Authorizing Access when Kerberos is Enabled
Kafka ships with a pluggable Authorizer interface and an out-of-box implementation that stores Access Control Lists (ACLs) in ZooKeeper. Authorization can be done via Ranger (see the Kafka section of the Ranger Install Guide) or with native ACLs. The native authorizer is enabled by setting authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer in the broker's server.properties; until an authorizer is configured, no ACLs are enforced. Because the ACLs live in ZooKeeper, anyone who can write to the ZooKeeper nodes can rewrite them, so the ZooKeeper ensemble must be secured (Kerberos-authenticated, with Kafka's znodes protected by ZooKeeper ACLs) before these ACLs can be trusted.
A Kafka ACL entry has the following general format:
Principal P is [Allowed/Denied] Operation O From Host H On Resource R
where
Principal
is specified in PrincipalType:PrincipalName format, for example User:dev@EXAMPLE.COM. The built-in principal type is User (use that exact spelling); with Kerberos the name is, by default, the full Kerberos principal the client authenticated as. Multiple principals are given as a comma-separated list. Specify User:* to indicate all principals. A principal is any entity that can be authenticated by the system, such as a user account, a thread or process running in the security context of a user account, or a security group of such accounts.
Operation
can be one of READ, WRITE, CREATE, DESCRIBE, or ALL.
Resource
is a topic name, a consumer group name, or the string "kafka-cluster" to indicate a cluster-level resource (with the operations listed here, the cluster resource is used only with CREATE, which governs topic creation).
Host
is the client host IP address. Specify * to indicate all hosts.
Note: For more information about ACL structure, including mappings between Operation values and Kafka protocol APIs, see the Apache KIP-11 Authorization Interface document.
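The following is an added example, not code from the Kafka project or from this guide. It parses ACL entries written in the sentence form above, evaluates requests against them the way the native authorizer does (any matching Denied entry wins; otherwise an Allowed entry is required; otherwise the request is denied, which is Kafka's default when no ACL matches), and renders the kafka-acls.sh command that would add each entry. The ACL lines, principals, hosts and the zk1.example.com ZooKeeper address are constructed sample data; the super_users parameter models Kafka's super.users broker setting, and the rule that an Allowed READ or WRITE also implies DESCRIBE mirrors the built-in authorizer's behaviour.

```python
import re
from dataclasses import dataclass

OPERATIONS = {"READ", "WRITE", "CREATE", "DESCRIBE", "ALL"}
IMPLIES_DESCRIBE = {"READ", "WRITE"}  # an Allowed READ/WRITE also grants DESCRIBE, as in Kafka

# Sentence form from the guide: Principal P is [Allowed/Denied] Operation O From Host H On Resource R
# Resource is written as type:name here (topic:orders, group:analytics, cluster:kafka-cluster).
ACL_RE = re.compile(
    r"^Principal (?P<principals>\S+) is (?P<perm>Allowed|Denied) "
    r"Operation (?P<op>[A-Z]+) From Host (?P<host>\S+) On Resource "
    r"(?P<rtype>topic|group|cluster):(?P<rname>\S+)$"
)


@dataclass(frozen=True)
class Acl:
    principal: str   # "User:<name>" or "User:*"
    allowed: bool    # True for Allowed, False for Denied
    operation: str   # READ, WRITE, CREATE, DESCRIBE or ALL
    host: str        # client IP address or "*"
    rtype: str       # topic, group or cluster
    rname: str       # topic/group name, or "kafka-cluster"


def parse_acl(line):
    """Parse one sentence-form entry; a comma-separated principal list yields one Acl per principal."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed ACL: {line!r}")
    if m["op"] not in OPERATIONS:
        raise ValueError(f"unknown operation {m['op']!r}")
    acls = []
    for p in m["principals"].split(","):
        ptype, _, pname = p.partition(":")
        if ptype != "User" or not pname:  # Kafka's built-in principal type is spelled "User"
            raise ValueError(f"principal must be User:<name> or User:*, got {p!r}")
        acls.append(Acl(p, m["perm"] == "Allowed", m["op"], m["host"], m["rtype"], m["rname"]))
    return acls


def _matches(acl, principal, operation, host, rtype, rname):
    """An entry matches when every field is equal or the entry uses a wildcard (User:*, ALL, *)."""
    return (acl.principal in (principal, "User:*")
            and acl.operation in (operation, "ALL")
            and acl.host in (host, "*")
            and (acl.rtype, acl.rname) == (rtype, rname))


def authorize(acls, principal, operation, host, rtype, rname, super_users=()):
    """Deny beats allow; with no matching Allowed entry the request is refused."""
    if principal in super_users:  # models Kafka's super.users setting
        return True
    hits = lambda op: [a for a in acls if _matches(a, principal, op, host, rtype, rname)]
    if any(not a.allowed for a in hits(operation)):
        return False
    if any(a.allowed for a in hits(operation)):
        return True
    if operation == "DESCRIBE":  # implied by an Allowed READ/WRITE on the same resource
        return any(a.allowed for op in IMPLIES_DESCRIBE for a in hits(op))
    return False


def to_cli(acl, zk="zk1.example.com:2181"):
    """Render the kafka-acls.sh invocation that adds this entry (zk is a placeholder address)."""
    side = "allow" if acl.allowed else "deny"
    res = "--cluster" if acl.rtype == "cluster" else f"--{acl.rtype} {acl.rname}"
    return (f"kafka-acls.sh --authorizer-properties zookeeper.connect={zk} --add "
            f"--{side}-principal {acl.principal} --{side}-host {acl.host} "
            f"--operation {acl.operation.capitalize()} {res}")


SAMPLE_ACLS = [  # constructed sample entries, not taken from any real cluster
    "Principal User:producer@EXAMPLE.COM is Allowed Operation WRITE From Host 10.0.0.5 On Resource topic:orders",
    "Principal User:analyst@EXAMPLE.COM,User:etl@EXAMPLE.COM is Allowed Operation READ From Host * On Resource topic:orders",
    "Principal User:analyst@EXAMPLE.COM is Allowed Operation READ From Host * On Resource group:analytics",
    "Principal User:etl@EXAMPLE.COM is Denied Operation READ From Host 203.0.113.7 On Resource topic:orders",
    "Principal User:* is Allowed Operation DESCRIBE From Host * On Resource group:analytics",
]


def load(lines):
    return [a for line in lines for a in parse_acl(line)]


def demo():
    """Evaluate a set of requests against SAMPLE_ACLS; keys name the case being checked."""
    acls = load(SAMPLE_ACLS)
    t, g, c = ("topic", "orders"), ("group", "analytics"), ("cluster", "kafka-cluster")
    return {
        "producer_write_allowed_host": authorize(acls, "User:producer@EXAMPLE.COM", "WRITE", "10.0.0.5", *t),
        "producer_write_other_host": authorize(acls, "User:producer@EXAMPLE.COM", "WRITE", "10.0.0.6", *t),
        "producer_describe_implied": authorize(acls, "User:producer@EXAMPLE.COM", "DESCRIBE", "10.0.0.5", *t),
        "etl_read_denied_host": authorize(acls, "User:etl@EXAMPLE.COM", "READ", "203.0.113.7", *t),
        "etl_read_other_host": authorize(acls, "User:etl@EXAMPLE.COM", "READ", "10.0.0.9", *t),
        "guest_describe_wildcard": authorize(acls, "User:guest@EXAMPLE.COM", "DESCRIBE", "10.0.0.1", *g),
        "guest_read_no_acl": authorize(acls, "User:guest@EXAMPLE.COM", "READ", "10.0.0.1", *t),
        "superuser_create": authorize(acls, "User:kafka@EXAMPLE.COM", "CREATE", "10.0.0.1", *c,
                                      super_users={"User:kafka@EXAMPLE.COM"}),
    }


if __name__ == "__main__":
    for acl in load(SAMPLE_ACLS):
        print(to_cli(acl))
    for case, decision in demo().items():
        print(f"{case}: {'allowed' if decision else 'denied'}")
```

The Denied entry for etl@EXAMPLE.COM shows why host-scoped denies matter: the wildcard-host Allowed READ still exists, but the deny takes precedence for requests from 203.0.113.7 and only that host. The guest_read_no_acl case shows the default-deny posture; if a broker is run with allow.everyone.if.no.acl.found=true, that same request would succeed, which is why that setting should stay at its default of false on a Kerberized cluster.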