Simple ACL authorization
Learn how to configure simple ACL authorization and ACL rules, as well as super users.
Configuring simple ACL
Learn how to enable and configure simple ACL authorization for Kafka.
Simple ACL authorization is enabled by setting spec.kafka.authorization.type to simple in your Kafka resource. Additionally, to manage user (client) access, you create KafkaUser resources that have a matching authorization type configured. KafkaUser resources configure authorization rules for users that require access to your cluster.
The following is an example Kafka resource with simple ACL and mTLS authentication enabled.
#...
kind: Kafka
metadata:
  name: my-cluster
spec:
  kafka:
    authorization:
      type: simple
    listeners:
      - name: tls
        port: 9093
        type: internal
        tls: true
        authentication:
          type: tls
Following the configuration of the Kafka resource, you create KafkaUser resources, which define the access control rules for the users (clients) accessing Kafka. When creating a KafkaUser resource for simple authorization, you set spec.authorization.type to simple (matching the authorization configuration of Kafka). Additionally, you define the rules for the user with the acls property. The acls property is an array, and each entry in it defines one rule.
The following is a KafkaUser example configured for simple authorization that includes a few example rules.
#...
kind: KafkaUser
metadata:
  name: my-user
  labels:
    strimzi.io/cluster: my-cluster
spec:
  authorization:
    type: simple
    acls:
      - resource:
          type: topic
          name: my-topic
          patternType: literal
        operations:
          - Read
          - Describe
      - resource:
          type: topic
          name: "*"
          patternType: literal
        type: allow
        host: "*"
        operations:
          - Read
      - resource:
          type: group
          name: my-group
          patternType: prefix
        operations:
          - Read
Configuring ACL rules
Learn how to configure ACL rules for simple ACL authorization.
You define ACL rules in the acls property of the KafkaUser resource.
#...
kind: KafkaUser
spec:
  authorization:
    type: simple
    acls:
      - resource:
          type: topic
          name: "*"
          patternType: literal
        type: allow
        host: "*"
        operations:
          - Read
The properties you use to define an ACL rule are as follows.

- resource
  The resource property specifies the Kafka resource that the rule applies to. Simple authorization supports the following resource types, which are specified in the type property:
  - topic
  - group
  - cluster
  - transactionalId
  For topic, group, and transactionalId type resources, you specify the name of the resource that the rule applies to in the name property. Resources of the cluster type do not have a name.
  The name of the resource is either a literal or a prefix. This is specified in the value of the patternType property, which can be either literal or prefix.
  - Literal names (patternType: literal) are interpreted exactly as they are specified in name.
  - Prefix names (patternType: prefix) treat the value specified in name as a prefix. The rule is applied to all resources that have names starting with the prefix.
  The name property accepts an asterisk (*) as a value. If name is set to * and patternType is literal, the rule applies to all resources.
  #...
  - resource:
      type: topic
      name: "*"
      patternType: literal

- type
  The type property specifies the type of the rule. This is an optional property; the rule type is set to allow by default if it is not specified.

- host
  You use the host property to restrict the rule to apply to a specified remote host. If set to *, the rule is applied to all hosts. This is an optional property; the default value is *.

- operations
  The operations property specifies a list of operations for the rule. Supported operations are Read, Write, Delete, Alter, Describe, All, IdempotentWrite, ClusterAction, Create, AlterConfigs, and DescribeConfigs.
  Some operations are not valid on some resources. See the Apache Kafka documentation for a comprehensive matrix of operations and the resources they are supported on.
Configuring super users
In addition to creating users with KafkaUser resources that have specific access restrictions defined, you can choose to designate super users in your Kafka cluster. Super users have unlimited access, regardless of access restrictions.
To designate super users for a Kafka cluster, add a list of user principals to the spec.kafka.authorization.superUsers property in your Kafka resource.
#...
kind: Kafka
spec:
  kafka:
    authorization:
      type: simple
      superUsers:
        - CN=client_1
        - user_2
        - CN=client_3
    listeners:
      - name: tls
        port: 9093
        type: internal
        tls: true
        authentication:
          type: tls
If a user uses mTLS authentication, the username is the common name from the TLS certificate subject prefixed with CN=. If you are not using the Strimzi User Operator and are using your own certificates for mTLS, the username is the full certificate subject.
A full certificate subject can have the following fields.
CN=user,OU=my_ou,O=my_org,L=my_location,ST=my_state,C=my_country_code
Omit any fields that are not present.
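The following is an added example, not Strimzi code, that models how the ACL rules of the KafkaUser example above and the superUsers list combine to decide a request, covering both the rule properties (literal versus prefix names, the * wildcard, host restriction, default allow type) and the super user bypass. It assumes Kafka's AclAuthorizer decision order, which this page does not spell out: super users skip the ACL check, a matching deny rule wins over any allow rule, and a request matched by no rule is denied. The principal CN=my-user is the mTLS username the User Operator derives for the KafkaUser named my-user.

```python
# Added example (not Strimzi code): decision model for simple ACL authorization.
# Assumed semantics (Kafka AclAuthorizer): super users bypass ACLs, deny beats
# allow, and a request no rule matches is denied.

# superUsers list from the Kafka resource example on this page.
SUPER_USERS = {"CN=client_1", "user_2", "CN=client_3"}

# The acls list of the KafkaUser example on this page, as Python data (constructed).
MY_USER_ACLS = [
    {"resource": {"type": "topic", "name": "my-topic", "patternType": "literal"},
     "operations": ["Read", "Describe"]},
    {"resource": {"type": "topic", "name": "*", "patternType": "literal"},
     "type": "allow", "host": "*", "operations": ["Read"]},
    {"resource": {"type": "group", "name": "my-group", "patternType": "prefix"},
     "operations": ["Read"]},
]


def resource_matches(spec, res_type, res_name):
    """Literal names match exactly ('*' matches every name); prefix names match a prefix."""
    if spec["type"] != res_type:
        return False
    if spec["type"] == "cluster":            # cluster resources have no name
        return True
    name, pattern = spec["name"], spec.get("patternType", "literal")
    if pattern == "prefix":
        return res_name.startswith(name)
    return name == "*" or name == res_name


def rule_matches(rule, res_type, res_name, operation, host):
    """A rule applies when resource, host (default '*') and operation all match."""
    rule_host = rule.get("host", "*")
    ops = rule["operations"]
    return (resource_matches(rule["resource"], res_type, res_name)
            and (rule_host == "*" or rule_host == host)
            and (operation in ops or "All" in ops))


def authorize(principal, acls, res_type, res_name, operation, host="10.0.0.1"):
    """Return True if the request is allowed; super users skip the ACL check."""
    if principal in SUPER_USERS:
        return True
    matched = [r.get("type", "allow")        # rule type defaults to allow
               for r in acls
               if rule_matches(r, res_type, res_name, operation, host)]
    if "deny" in matched:                    # assumed: deny takes precedence
        return False
    return "allow" in matched
```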