Kafka Authorization Command Line Interface - Hortonworks Data Platform

Security

Also available as:

PDF

Contents

loading table of contents...

Kafka Authorization Command Line Interface

The Kafka Authorization CLI script, kafka-acls.sh, resides in the bin directory.

The following table lists ACL actions supported by the CLI script:

Action Type	Description
`--add`	Add an ACL.
`--remove`	Remove an ACL.
`--list`	List ACLs.

The following table lists additional options for the Authorization CLI:

Option	Description	Default	Option Type
`--authorizer`	The fully-qualified class name of the authorizer.	`kafka.security.auth.SimpleAclAuthorizer`	Configuration
`--authorizer-properties`	A list of key=value pairs that will be passed to authorizer for initialization. Use this option multiple times to specify multiple properties.		Configuration
`--cluster`	Specifies the cluster as resource.		Resource
`--topic <topic-name>`	Specifies the topic as resource.		Resource
`--consumer-group <consumer-group>`	Specifies the consumer group as resource.		Resource
`--allow-principal`	These principals will be used to generate an ACL with `Allow` permission. Specify principal in `PrincipalType:name` format, such as `user:devadmin`. To specify more than one principal in a single command, specify this option multiple times. For example: `--allow-principal user: test1@EXAMPLE.COM` `--allow-principal user:test2@EXAMPLE.COM`		Principal
`--deny-principal`	These principals will be used to generate an ACL with Deny permission. Principal is in `PrincipalType:name` format. Multiple principals can be specified (see the `--allow-principal` option).		Principal
`--allow-host`	IP address of the host from which the principals listed in `--allow-principal` will have access. To specify multiple hosts, specify this option multiple times.	if `--allow-principal` is specified, this defaults to *, which translates to "all hosts"	Host
`--deny-host`	IP address of the host from which the principals listed in `--deny-principal` will be denied access. To specify multiple hosts, specify this option multiple times.	if `--deny-principal` is specified, this defaults to *, which translates to "all hosts"	Host
`--operation`	An operation that will be allowed or denied based on principal options. Valid values: Read, Write, Create, Delete, Alter, Describe, ClusterAction, All	All	Operation
`--producer`	Convenience option to add or remove ACLs for the producer role. This will generate ACLs that allow WRITE, DESCRIBE on topic, and CREATE on cluster.		Convenience
`--consumer`	Convenience option to add/remove ACLs for consumer role. This will generate ACLs that allows READ, DESCRIBE on topic, and READ on consumer-group.		Convenience