# Managed Kafka ACLs

Kafka ACLs are the primary means of controlling access in a Kafka cluster. They enable Kafka administrators to define who can read from or write to a Kafka topic, who can create topics, and who can manage the cluster, among other actions. Each ACL contains a principal, a permission type, an operation, a resource type (e.g., cluster, topic, or group), and a name.

Although StreamNative Cloud provides a fully compatible Kafka service at the protocol layer, it doesn't support Kafka ACLs directly. Instead, it uses Pulsar ACLs to control access to Kafka topics. This document describes how to map Kafka ACLs to [Pulsar ACLs](/cloud/security/access/access-control-lists/authorization-and-acls) and manage them on StreamNative Cloud.

## Understand Pulsar & Kafka ACLs

Both Kafka and Pulsar have access control lists (ACLs) to control access to resources. You grant permissions to principals (users or service accounts) to perform actions on resources.

Pulsar allows you to grant permissions to users or service accounts at the namespace level or topic level.

* If you grant the permissions at the namespace level, then the permissions apply to all the topics under the namespace.
* If you grant the permissions at the topic level, then the permissions apply to the specific topic.

### Understand Pulsar & Kafka actions

Pulsar supports the following authorization actions:

* produce
* consume
* functions
* sources
* sinks
* packages

Kafka has ACL operations similar to Pulsar authorization actions:

* READ
* IDEMPOTENT\_WRITE
* WRITE
* DESCRIBE
* CREATE
* DELETE
* ALTER
* DESCRIBE\_CONFIGS
* ANY
* ALTER\_CONFIGS
* CLUSTER\_ACTION
* UNKNOWN
* ALL

In Pulsar, you can use the `pulsar-admin topics grant-permission` command to grant permissions on a topic. The following example grants the `produce` action on `test-topic` to the role `alice`:

```bash theme={null}
pulsar-admin topics grant-permission \
    --actions produce \
    --role alice \
    test-topic
```

Similarly, in Kafka, you can use the `kafka-acls.sh` command to grant permissions on a topic. The following example grants the `WRITE` and `CREATE` operations on `test-topic` to the principal `User:alice`:

```bash theme={null}
bin/kafka-acls.sh --bootstrap-server localhost:9092 \
  --add --allow-principal User:alice \
  --operation Write --operation Create --topic test-topic
```

## Mapping between Kafka and Pulsar ACLs

Because StreamNative Cloud doesn't support Kafka ACLs directly, you need to map Kafka ACLs to Pulsar authorization actions. The table below shows the mapping between Kafka ACL operations and Pulsar authorization actions.

<Note title="Note">
  StreamNative Cloud only supports the 'produce' and 'consume' actions for topics. The principal with **Super Admin** (also known as **Super User**) permission can perform all operations.
</Note>

| Kafka ACL Operation | Pulsar Authorization Action |
| ------------------- | --------------------------- |
| READ                | `consume`                   |
| WRITE               | `produce`                   |
| IDEMPOTENT\_WRITE   | `produce`                   |
| CREATE              | Super User                  |
| DELETE              | Super User                  |
| ALTER               | Super User                  |
| DESCRIBE            | `produce` or `consume`      |
| DESCRIBE\_CONFIGS   | `produce` or `consume`      |
| CLUSTER\_ACTION     | N/A                         |
| ALTER\_CONFIGS      | N/A                         |
| UNKNOWN             | N/A                         |
| ALL                 | Super User                  |
| ANY                 | Super User                  |
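
The following added example (not part of StreamNative's tooling) applies the table to a list of existing Kafka ACL entries and produces the topic-level `pulsar-admin` grants, plus a review list for operations that cannot be granted as `produce` or `consume`. The names `plan`, `commands` and `SAMPLE` are hypothetical, and it assumes that a Kafka principal `User:alice` corresponds to the Pulsar role `alice`, as in the examples above.

```python
import shlex
from collections import defaultdict

# Kafka operation -> Pulsar action, copied from the mapping table on this page.
GRANTABLE = {"READ": "consume", "WRITE": "produce", "IDEMPOTENT_WRITE": "produce"}
EITHER = {"DESCRIBE", "DESCRIBE_CONFIGS"}          # covered by produce OR consume
SUPER_USER = {"CREATE", "DELETE", "ALTER", "ALL", "ANY"}
NOT_APPLICABLE = {"CLUSTER_ACTION", "ALTER_CONFIGS", "UNKNOWN"}
# Accept both enum names (IDEMPOTENT_WRITE) and CLI spellings (IdempotentWrite).
CANONICAL = {n.replace("_", ""): n for n in {*GRANTABLE, *EITHER, *SUPER_USER, *NOT_APPLICABLE}}

def plan(kafka_acls):
    """kafka_acls: (principal, operation, topic) tuples -> (grants, review)."""
    grants, describe_only, review = defaultdict(set), [], []
    for principal, operation, topic in kafka_acls:
        role = principal.split(":", 1)[-1]   # assumption: User:alice -> role alice
        op = CANONICAL.get(operation.replace("_", "").upper())
        if op is None:
            raise ValueError(f"not a Kafka ACL operation: {operation!r}")
        if op in GRANTABLE:
            grants[(role, topic)].add(GRANTABLE[op])
        elif op in EITHER:
            describe_only.append((role, topic, op))
        elif op in SUPER_USER:
            review.append((role, topic, op, "requires Super User"))
        else:
            review.append((role, topic, op, "N/A in the mapping table"))
    # DESCRIBE needs no grant of its own when produce or consume is already planned.
    for role, topic, op in describe_only:
        if (role, topic) not in grants:
            review.append((role, topic, op, "only covered by produce or consume"))
    return {key: sorted(actions) for key, actions in grants.items()}, review

def commands(grants):
    """Render the topic-level pulsar-admin calls for the planned grants."""
    fmt = "pulsar-admin topics grant-permission --actions {} --role {} {}"
    return [fmt.format(",".join(actions), shlex.quote(role), shlex.quote(topic))
            for (role, topic), actions in sorted(grants.items())]

# Constructed sample: alice's entries are the kafka-acls.sh example above.
SAMPLE = [
    ("User:alice", "Write", "test-topic"), ("User:alice", "Create", "test-topic"),
    ("User:bob", "READ", "test-topic"), ("User:bob", "Describe", "test-topic"),
    ("User:carol", "DESCRIBE_CONFIGS", "test-topic"), ("User:dave", "AlterConfigs", "test-topic"),
]

if __name__ == "__main__":
    grants, review = plan(SAMPLE)
    print(*commands(grants), *(f"REVIEW: {r}" for r in review), sep="\n")
```

Entries on the review list are left for a person to decide: a describe-only principal would otherwise receive `produce` or `consume`, which is broader than what it held in Kafka.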

## Manage Pulsar ACLs using `pulsar-admin`

You can use the `pulsar-admin` CLI to manage ACLs. For example, the following command grants the `produce` and `consume` actions to the role (also known as principal) `test-role` in the `test-tenant/namespace1` namespace.

```bash theme={null}
pulsar-admin namespaces grant-permission test-tenant/namespace1 \
    --actions produce,consume \
    --role test-role
```

Here is another example, which grants a client role permission to perform specific actions on a given topic.

```bash theme={null}
pulsar-admin topics grant-permission \
    --actions produce,consume \
    --role test-role \
    persistent://test-tenant/namespace1/tp1
```

To learn more about how to manage Pulsar ACLs, see [Manage Pulsar ACLs](/cloud/security/access/access-control-lists/authorization-and-acls).
