Configuring Kafka for Kerberos Over Ambari
Also available as:
PDF

Authorization Examples

By default, if a principal does not have an explicit ACL that allows access for an operation to a resource, access requests from the principal will be denied.

The following examples show how to add, remove, and list ACLs.

Grant Read/Write Access to a Topic

To add the following ACL:

"Principals user:bob and user:alice are allowed to perform Operation Read and Write on Topic Test-Topic from Host1 and Host2"

run the CLI with the following options:

bin/kafka-acls.sh --add --allow-principal user:bob --allow-principal user:alice --allow-host host1 --allow-host host2 --operation Read --operation Write --topic test-topic

Grant Full Access to Topic, Cluster, and Consumer Group

To add ACLs to a topic, specify --topic <topic-name> as the resource option. Similarly, to add ACLs to cluster, specify --cluster; to add ACLs to a consumer group, specify --consumer-group <group-name>.

The following examples grant full access for principal bob to topic test-topic and consumer group 10, across the cluster. Substitute your own values for principal name, topic name, and group name.

bin/kafka-acls.sh --topic test-topic --add --allow-principal user:bob --operation ALL --config /usr/hdp/current/kafka-broker/config/server.properties

bin/kafka-acls.sh --consumer-group 10 --add --allow-principal user:bob --operation ALL --config /usr/hdp/current/kafka-broker/config/server.properties

bin/kafka-acls.sh --cluster --add --allow-principal user:bob --operation ALL --config /usr/hdp/current/kafka-broker/config/server.properties

Add a Principal as Producer or Consumer

The most common use case for ACL management is to add or remove a principal as producer or consumer. The following convenience options handle these cases.

To add user:bob as a producer of Test-topic, run the following command:

bin/kafka-acls.sh --add --allow-principal user:bob --producer --topic test-topic

Similarly, to add user:alice as a consumer of test-topic with consumer group group-1, pass the --consumer option.

[Note]Note

When using the consumer option you must specify the consumer group.

bin/kafka-acls.sh --add --allow-principal user:bob --consumer --topic test-topic --consumer-group group-1

Deny Access to a Principal

In rare cases you might want to define an ACL that allows access to all but one or more principals. In this case, use the --deny-principal and --deny-host options.

For example, to allow all users to read from test-topic except user bob from host bad-host:

bin/kafka-acls.sh --add --allow-principal user:* --allow-host * --deny-principal user:bob --deny-host bad-host --operation Read --topic test-topic

Remove Access

Removing ACLs is similar to adding ACLs. The only difference is that you need to specify the --remove option instead of the --add option.

To remove the ACLs for principals bob and alice (added in "Grant Read/Write Access to a Topic"), run the CLI with the following options:

bin/kafka-acls.sh --remove --allow-principal user:bob --allow-principal user:alice --allow-host host1 --allow-host host2 --operation Read --operation Write --topic test-topic

Similarly, to remove a principal from a producer or consumer role, specify the --remove option instead of --add:

bin/kafka-acls.sh --remove --allow-principal user:bob --producer --topic test-topic

List ACLs

To list ACLs for any resource, specify the --list option with the resource. For example, to list all ACLs for Test-topic, run the CLI with following options:

bin/kafka-acls.sh --list --topic test-topic

Configure Authorizer Settings

To specify which authorizer to use, include the --authorizer option. For example:

--authorizer kafka.security.auth.SimpleAclAuthorizer ...

To specify one or more authorizer initialization settings, include the --authorizer-properties option; for example:

--authorizer-properties zookeeper.connect=localhost:2181 ...