Configuring Kafka for Kerberos Over Ambari

Kafka Authorization Command Line Interface

The Kafka Authorization CLI script, kafka-acls.sh, resides in the bin directory.

The following table lists ACL actions supported by the CLI script:

| Action Type | Description |
|---|---|
| --add | Add an ACL. |
| --remove | Remove an ACL. |
| --list | List ACLs. |

The following table lists additional options for the Authorization CLI:

| Option | Description | Default | Option Type |
|---|---|---|---|
| --authorizer | The fully-qualified class name of the authorizer. | kafka.security.auth.SimpleAclAuthorizer | Configuration |
| --authorizer-properties | A list of key=value pairs that will be passed to the authorizer for initialization. Use this option multiple times to specify multiple properties. | | Configuration |
| --cluster | Specifies the cluster as resource. | | Resource |
| --topic <topic-name> | Specifies the topic as resource. | | Resource |
| --consumer-group <consumer-group> | Specifies the consumer group as resource. | | Resource |
| --allow-principal | These principals will be used to generate an ACL with Allow permission. Specify the principal in PrincipalType:name format, such as user:devadmin. To specify more than one principal in a single command, specify this option multiple times. For example: --allow-principal user:test1@EXAMPLE.COM --allow-principal user:test2@EXAMPLE.COM | | Principal |
| --deny-principal | These principals will be used to generate an ACL with Deny permission. The principal is in PrincipalType:name format. Multiple principals can be specified (see the --allow-principal option). | | Principal |
| --allow-host | IP address of the host from which the principals listed in --allow-principal will have access. To specify multiple hosts, specify this option multiple times. | If --allow-principal is specified, this defaults to *, which translates to "all hosts". | Host |
| --deny-host | IP address of the host from which the principals listed in --deny-principal will be denied access. To specify multiple hosts, specify this option multiple times. | If --deny-principal is specified, this defaults to *, which translates to "all hosts". | Host |
| --operation | An operation that will be allowed or denied based on principal options. Valid values: Read, Write, Create, Delete, Alter, Describe, ClusterAction, All | All | Operation |
| --producer | Convenience option to add or remove ACLs for the producer role. This will generate ACLs that allow WRITE, DESCRIBE on topic, and CREATE on cluster. | | Convenience |
| --consumer | Convenience option to add or remove ACLs for the consumer role. This will generate ACLs that allow READ, DESCRIBE on topic, and READ on consumer-group. | | Convenience |
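
The following is an added example, not part of the original documentation: a dry-run wrapper that checks the principal format, the operation name and the host before printing (not executing) the kafka-acls.sh commands, and that spells out the ACLs the --producer option generates with an explicit --allow-host instead of the * default. The zookeeper.connect property and its value, the topic name orders, the IP addresses and all function names are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: lint ACL arguments, then print (not run) kafka-acls.sh commands.
KAFKA_ACLS="${KAFKA_ACLS:-bin/kafka-acls.sh}"       # script lives in the bin directory
ZK_CONNECT="${ZK_CONNECT:-zk1.example.com:2181}"    # constructed placeholder value
VALID_OPS="Read Write Create Delete Alter Describe ClusterAction All"

# PrincipalType:name, both parts non-empty, no whitespace anywhere.
valid_principal() {
  case "$1" in
    *[[:space:]]*) return 1 ;;
    ?*:?*) return 0 ;;
    *) return 1 ;;
  esac
}

# The operation must be one of the values listed for --operation.
valid_operation() {
  for op in $VALID_OPS; do
    [ "$op" = "$1" ] && return 0
  done
  return 1
}

# build_allow_acl PRINCIPAL HOST OPERATION RESOURCE_ARGS...  (hypothetical helper)
build_allow_acl() {
  principal=$1 host=$2 operation=$3
  shift 3
  valid_principal "$principal" || { echo "bad principal: '$principal'" >&2; return 2; }
  valid_operation "$operation" || { echo "bad operation: '$operation'" >&2; return 2; }
  # Leaving --allow-host out means "*" (all hosts); demand an explicit address.
  case "$host" in
    ''|'*') echo "refusing wildcard host for $principal" >&2; return 3 ;;
  esac
  [ "$#" -gt 0 ] || { echo "no resource given" >&2; return 2; }
  echo "$KAFKA_ACLS --authorizer-properties zookeeper.connect=$ZK_CONNECT" \
       "--add --allow-principal $principal --allow-host $host" \
       "--operation $operation $*"
}

# Explicit form of the ACLs --producer generates, pinned to one host.
build_producer_acls() {
  p=$1 h=$2 t=$3
  build_allow_acl "$p" "$h" Write --topic "$t" &&
  build_allow_acl "$p" "$h" Describe --topic "$t" &&
  build_allow_acl "$p" "$h" Create --cluster
}

build_producer_acls user:test1@EXAMPLE.COM 10.0.0.5 orders
```

A principal written with a space after the colon, an operation outside the documented list, or a missing or * host is rejected before any command line is produced.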