Authorization Examples
By default, if a principal does not have an explicit ACL that allows access for an operation to a resource, access requests from the principal will be denied.
The following examples show how to add, remove, and list ACLs.
Grant Read/Write Access to a Topic
To add the following ACL:
"Principals user:bob and user:alice are allowed to perform Operation Read and Write on Topic Test-Topic from Host1 and Host2"
run the CLI with the following options:
bin/kafka-acls.sh --add --allow-principal user:bob --allow-principal user:alice
--allow-host host1 --allow-host host2 --operation Read --operation
Write --topic test-topic
Grant Full Access to Topic, Cluster, and Consumer Group
To add ACLs to a topic, specify --topic <topic-name>
as the resource
option. Similarly, to add ACLs to cluster, specify --cluster
; to add ACLs to a
consumer group, specify --consumer-group <group-name>
.
The following examples grant full access for principal bob
to topic
test-topic
and consumer group 10
, across the cluster. Substitute
your own values for principal name, topic name, and group name.
bin/kafka-acls.sh --topic test-topic --add --allow-principal user:bob --operation
ALL --config /usr/hdp/current/kafka-broker/config/server.properties
bin/kafka-acls.sh --consumer-group 10 --add --allow-principal user:bob --operation
ALL --config /usr/hdp/current/kafka-broker/config/server.properties
bin/kafka-acls.sh --cluster --add --allow-principal user:bob --operation ALL
--config /usr/hdp/current/kafka-broker/config/server.properties
Add a Principal as Producer or Consumer
The most common use case for ACL management is to add or remove a principal as producer or consumer. The following convenience options handle these cases.
To add user:bob
as a producer of Test-topic, run the following
command:
bin/kafka-acls.sh --add --allow-principal user:bob --producer --topic
test-topic
Similarly, to add user:alice
as a consumer of test-topic
with
consumer group group-1
, pass the --consumer
option.
Note | |
---|---|
When using the consumer option you must specify the consumer group. |
bin/kafka-acls.sh --add --allow-principal user:alice --consumer --topic test-topic
--consumer-group group-1
Deny Access to a Principal
In rare cases you might want to define an ACL that allows access to all but one or more
principals. In this case, use the --deny-principal
and --deny-host
options.
For example, to allow all users to read from test-topic
except user bob
from host
bad-host
:
bin/kafka-acls.sh --add --allow-principal user:* --allow-host * --deny-principal
user:bob --deny-host bad-host --operation Read --topic
test-topic
Remove Access
Removing ACLs is similar to adding ACLs. The only difference is that you need to specify
the --remove
option instead of the --add
option.
To remove the ACLs for principals bob and alice (added in "Grant Read/Write Access to a Topic"), run the CLI with the following options:
bin/kafka-acls.sh --remove --allow-principal user:bob --allow-principal user:alice
--allow-host host1 --allow-host host2 --operation Read --operation
Write --topic test-topic
Similarly, to remove a principal from a producer or consumer role, specify the
--remove
option instead of --add
:
bin/kafka-acls.sh --remove --allow-principal user:bob --producer --topic
test-topic
List ACLs
To list ACLs for any resource, specify the --list
option with the resource.
For example, to list all ACLs for Test-topic, run the CLI with following options:
bin/kafka-acls.sh --list --topic test-topic
Configure Authorizer Settings
To specify which authorizer to use, include the --authorizer
option. For
example:
--authorizer kafka.security.auth.SimpleAclAuthorizer
...
To specify one or more authorizer initialization settings, include the --authorizer-properties option; for example:
--authorizer-properties zookeeper.connect=localhost:2181
...