ZooKeeper ACLs Best Practices: Kafka

You must follow the best practices for tightening the ZooKeeper ACLs or permissions for Kafka when provisioning a secure cluster.

  • ZooKeeper Usage:
    • /controller - Kafka Znode for controller leader election

    • /cluster - Contains a unique id for the Kafka cluster

    • /brokers - Kafka Znode for broker metadata

    • /kafka-acl - Kafka ZNode for SimpleAclAuthorizer ACL storage

    • /admin - Kafka admin tool metadata

    • /isr_change_notification - Track changes to In Sync Replication

    • /log_dir_event_notification - Node for the broker to notify the controller about log dir events like disk failure

    • /delegation_token - Znode for storing delegation tokens

    • /controller_epoch - Track movement of controller

    • /consumers - Kafka Consumer list

    • /config - Entity configuration

  • Default ACLs:

    • /controller - world:anyone:cdrwa

    • /cluster - world:anyone:cdrwa

    • /brokers - world:anyone:cdrwa

    • /kafka-acl - world:anyone:cdrwa

    • /admin - world:anyone:cdrwa

    • /isr_change_notification - world:anyone:cdrwa

    • /log_dir_event_notification -world:anyone:cdrwa

    • /delegation_token - world:anyone:cdrwa

    • /controller_epoch - world:anyone:cdrwa

    • /consumers - world:anyone:cdrwa

    • /config - world:anyone:cdrwa

  • Security Best Practice ACLs/Permissions and Required Steps:

    • /controller - sasl:kafka:cdrwa

    • /cluster - sasl:kafka:cdrwa

    • /brokers - sasl:kafka:cdrwa

    • /kafka-acl - sasl:kafka:cdrwa

    • /admin - sasl:kafka:cdrwa

    • /isr_change_notification - sasl:kafka:cdrwa

    • /log_dir_event_notification -sasl:kafka:cdrwa

    • /delegation_token - sasl:kafka:cdrwa

    • /controller_epoch - sasl:kafka:cdrwa

    • /consumers - sasl:kafka:cdrwa

    • /config - sasl:kafka:cdrwa

In a secure Kafka cluster Cloudera recommends that the Enable Zookeeper ACL (zookeeper.set.acl) property is set to true. You can configure this property in Cloudera Manager by going to Kafka > Configuration. Once the property is set to true, run the zookeeper-security-migration tool with the zookeeper.acl option set to secure. Finally, reset the ACLs on the root node to allow full access.

For more information, see Kafka security hardening with Zookeeper ACLs.