
Kafka ACLs on StreamNative Cloud

Kafka ACLs are the primary means of controlling access in a Kafka cluster. They enable Kafka administrators to define who can read from or write to a Kafka topic, who can create topics, and who can manage the cluster, among other actions. Each ACL contains a principal, a permission type, an operation, a resource type (e.g., cluster, topic, or group), and a resource name.

Apache Pulsar also has ACLs. Users need to use the grant-permission API for ACLs like produce, consume, source, sink, and admin. Since Ursa evolved from Apache Pulsar and supports both Apache Pulsar and Kafka, it reuses Apache Pulsar's ACLs and maps them to Kafka ACLs.

Understand Kafka ACLs on StreamNative Cloud

Both Kafka and Pulsar have roles. Each role has corresponding actions. Pulsar allows you to grant namespace-level or topic-level permission to users.

  • If you grant namespace-level permission to a user, then the user can access all the topics under the namespace.
  • If you grant topic-level permission to a user, then the user can access only the topic.

Pulsar authorization has the following actions:

  • produce
  • consume
  • functions
  • sources
  • sinks
  • packages

Kafka has ACL operations similar to Pulsar actions:

  • READ
  • IDEMPOTENT_WRITE
  • WRITE
  • DESCRIBE
  • CREATE
  • DELETE
  • ALTER
  • DESCRIBE_CONFIGS
  • ANY
  • ALTER_CONFIGS
  • CLUSTER_ACTION
  • UNKNOWN
  • ALL

For example, in Pulsar, to grant the produce action on a topic, use the following command:

pulsar-admin topics grant-permission \
    --actions produce \
    --role alice \
    test-topic

In Kafka it should be:

bin/kafka-acls.sh --bootstrap-server localhost:9092 \
  --add --allow-principal User:alice \
  --operation Write --operation Create --topic test-topic

Mapping Kafka ACL to Pulsar authorization action:

Note

StreamNative Cloud only supports the 'produce' and 'consume' actions. The superuser can perform all operations, while the tenant admin is currently not supported.

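| Kafka ACL Operation | Pulsar Authorization Action |
|---------------------|-----------------------------|
| READ                | consume                     |
| WRITE               | produce                     |
| IDEMPOTENT_WRITE    | produce                     |
| CREATE              | Super user                  |
| DELETE              | Super user                  |
| ALTER               | Super user                  |
| DESCRIBE            | produce or consume          |
| DESCRIBE_CONFIGS    | produce or consume          |
| CLUSTER_ACTION      |                             |
| ALTER_CONFIGS       |                             |
| UNKNOWN             |                             |
| ALL                 |                             |
| ANY                 |                             |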
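
When porting existing Kafka ACLs, it helps to check which operations a role grant can actually cover before running pulsar-admin. The following is an added example, not StreamNative or Pulsar code: the helper `plan_grant` and its reason strings are hypothetical, and the mapping is copied from the table above.

```python
import shlex

# Kafka operation -> Pulsar actions that satisfy it, copied from the table above.
SATISFIED_BY = {
    "READ": {"consume"},
    "WRITE": {"produce"},
    "IDEMPOTENT_WRITE": {"produce"},
    "DESCRIBE": {"produce", "consume"},
    "DESCRIBE_CONFIGS": {"produce", "consume"},
}
SUPERUSER_ONLY = {"CREATE", "DELETE", "ALTER"}
ACTION_ORDER = ("produce", "consume")


def plan_grant(role, topic, kafka_ops):
    """Hypothetical helper: return (actions, command, rejected).

    actions  - smallest list of Pulsar actions covering the grantable operations
    command  - pulsar-admin command line for that grant, or None
    rejected - {operation: reason} for anything a role grant cannot provide
    """
    ops = {op.upper() for op in kafka_ops}
    rejected = {}
    for op in ops:
        if op in SUPERUSER_ONLY:
            rejected[op] = "superuser only"
        elif op not in SATISFIED_BY:
            rejected[op] = "no Pulsar action listed"
    grantable = ops - set(rejected)
    # Operations with a single satisfying action decide the grant.
    actions = set()
    for op in grantable:
        if len(SATISFIED_BY[op]) == 1:
            actions |= SATISFIED_BY[op]
    # "produce or consume" operations ride on whatever is already granted;
    # alone they are ambiguous, so ask the caller instead of guessing.
    for op in grantable:
        if not SATISFIED_BY[op] & actions:
            rejected[op] = "needs produce or consume; choose one explicitly"
    if not actions:
        return [], None, rejected
    ordered = [a for a in ACTION_ORDER if a in actions]
    argv = ["pulsar-admin", "topics", "grant-permission",
            "--actions", ",".join(ordered), "--role", role, topic]
    return ordered, shlex.join(argv), rejected


if __name__ == "__main__":
    # The Kafka example from this page: Write + Create on test-topic for alice.
    print(plan_grant("alice", "test-topic", ["Write", "Create"]))
```

For the page's Kafka example (Write plus Create), the plan grants only produce and reports CREATE as superuser only, so topic creation has to be handled separately from the role grant.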

How to manage authorization using Apache Pulsar admin CLI

On StreamNative Cloud, you can use the Pulsar Admin CLI to manage ACLs. For example, to grant the produce and consume actions to the role test-role in the test-tenant/namespace1 namespace:

pulsar-admin namespaces grant-permission test-tenant/namespace1 \
    --actions produce,consume \
    --role test-role

Alternatively, you can grant a client role permission to perform specific actions on a given topic:

pulsar-admin topics grant-permission \
    --actions produce,consume \
    --role test-role \
    persistent://test-tenant/namespace1/tp1

To use StreamNative Cloud Console to manage the Authorization and ACL, see Access Control for more details.
