- Build Applications
- Kafka Clients
Kafka ACLs on StreamNative Cloud
Kafka ACLs are the primary means of controlling access in a Kafka cluster. They enable Kafka administrators to define who can read from or write to a Kafka topic, who can create topics, and who can manage the cluster, among other actions. Each ACL contains a principal, a permission type, an operation, a resource type (e.g., cluster, topic, or group), and name.
Apache Pulsar also has ACLs. Users need to use the grant-permission API for ACLs like produce, consume, source, sink, and admin. Since Ursa evolved from Apache Pulsar and supports both Apache Pulsar and Kafka, it reuses Apache Pulsar's ACLs and maps them to Kafka ACLs.
Understand Kafka ACLs on StreamNative Cloud
Both Kafka and Pulsar have roles. Each role has corresponding actions. Pulsar allows you to grant namespace-level or topic-level permission to users.
- If you grant namespace-level permission to a user, then the user can access all the topics under the namespace.
- If you grant topic-level permission to a user, then the user can access only the topic.
Pulsar authorization has actions bellow:
- produce
- consume
- functions
- sources
- sinks
- packages
Kafka has ACL operations similar to Pulsar actions:
- READ
- IDEMPOTENT_WRITE
- WRITE
- DESCRIBE
- CREATE
- DELETE
- ALTER
- DESCRIBE_CONFIGS
- ANY
- ALTER_CONFIGS
- CLUSTER_ACTION
- UNKNOWN
- ALL
For example, in Pulsar, if you want to grant produce actions to a topic, you should use the below command:
pulsar-admin topics grant-permission \
--actions produce \
--role alice \
test-topic
In Kafka it should be:
bin/kafka-acls.sh --bootstrap-server localhost:9092 \
--add --allow-principal User:alice \
--operation Write --operation Create --topic test-topic
Mapping Kafka ACL to Pulsar authorization action:
Note
StreamNative Cloud only supports the 'produce' and 'consume' actions. The superuser can perform all operations, while the tenant admin is currently not supported.
| Kafka ACL Operation | Pulsar Authorization Action |
|---|---|
| READ | consume |
| WRITE | produce |
| IDEMPOTENT_WRITE | produce |
| CREATE | Super user |
| DELETE | Super user |
| ALTER | Super user |
| DESCRIBE | produce or consume |
| DESCRIBE_CONFIGS | produce or consume |
| CLUSTER_ACTION | |
| ALTER_CONFIGS | |
| UNKNOWN | |
| ALL | |
| ANY |
How to manage authorization using Apache Pulsar admin CLI
On StreamNative Cloud, you can use Pulsar Admin CLI to manage the ACL, for example, grant produce and consume actions to role test-role in test-tenant/namespace1 namespace.
pulsar-admin namespaces grant-permission test-tenant/namespace1 \
--actions produce,consume \
--role test-role
Or you can grant permissions on a client role to perform specific actions on a given topic in the following ways.
pulsar-admin topics grant-permission \
--actions produce,consume \
--role test-role \
persistent://test-tenant/namespace1/tp1
To use StreamNative Cloud Console to manage the Authorization and ACL, see Access Control for more details.