Kafka ACLs are the primary means of controlling access in a Kafka cluster. They enable Kafka administrators to define who can read from or write to a Kafka topic, who can create topics, and who can manage the cluster, among other actions. Each ACL contains a principal, a permission type, an operation, a resource type (e.g., cluster, topic, or group), and name. Although StreamNative Cloud provides a fully compatible Kafka service at the protocol layer, it doesn’t support Kafka ACLs directly. Instead, it uses Pulsar ACLs to control access to Kafka topics. This document describes how to map Kafka ACLs to Pulsar ACLs and manage them on StreamNative Cloud.

Understand Pulsar & Kafka ACLs

Both Kafka and Pulsar have access control lists (ACLs) to control access to resources. You grant permissions to principals (users or service accounts) to perform actions on resources. Pulsar allows you to grant permissions to users or service accounts at the namespace level or topic level.
  • If you grant the permissions at the namespace level, then the permissions apply to all the topics under the namespace.
  • If you grant the permissions at the topic level, then the permissions apply to the specific topic.

Understand Pulsar & Kafka actions

Pulsar supports the following authorization actions:
  • produce
  • consume
  • functions
  • sources
  • sinks
  • packages
Kafka has ACL operations similar to Pulsar authorization actions:
  • READ
  • IDEMPOTENT_WRITE
  • WRITE
  • DESCRIBE
  • CREATE
  • DELETE
  • ALTER
  • DESCRIBE_CONFIGS
  • ANY
  • ALTER_CONFIGS
  • CLUSTER_ACTION
  • UNKNOWN
  • ALL
In Pulsar, you can use pulsar-admin topics grant-permission command to grant permissions to a topic. Here is an example on how to grant produce action to a topic: 
pulsar-admin topics grant-permission \
    --actions produce \
    --role alice \
    test-topic
Similarly, in Kafka, you can use kafka-acls.sh command to grant permissions to a topic. Here is an example on how to grant WRITE and CREATE operations to a topic: 
bin/kafka-acls.sh --bootstrap-server localhost:9092 \
  --add --allow-principal User:alice \
  --operation Write --operation Create --topic test-topic

Mapping between Kafka and Pulsar ACLs

Because StreamNative Cloud doesn’t support Kafka ACLs directly, you need to map Kafka ACLs to Pulsar authorization actions. Below table shows the mapping between Kafka ACL operations and Pulsar authorization actions.
StreamNative Cloud only supports the ‘produce’ and ‘consume’ actions for topics. The principal with Super Admin (also known as Super User) permission can perform all operations.
Kafka ACL OperationPulsar Authorization Action
READconsume
WRITEproduce
IDEMPOTENT_WRITEproduce
CREATESuper User
DELETESuper User
ALTERSuper User
DESCRIBEproduce or consume
DESCRIBE_CONFIGSproduce or consume
CLUSTER_ACTIONN/A
ALTER_CONFIGSN/A
UNKNOWNN/A
ALLSuper User
ANYSuper User

Managed Pulsar ACLs using pulsar-admin

You can use pulsar-admin CLI to manage the ACLs, for example, grant produce and consume actions to role (aka principal) test-role in test-tenant/namespace1 namespace. 
pulsar-admin namespaces grant-permission test-tenant/namespace1 \
    --actions produce,consume \
    --role test-role
Here is another example that you can grant permissions on a client role to perform specific actions on a given topic. 
pulsar-admin topics grant-permission \
    --actions produce,consume \
    --role test-role \
    persistent://test-tenant/namespace1/tp1
To learn more about how to manage Pulsar ACLs, see Manage Pulsar ACLs.