Differences with Kafka ACLs in KSN

Kafka ACLs are the primary means of controlling access in a Kafka cluster. They enable Kafka administrators to define who can read from or write to a Kafka topic, who can create topics, and who can manage the cluster, among other actions. Each ACL contains a principal, a permission type, an operation, a resource type (e.g., cluster, topic, or group), and a name.

Apache Pulsar also has ACLs. Users grant actions such as produce, consume, source, sink, and admin through the grant-permission API. Since KSN is an Apache Pulsar protocol handler plugin, it reuses Apache Pulsar's ACLs and maps them to Kafka ACLs.

Differences with Kafka ACLs in KSN

Both Kafka and KSN have roles. Each role has corresponding actions. Pulsar allows you to grant namespace-level or topic-level permission to users.

  • If you grant namespace-level permission to a user, then the user can access all the topics under the namespace.
  • If you grant topic-level permission to a user, then the user can access only the topic.

Pulsar authorization has the following actions:

  • produce
  • consume
  • functions
  • sources
  • sinks
  • packages

Kafka has ACL operations similar to Pulsar actions:

  • READ
  • IDEMPOTENT_WRITE
  • WRITE
  • DESCRIBE
  • CREATE
  • DELETE
  • ALTER
  • DESCRIBE_CONFIGS
  • ANY
  • ALTER_CONFIGS
  • CLUSTER_ACTION
  • UNKNOWN
  • ALL

For example, in Pulsar, to grant the produce action on a topic, use the following command:

pulsar-admin topics grant-permission \
    --actions produce \
    --role alice \
    test-topic

In Kafka it should be:

bin/kafka-acls.sh --bootstrap-server localhost:9092 \
  --add --allow-principal User:alice \
  --operation Write --operation Create --topic test-topic

Mapping Kafka ACL to Pulsar authorization action:

Note

In KSN, we only support the 'produce' and 'consume' actions. The superuser can perform all operations, while the tenant admin is currently not supported.

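| Kafka ACL Operation | Pulsar Authorization Action |
|---------------------|-----------------------------|
| READ                | consume                     |
| WRITE               | produce                     |
| IDEMPOTENT_WRITE    | produce                     |
| CREATE              | Super user                  |
| DELETE              | Super user                  |
| ALTER               | Super user                  |
| DESCRIBE            | produce or consume          |
| DESCRIBE_CONFIGS    | produce or consume          |
| CLUSTER_ACTION      |                             |
| ALTER_CONFIGS       |                             |
| UNKNOWN             |                             |
| ALL                 |                             |
| ANY                 |                             |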
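
The mapping above, applied as an added example (not KSN or StreamNative code): this Python code turns a list of Kafka ACL operations into the `pulsar-admin topics grant-permission` command that covers them, and separates out operations that need a superuser or that the table leaves unmapped. The function names, and the choice of consume when only DESCRIBE-style operations are requested, are assumptions of the example.

```python
import shlex

# Kafka ACL operation -> Pulsar action(s), copied from the mapping table on this page.
# A set holds the actions that satisfy the operation; None means the page lists no action.
SUPERUSER = "superuser"
KAFKA_TO_PULSAR = {
    "READ": {"consume"},
    "WRITE": {"produce"},
    "IDEMPOTENT_WRITE": {"produce"},
    "DESCRIBE": {"produce", "consume"},          # either action is enough
    "DESCRIBE_CONFIGS": {"produce", "consume"},  # either action is enough
    "CREATE": SUPERUSER, "DELETE": SUPERUSER, "ALTER": SUPERUSER,
    "CLUSTER_ACTION": None, "ALTER_CONFIGS": None,
    "UNKNOWN": None, "ALL": None, "ANY": None,
}
# Accept both the enum spelling (IDEMPOTENT_WRITE) and the CLI spelling (Write, Create).
_LOOKUP = {name.replace("_", ""): target for name, target in KAFKA_TO_PULSAR.items()}


def plan_grant(operations):
    """Return (actions, superuser_ops, unmapped_ops) for the requested Kafka operations."""
    actions, either_ok, superuser_ops, unmapped = set(), False, [], []
    for op in operations:
        target = _LOOKUP.get(op.replace("_", "").upper())
        if target is None:
            unmapped.append(op)          # no grantable action, or not a known operation
        elif target == SUPERUSER:
            superuser_ops.append(op)     # cannot be delegated with grant-permission
        elif len(target) == 1:
            actions |= target
        else:
            either_ok = True
    # Assumption of this example: when only DESCRIBE-style operations are requested,
    # grant consume rather than produce so the role gains no write access.
    if either_ok and not actions:
        actions.add("consume")
    return sorted(actions), superuser_ops, unmapped


def grant_command(role, topic, operations):
    """Build the pulsar-admin command, refusing requests a topic grant cannot cover."""
    actions, superuser_ops, unmapped = plan_grant(operations)
    if superuser_ops or unmapped or not actions:
        raise ValueError(f"not grantable: superuser={superuser_ops} unmapped={unmapped}")
    return ("pulsar-admin topics grant-permission --actions " + ",".join(actions)
            + f" --role {shlex.quote(role)} {shlex.quote(topic)}")
```

Run against the Kafka command shown earlier (`Write` plus `Create`), `plan_grant` returns produce as the grantable action and lists `Create` separately, because the table assigns CREATE to the superuser.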

How to manage authorization using Apache Pulsar admin CLI

In KSN, we can use the Admin CLI to manage ACLs. For example, grant the produce and consume actions to role test-role in the test-tenant/namespace1 namespace:

pulsar-admin namespaces grant-permission test-tenant/namespace1 \
    --actions produce,consume \
    --role test-role

Or you can grant a client role permission to perform specific actions on a given topic, as follows:

pulsar-admin topics grant-permission \
    --actions produce,consume \
    --role test-role \
    persistent://test-tenant/namespace1/tp1

To use StreamNative Cloud Console to manage authorization and ACLs, see Authorization and ACL for more details.