Simple ACL authorization

Learn how to configure simple ACL authorization and ACL rules, as well as super users.

Configuring simple ACL

Learn how to enable and configure simple ACL authorization for Kafka.

Simple ACL authorization is enabled by setting spec.kafka.authorization.type to simple in your Kafka resource. Additionally, to manage user (client) access, you create KafkaUser resources that have a matching authorization type configured. KafkaUser resources configure authorization rules for users that require access to your cluster.

The following is an example Kafka resource with simple ACL and mTLS authentication enabled.

#...
kind: Kafka
metadata:
  name: my-cluster
spec:
  kafka:
    authorization:
      type: simple
    listeners:
      - name: tls
        port: 9093
        type: internal
        tls: true
        authentication:
          type: tls

Following the configuration of the Kafka resource, you create KafkaUser resources, which define the access control rules for the users (clients) accessing Kafka. When creating a KafkaUser resource for simple authorization, you set spec.authorization.type to simple (matching the authorization configuration of the Kafka resource). Additionally, you define the rules for the user in the acls property, which is an array of rules.

The following is a KafkaUser example configured for simple authorization that includes a few example rules.

#...
kind: KafkaUser
metadata:
  name: my-user
  labels:
    strimzi.io/cluster: my-cluster
spec:
  authorization:
    type: simple
    acls:
      - resource:
          type: topic
          name: my-topic
          patternType: literal
        operations:
          - Read
          - Describe
      - resource:
          type: topic
          name: "*"
          patternType: literal
        type: allow
        host: "*"
        operations:
          - Read
      - resource:
          type: group
          name: my-group
          patternType: prefix
        operations:
          - Read

Configuring ACL rules

Learn how to configure ACL rules for simple ACL authorization.

ACL rules are specified in the acls property of the KafkaUser resource.

#...
kind: KafkaUser
spec:
  authorization:
    type: simple
    acls:
      - resource:
          type: topic
          name: "*"
          patternType: literal
        type: allow
        host: "*"
        operations:
          - Read

The properties you use to define an ACL rule are as follows.

resource

The resource property specifies the Kafka resource that the rule applies to. Simple authorization supports the following resource types, which are specified in the type property.

  • topic
  • group
  • cluster
  • transactionalId

For topic, group, and transactionalId type resources, you specify the name of the resource that the rule applies to in the name property. Resources of the cluster type do not have a name.

The name of the resource is either a literal or a prefix. This is specified in the patternType property, which can be either literal or prefix.

  • Literal names (patternType: literal) are interpreted exactly as they are specified in name.
  • Prefix names (patternType: prefix) treat the value specified in name as a prefix. The rule applies to all resources whose names start with the prefix.

The name property accepts an asterisk (*) as a value. If name is set to * and patternType is literal, the rule applies to all resources of the specified type.

#...
- resource:
    type: topic
    name: "*"
    patternType: literal

type

The type property specifies the type of the rule. This is an optional property; if it is not specified, the rule type defaults to allow.

host

You use the host property to restrict the rule so that it applies only to a specified remote host. If set to *, the rule applies to all hosts. This is an optional property; the default value is *.

operations

The operations property specifies a list of operations for the rule. Supported operations are Read, Write, Delete, Alter, Describe, All, IdempotentWrite, ClusterAction, Create, AlterConfigs, DescribeConfigs.

Some operations are not valid on some resources. See the Apache Kafka documentation for a comprehensive matrix regarding operations and their supported resources.

Configuring super users

In addition to creating users with KafkaUser resources that have specific access restrictions defined, you can choose to designate super users in your Kafka cluster. Super users have unlimited access, regardless of access restrictions.

To designate super users for a Kafka cluster, add a list of user principals to the spec.kafka.authorization.superUsers property in your Kafka resource.

#...
kind: Kafka
spec:
  kafka:
    authorization:
      type: simple
      superUsers:
        - CN=client_1
        - user_2
        - CN=client_3
    listeners:
      - name: tls
        port: 9093
        type: internal
        tls: true
        authentication:
          type: tls

If a user authenticates with mTLS, the username is the common name (CN) from the TLS certificate subject, prefixed with CN=. If you are not using the Strimzi User Operator and instead use your own certificates for mTLS, the username is the full certificate subject.

A full certificate subject can have the following fields.

CN=user,OU=my_ou,O=my_org,L=my_location,ST=my_state,C=my_country_code

Omit any fields that are not present.
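As an added example that is not part of this page or of Strimzi's code, the following Python models the ACL rule matching described in the "Configuring ACL rules" section (literal and prefix names, the * wildcard, host, and the allow default) together with the super user bypass from the section above. The sample acls array and superUsers list are copied from the examples on this page; deny-before-allow precedence and All covering every operation are Kafka's authorizer behaviour and are assumptions beyond what this page states.

```python
# Added illustration of the simple ACL matching described on this page; it is
# not Strimzi's or Kafka's own code. parse_acls() validates a KafkaUser acls
# array and is_authorized() evaluates one request against it.
RESOURCE_TYPES = {"topic", "group", "cluster", "transactionalId"}

SAMPLE_ACLS = [  # constructed sample: the acls array of the KafkaUser example above
    {"resource": {"type": "topic", "name": "my-topic", "patternType": "literal"},
     "operations": ["Read", "Describe"]},
    {"resource": {"type": "topic", "name": "*", "patternType": "literal"},
     "type": "allow", "host": "*", "operations": ["Read"]},
    {"resource": {"type": "group", "name": "my-group", "patternType": "prefix"},
     "operations": ["Read"]},
]
SUPER_USERS = ["CN=client_1", "user_2", "CN=client_3"]  # superUsers list from the Kafka example

def parse_acls(acls):
    """Validate the acls array and fill in the defaults (type=allow, host=*)."""
    out = []
    for rule in acls:
        res = rule["resource"]
        if res["type"] not in RESOURCE_TYPES:
            raise ValueError(f"unsupported resource type {res['type']!r}")
        if res["type"] == "cluster" and "name" in res:
            raise ValueError("cluster resources do not have a name")
        pattern = res.get("patternType", "literal")
        if pattern not in ("literal", "prefix"):
            raise ValueError("patternType must be literal or prefix")
        out.append({"rtype": res["type"], "name": res.get("name"), "pattern": pattern,
                    "type": rule.get("type", "allow"), "host": rule.get("host", "*"),
                    "ops": set(rule["operations"])})
    return out

def resource_matches(acl, rtype, rname):
    if acl["rtype"] != rtype:
        return False
    if rtype == "cluster":                # cluster rules have no name to compare
        return True
    if acl["pattern"] == "literal":       # "*" with literal matches every name
        return acl["name"] in ("*", rname)
    return rname.startswith(acl["name"])  # prefix: rule name is a prefix of the resource

def is_authorized(acls, principal, super_users, rtype, rname, operation, host):
    """Super users bypass every rule. Deny beats allow (Kafka AclAuthorizer
    semantics, an assumption beyond this page); All covers every operation."""
    if principal in super_users:
        return True
    hits = [a for a in acls if resource_matches(a, rtype, rname)
            and a["host"] in ("*", host) and a["ops"] & {operation, "All"}]
    types = {a["type"] for a in hits}
    return "allow" in types and "deny" not in types
```

Running the sample rules through is_authorized() shows, for instance, that the prefix rule grants my-user Read on my-group-2 but not on other-group, and that the "*" literal topic rule grants Read but not Describe on topics other than my-topic.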