Security

Authorizing Access when Kerberos is Enabled

Kafka ships with a pluggable Authorizer interface and an out-of-the-box authorizer implementation that stores Access Control Lists (ACLs) in ZooKeeper. Authorization can be managed either through Ranger (see the Kafka section of the Ranger Install Guide) or with Kafka's native ACLs.

A Kafka ACL entry has the following general format:

Principal P is [Allowed/Denied] Operation O From Host H On Resource R

where

  • Principal is any entity that can be authenticated by the system, such as a user account, a thread or process running in the security context of a user account, or a security group of such accounts. A principal is specified in the PrincipalType:PrincipalName format (for example, user:dev@EXAMPLE.COM); the principal field may be a comma-separated list of principals. Specify user:* to indicate all principals.

  • Operation can be one of: READ, WRITE, CREATE, DESCRIBE, or ALL.

  • Resource is a topic name, a consumer group name, or the string “kafka-cluster” to indicate a cluster-level resource (only used with a CREATE operation).

  • Host is the client host IP address. Specify * to indicate all hosts.

Note

For more information about ACL structure, including mappings between Operations values and Kafka protocol APIs, see the Apache KIP-11 Authorization Interface document.
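To make the entry format above concrete, here is an added example (not from the original page or the Kafka project) that parses entries written in that general format and evaluates an access request against them. It assumes the evaluation order used by Kafka's ZooKeeper-backed authorizer, namely that a matching Denied entry overrides any Allowed entry and that a resource with no entries at all is refused unless the broker is configured to allow everyone in that case; the sample entries and the allow_if_no_acl flag are constructed for the example, and the resource type (topic versus group) is omitted just as it is in the page's format.

```python
import re
from dataclasses import dataclass

OPERATIONS = {"READ", "WRITE", "CREATE", "DESCRIBE", "ALL"}
# One entry in the page's general format; every field is a single token.
ACL_RE = re.compile(r"^Principal (\S+) is (Allowed|Denied) Operation (\S+) "
                    r"From Host (\S+) On Resource (\S+)$")

@dataclass(frozen=True)
class Acl:
    principal: str   # PrincipalType:PrincipalName, e.g. user:dev@EXAMPLE.COM, or user:*
    allow: bool      # True for Allowed, False for Denied
    operation: str   # READ, WRITE, CREATE, DESCRIBE or ALL
    host: str        # client IP address, or * for all hosts
    resource: str    # topic name, consumer group name, or kafka-cluster

def parse_acl(line: str) -> Acl:
    """Parse one ACL entry; anything not in the stated format is rejected."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed ACL entry: {line!r}")
    principal, effect, op, host, resource = m.groups()
    if op.upper() not in OPERATIONS:
        raise ValueError(f"unknown operation {op!r} in {line!r}")
    return Acl(principal.lower(), effect == "Allowed", op.upper(), host, resource)

def _matches(acl: Acl, principal: str, operation: str, host: str) -> bool:
    """user:* matches every principal, * every host, ALL every operation."""
    return (acl.principal in (principal.lower(), "user:*")
            and acl.host in (host, "*")
            and acl.operation in (operation.upper(), "ALL"))

def authorize(acls, principal, operation, host, resource, allow_if_no_acl=False):
    """Assumed evaluation: a matching Denied entry beats any Allowed entry, and a
    resource with no entries at all is refused unless allow_if_no_acl is set."""
    relevant = [a for a in acls if a.resource == resource]
    if not relevant:
        return allow_if_no_acl
    matching = [a for a in relevant if _matches(a, principal, operation, host)]
    if any(not a.allow for a in matching):
        return False
    return any(a.allow for a in matching)

# Constructed sample entries (not from the original page).
SAMPLE_ACLS = [parse_acl(entry) for entry in [
    "Principal user:dev@EXAMPLE.COM is Allowed Operation READ From Host * On Resource orders",
    "Principal user:ops@EXAMPLE.COM is Allowed Operation ALL From Host * On Resource orders",
    "Principal user:* is Denied Operation WRITE From Host 10.0.0.7 On Resource orders",
    "Principal user:admin@EXAMPLE.COM is Allowed Operation CREATE From Host * On Resource kafka-cluster",
]]
```

The third sample entry shows why a Denied entry deserves care: because it is written for user:*, it blocks writes from that host even for ops@EXAMPLE.COM, whose ALL grant would otherwise apply.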