Configuring Kafka for Kerberos Over Ambari

Chapter 4. Creating Kafka Topics

When you use a script, command, or API to create a topic, an entry is created under ZooKeeper. The only user with access to ZooKeeper is the service account running Kafka (by default, kafka). Therefore, the first step toward creating a Kafka topic on a secure cluster is to run kinit, specifying the Kafka service keytab. The second step is to create the topic.

  1. Run kinit, specifying the Kafka service keytab. For example:

    kinit -k -t /etc/security/keytabs/kafka.service.keytab kafka/

  2. Next, create the topic. Run the command-line tool with the following options:

    /bin/ --zookeeper <hostname>:<port> --create --topic <topic-name> --partitions <number-of-partitions> --replication-factor <number-of-replicating-servers>

    For example:

    /bin/ --zookeeper --create --topic test_topic --partitions 2 --replication-factor 2
    Created topic "test_topic".

    For more information about parameters, see Basic Kafka Operations on the Apache Kafka website.
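The two steps above can be wrapped in a preflight script. This is an added example, not part of the original documentation. The `PRINCIPAL`, `TOPIC_TOOL` and `ZK_CONNECT` variables, the function names and the return codes are assumptions of this example, and the keytab permission check and `klist -s` confirmation are additions to the documented steps.

```shell
#!/bin/sh
# Added example, not from the original page. The page elides the full principal,
# the tool path and the ZooKeeper address, so the operator supplies them.
KEYTAB="${KEYTAB:-/etc/security/keytabs/kafka.service.keytab}"  # path shown on the page
PRINCIPAL="${PRINCIPAL:-}"    # full Kafka service principal (operator-supplied)
TOPIC_TOOL="${TOPIC_TOOL:-}"  # topic command-line tool (operator-supplied)
ZK_CONNECT="${ZK_CONNECT:-}"  # <hostname>:<port> (operator-supplied)

# Succeeds only if the keytab exists and its mode grants nothing to group
# or other. Assumes GNU stat (-c '%a').
keytab_mode_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# Kafka topic names: ASCII letters, digits, '.', '_', '-'; at most 249
# characters; not "." or "..".
valid_topic_name() {
    case "$1" in ''|.|..|*[!A-Za-z0-9._-]*) return 1 ;; esac
    [ "${#1}" -le 249 ]
}

# Positive decimal integer without a leading zero.
is_pos_int() {
    case "$1" in ''|0*|*[!0-9]*) return 1 ;; esac
}

# create_topic TOPIC PARTITIONS REPLICATION_FACTOR
# Return codes (chosen for this example): 2 bad arguments or settings,
# 3 unsafe keytab, 4 no valid ticket; otherwise the tool's own status.
create_topic() {
    valid_topic_name "$1" || { echo "invalid topic name: $1" >&2; return 2; }
    { is_pos_int "$2" && is_pos_int "$3"; } ||
        { echo "partitions and replication factor must be positive integers" >&2; return 2; }
    { [ -n "$PRINCIPAL" ] && [ -n "$TOPIC_TOOL" ] && [ -n "$ZK_CONNECT" ]; } ||
        { echo "set PRINCIPAL, TOPIC_TOOL and ZK_CONNECT" >&2; return 2; }
    keytab_mode_ok "$KEYTAB" ||
        { echo "keytab missing or accessible to group/other: $KEYTAB" >&2; return 3; }
    # Step 1: get a ticket from the service keytab; klist -s confirms it is usable.
    { kinit -k -t "$KEYTAB" "$PRINCIPAL" && klist -s; } || return 4
    # Step 2: create the topic with the options listed in the procedure.
    "$TOPIC_TOOL" --zookeeper "$ZK_CONNECT" --create --topic "$1" \
        --partitions "$2" --replication-factor "$3"
}

# Run only when called with exactly three arguments.
if [ "$#" -eq 3 ]; then create_topic "$@"; fi
```

Run it as the Kafka service account with the three variables exported, passing the topic name, partition count and replication factor as arguments.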


By default, permissions are set so that only the Kafka service user has access; no other user can read or write to the new topic. In other words, if your Kafka server is running with principal $KAFKA-USER, only that principal will be able to write to ZooKeeper.

For information about adding permissions, see Authorizing Access when Kerberos is Enabled.