
ACL-based authorization in Kafka - Commands & Configuration

Introduction

Kafka ACL-based authorization controls who can read, write, or manage Kafka resources. It keeps your Kafka data safe by allowing only trusted, authenticated users to perform specific actions.

Use ACL-based authorization:
When you want to allow only certain users to produce messages to a topic.
When you want to restrict who can consume messages from a topic.
When you need to control who can create or delete topics.
When you want to secure Kafka clusters in a multi-tenant environment.
When you want to audit and manage permissions centrally.
Config File - server.properties
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:admin

# Enable ACLs
allow.everyone.if.no.acl.found=false

# Enable SASL for authentication
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
listeners=SASL_PLAINTEXT://:9092
sasl.enabled.mechanisms=PLAIN

This configuration enables ACL-based authorization using Kafka's SimpleAclAuthorizer.

authorizer.class.name: Enables ACL checks.
super.users: Defines admin users who bypass ACLs.
allow.everyone.if.no.acl.found: Set to false, denies access to any resource that has no ACL at all; set to true, it would leave every resource without an ACL open to everyone.
security.inter.broker.protocol and related settings enable SASL authentication for secure communication. ACLs are matched against the authenticated principal, so without SASL (or TLS client authentication) every client arrives as User:ANONYMOUS and ACLs cannot tell clients apart. The PLAIN mechanism also needs a JAAS configuration listing the users (the listener's sasl.jaas.config property or a JAAS file), which is not shown here, and PLAIN over a SASL_PLAINTEXT listener sends credentials unencrypted, so production listeners use SASL_SSL.
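To make the decision order behind these settings concrete, here is an added illustrative model, written for this page and not Kafka's own authorizer code, that evaluates a request against super.users, the ACL list and allow.everyone.if.no.acl.found the way the broker does: a super user is always allowed, a Deny rule beats an Allow rule, a resource with no ACLs falls back to the allow.everyone setting, and an Allow for Read, Write, Delete or Alter also satisfies a Describe request. Host matching and prefixed resource patterns are left out. Note that kafka.security.auth.SimpleAclAuthorizer was deprecated in Kafka 2.4 in favour of kafka.security.authorizer.AclAuthorizer and removed in 3.0; the decision rules modelled here are the same for both.

```python
"""Simplified model of a Kafka ACL authorization decision.

Added example for this page, not Kafka's own authorizer code. It reproduces
the documented decision order that the server.properties settings control:
a principal listed in super.users bypasses every check, an explicit Deny
beats any Allow, and a resource that has no ACLs at all falls back to
allow.everyone.if.no.acl.found. Hosts and prefixed patterns are omitted.
"""
from dataclasses import dataclass

# Kafka lets these operations stand in for Describe / DescribeConfigs when
# looking for an Allow rule (a Deny must name the operation or All exactly).
IMPLIED_BY = {
    "Describe": {"Read", "Write", "Delete", "Alter"},
    "DescribeConfigs": {"AlterConfigs"},
}


@dataclass(frozen=True)
class Acl:
    principal: str      # "User:alice"; "User:*" matches every user
    permission: str     # "Allow" or "Deny"
    operation: str      # "Read", "Write", "Describe", "All", ...
    resource_type: str  # "Topic", "Group", "Cluster", ...
    resource_name: str  # literal name; "*" matches every name of that type


def _bound_to(acl, resource_type, resource_name):
    """True if this ACL is attached to the requested resource."""
    return acl.resource_type == resource_type and acl.resource_name in (resource_name, "*")


def _matches(acl, principal, operation, permission, with_implied):
    """True if the ACL grants/denies this principal this operation."""
    if acl.permission != permission or acl.principal not in (principal, "User:*"):
        return False
    if acl.operation in ("All", operation):
        return True
    return with_implied and acl.operation in IMPLIED_BY.get(operation, set())


def authorize(principal, operation, resource_type, resource_name, acls,
              super_users=frozenset(), allow_everyone_if_no_acl_found=False):
    """Return "ALLOW" or "DENY" for a single request."""
    if principal in super_users:                       # super.users
        return "ALLOW"
    bound = [a for a in acls if _bound_to(a, resource_type, resource_name)]
    if not bound:                                      # allow.everyone.if.no.acl.found
        return "ALLOW" if allow_everyone_if_no_acl_found else "DENY"
    if any(_matches(a, principal, operation, "Deny", False) for a in bound):
        return "DENY"                                  # Deny wins over Allow
    if any(_matches(a, principal, operation, "Allow", True) for a in bound):
        return "ALLOW"
    return "DENY"                                      # ACLs exist but none allow this


def demo():
    """Decisions under the page's configuration plus the one ACL it adds (constructed data)."""
    super_users = {"User:admin"}
    acls = [Acl("User:alice", "Allow", "Read", "Topic", "my-topic")]
    deny_alice = acls + [Acl("User:alice", "Deny", "Read", "Topic", "my-topic")]

    def check(principal, op, topic, rules=acls, everyone=False):
        return authorize(principal, op, "Topic", topic, rules, super_users, everyone)

    return {
        "admin_write_my_topic": check("User:admin", "Write", "my-topic"),
        "alice_read_my_topic": check("User:alice", "Read", "my-topic"),
        "alice_describe_my_topic": check("User:alice", "Describe", "my-topic"),
        "alice_write_my_topic": check("User:alice", "Write", "my-topic"),
        "bob_read_my_topic": check("User:bob", "Read", "my-topic"),
        "alice_read_unprotected_topic": check("User:alice", "Read", "other-topic"),
        "alice_read_unprotected_topic_permissive": check("User:alice", "Read", "other-topic", everyone=True),
        "alice_read_with_deny": check("User:alice", "Read", "my-topic", rules=deny_alice),
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request:42} {decision}")
```

Running the file prints the decision for each constructed request. The rows worth studying are alice's Describe request, which is allowed by implication from her Read grant, and the unprotected topic, whose outcome flips entirely on allow.everyone.if.no.acl.found.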

Commands
Add an ACL that allows user 'alice' to read messages from the topic 'my-topic':

kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:alice --operation Read --topic my-topic

Expected output:
Added ACLs for resource `Topic:my-topic` for principal User:alice

--add - Add a new ACL rule
--allow-principal - Specify the user allowed
--operation - Specify the allowed action

List all ACLs set on the topic 'my-topic' so you can verify permissions:

kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 --list --topic my-topic

Expected output:
Current ACLs for resource `Topic:my-topic`: User:alice has Read permission

--list - List existing ACLs
--topic - Specify the topic to check

Remove the ACL that allowed user 'alice' to read from 'my-topic':

kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 --remove --allow-principal User:alice --operation Read --topic my-topic

Expected output:
Removed ACLs for resource `Topic:my-topic` for principal User:alice

--remove - Remove an existing ACL rule
--allow-principal - Specify the user to remove permission for
--operation - Specify the action to remove
Key Concept

If you remember nothing else from this pattern, remember: ACLs explicitly grant or deny user permissions on Kafka resources to secure access.

Common Mistakes

Not specifying the correct principal format like User:username
Kafka requires the principal to be in the format User:username to match ACLs correctly.
Always use the full principal format, for example, User:alice.

Forgetting to enable the authorizer.class.name in server.properties
Without enabling the authorizer, Kafka ignores ACLs and allows all access.
Set authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer in server.properties.

Using --add without specifying the resource like --topic or --group
Kafka needs to know which resource the ACL applies to; missing this causes errors.
Always specify the resource with flags like --topic my-topic or --group my-group.
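The following added example, which is not part of Kafka's tooling, is a small pre-flight wrapper for the commands shown above. It builds the argument vector for kafka-acls and refuses the mistakes listed under Common Mistakes before anything runs: a principal that is not in the User:<name> form, or --add/--remove without --topic or --group. The flag names are the ones the page uses; the optional --force flag, which makes kafka-acls --remove skip its interactive confirmation prompt, is a real kafka-acls option that the page does not mention. Execution is left to the caller, for example subprocess.run(argv).

```python
"""Pre-flight checks for kafka-acls invocations.

Added example for this page, not part of Kafka's tooling. It builds the argv
for the add / list / remove commands shown above and rejects the mistakes
listed under Common Mistakes (principal not in User:<name> form, --add or
--remove without a resource) before anything is executed. Flags are the
ones the page uses plus --force, a real kafka-acls option for --remove.
"""
import re
import shlex

PRINCIPAL_RE = re.compile(r"^User:\S+$")   # Kafka principals look like User:alice
OPERATIONS = {"Read", "Write", "Create", "Delete", "Alter", "Describe",
              "ClusterAction", "AlterConfigs", "DescribeConfigs",
              "IdempotentWrite", "All"}


def validation_error(action, principal=None, operation=None, topic=None, group=None):
    """Return a message describing the first problem found, or None if the call is well formed."""
    if action not in ("add", "list", "remove"):
        return f"unknown action {action!r}; use add, list or remove"
    if action == "list":
        return None                     # --list without a resource lists every ACL
    if topic is None and group is None:
        return "missing resource: pass --topic <name> or --group <name>"
    if principal is None or not PRINCIPAL_RE.match(principal):
        return f"principal {principal!r} must use the full form User:<name>, e.g. User:alice"
    if operation not in OPERATIONS:
        return f"unknown operation {operation!r}; expected one of {sorted(OPERATIONS)}"
    return None


def kafka_acls_argv(action, principal=None, operation=None, topic=None, group=None,
                    zookeeper="localhost:2181", force=False):
    """Build the kafka-acls argument vector, raising ValueError on a malformed request."""
    problem = validation_error(action, principal, operation, topic, group)
    if problem:
        raise ValueError(problem)
    argv = ["kafka-acls", "--authorizer-properties", f"zookeeper.connect={zookeeper}", f"--{action}"]
    if action in ("add", "remove"):
        argv += ["--allow-principal", principal, "--operation", operation]
    if topic is not None:
        argv += ["--topic", topic]
    if group is not None:
        argv += ["--group", group]
    if action == "remove" and force:
        argv.append("--force")          # skip the "Are you sure" prompt, e.g. in automation
    return argv


def render(argv):
    """Shell-quoted command line, suitable for a change log or audit trail."""
    return shlex.join(argv)


if __name__ == "__main__":
    print(render(kafka_acls_argv("add", "User:alice", "Read", topic="my-topic")))
    print(render(kafka_acls_argv("list", topic="my-topic")))
    print(render(kafka_acls_argv("remove", "User:alice", "Read", topic="my-topic", force=True)))
    # The two common mistakes from the page, caught before kafka-acls is ever called:
    print(validation_error("add", "alice", "Read", topic="my-topic"))
    print(validation_error("add", "User:alice", "Read"))
```

The rendered form of the first call is exactly the add command shown earlier on this page, so the wrapper can sit in a deployment script without changing what operators already type by hand.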
Summary
Configure Kafka server.properties to enable ACL-based authorization and authentication.
Use kafka-acls CLI commands to add, list, and remove ACLs for users on topics.
Always specify the full principal and resource when managing ACLs to avoid errors.