Kafka ACL APIs support in Ranger
Kafka ACL operations in Ranger
Background
Kafka supports ACL operations through APIs such as createAcls, deleteAcls, acls, and authorizeByResourceType. However, when Ranger is enabled, Kafka does not support:
- granting and revoking policies on Kafka resources
- listing resource ACLs based on Ranger policies
- checking the ACLs on resources
RangerKafkaAuthorizer includes ACL APIs that refer to Ranger policies when these commands are executed. Ranger relies on the grant, revoke, and policy engine APIs to provide the needed functionality.
Reference Commands
- List ACLs
  kafka-acls --bootstrap-server rm-718ssl-1.rm-718ssl.root.hwx.site:9093 --command-config /kafkatest/kafka-client.conf --list --topic connect-configs
- Create ACL
  kafka-acls --bootstrap-server rm-718ssl-1.rm-718ssl.root.hwx.site:9093 --command-config /kafkatest/kafka-client.conf --add --allow-principal User:testuser1 --operation read --topic finance-topic
- Revoke ACL
  kafka-acls --bootstrap-server rm-718ssl-1.rm-718ssl.root.hwx.site:9093 --command-config /kafkatest/kafka-client.conf --remove --allow-principal Group:mysql --operation read --topic finance-topic
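After a create or revoke, the list command can be used to confirm that the Ranger policy change took effect. The following is an added example, not part of the original documentation: a shell function that checks a `kafka-acls --list` listing for one specific binding. The function name `acl_present` is hypothetical, and the sample listing is constructed on the assumption that the output follows the stock kafka-acls layout.

```shell
#!/bin/sh
# Added example: confirm that a grant or revoke is visible in `kafka-acls --list`.
# Assumption: the listing uses the stock kafka-acls text layout shown below.

# Constructed sample of `kafka-acls --list --topic finance-topic` output.
SAMPLE_LISTING='Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=finance-topic, patternType=LITERAL)`:
  (principal=User:testuser1, host=*, operation=READ, permissionType=ALLOW)
  (principal=Group:mysql, host=*, operation=READ, permissionType=ALLOW)'

# acl_present LISTING TOPIC PRINCIPAL OPERATION PERMISSION
# Returns 0 only if the binding appears under the named topic's resource header.
# Each field is matched together with its trailing delimiter, so
# User:testuser does not match User:testuser1 and topic finance does not
# match finance-topic.
acl_present() {
  _op=$(printf '%s' "$4" | tr '[:lower:]' '[:upper:]')
  printf '%s\n' "$1" | awk -v topic="$2" -v who="principal=$3," \
      -v op="operation=$_op," -v perm="permissionType=$5)" '
    /^Current ACLs for resource/ {
      # Track whether the entries that follow belong to the requested topic.
      in_topic = (index($0, "resourceType=TOPIC, name=" topic ",") > 0)
      next
    }
    in_topic && index($0, who) && index($0, op) && index($0, perm) { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Usage against a live cluster (same options as the reference commands):
#   out=$(kafka-acls --bootstrap-server <broker>:9093 \
#           --command-config /kafkatest/kafka-client.conf --list --topic finance-topic)
#   acl_present "$out" finance-topic User:testuser1 read ALLOW && echo "grant visible"
```

Running the same check after a revoke and expecting a non-zero exit status confirms that the binding is no longer returned.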