Kafka · How-To · Beginner · 4 min read

How to Use ACL in Kafka for Access Control

To use ACL in Kafka, enable authorization in the broker configuration and define access control rules using the kafka-acls.sh tool. ACLs specify which users can perform actions like READ, WRITE, or CREATE on Kafka resources such as topics or consumer groups.

Syntax

The kafka-acls.sh command manages ACLs in Kafka. The key options when adding an ACL are:

  • --add: Adds a new ACL rule.
  • --allow-principal: Specifies the user or principal allowed.
  • --operation: Defines the action allowed (e.g., READ, WRITE, CREATE).
  • --topic, --group, or --cluster: Specifies the Kafka resource.

Example syntax:

```bash
kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 \
  --add --allow-principal User:Alice --operation READ --topic my-topic
```

Example

This example shows how to enable ACLs on the Kafka broker and add a rule allowing user Alice to read from topic my-topic.

First, enable authorization in server.properties:

```properties
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
allow.everyone.if.no.acl.found=false
```

Then restart Kafka. Next, add the ACL:

```bash
kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 \
  --add --allow-principal User:Alice --operation READ --topic my-topic
```

Output:

```
Added ACLs for resource `Topic:my-topic` with operation `Read` for principal `User:Alice`.
```

Common Pitfalls

  • Not enabling authorizer.class.name in broker config disables ACL enforcement.
  • Using incorrect principal format (must be User:username).
  • Forgetting to specify the correct resource type (topic, group, cluster).
  • Assuming ACLs apply immediately without restarting Kafka after config changes.

Wrong example (missing principal prefix):

```bash
kafka-acls.sh --add --allow-principal Alice --operation READ --topic my-topic
```

Correct example:

```bash
kafka-acls.sh --add --allow-principal User:Alice --operation READ --topic my-topic
```
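As an added example (not code from the original article), here is a small shell wrapper that checks the principal format and resource type before composing the kafka-acls.sh call, so the bare `Alice` mistake above fails locally instead of at the broker; it also bundles the two READ grants a consumer needs (on the topic and on its consumer group), which goes slightly beyond the single-topic rule shown. `AUTHORIZER_PROPS`, `DRY_RUN` and the function names are assumptions of this example; kafka-acls.sh is assumed to be on PATH.

```bash
#!/usr/bin/env bash
# Added example, not from the article: validate inputs, then build the
# kafka-acls.sh --add command the article uses (zookeeper.connect form).
set -u
AUTHORIZER_PROPS="${AUTHORIZER_PROPS:-zookeeper.connect=localhost:2181}"  # assumed
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the command instead of running it

# Return 0 only if the principal has the required "User:username" form.
valid_principal() {
  case "$1" in
    User:?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 only if the resource type is one kafka-acls.sh accepts here.
valid_resource() {
  case "$1" in
    topic|group|cluster) return 0 ;;
    *) return 1 ;;
  esac
}

# build_add_acl PRINCIPAL OPERATION RESOURCE_TYPE [RESOURCE_NAME]
# Prints the command line on stdout, or prints an error and returns 2.
build_add_acl() {
  local principal="$1" op="$2" rtype="$3" rname="${4:-}" res
  valid_principal "$principal" || { echo "bad principal '$principal': use User:username" >&2; return 2; }
  valid_resource "$rtype"      || { echo "bad resource type '$rtype': topic|group|cluster" >&2; return 2; }
  res="--$rtype"
  if [ "$rtype" != cluster ]; then res="$res $rname"; fi   # --cluster takes no name
  printf 'kafka-acls.sh --authorizer-properties %s --add --allow-principal %s --operation %s %s\n' \
    "$AUTHORIZER_PROPS" "$principal" "$op" "$res"
}

# add_acl: same arguments; prints (DRY_RUN=1) or executes the command.
add_acl() {
  local cmd
  cmd=$(build_add_acl "$@") || return $?
  if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else eval "$cmd"; fi
}

# Minimal grants for one consumer: READ on the topic and READ on its group.
grant_consumer() {  # grant_consumer PRINCIPAL TOPIC GROUP
  add_acl "$1" READ topic "$2" && add_acl "$1" READ group "$3"
}
```

Run with `DRY_RUN=0` once the broker authorizer is enabled; with the default `DRY_RUN=1` it only prints the commands it would issue.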

Quick Reference

| Command Option | Description |
|---|---|
| --add | Add a new ACL rule |
| --remove | Remove an existing ACL rule |
| --allow-principal | Specify the user allowed (format: User:username) |
| --deny-principal | Specify the user denied |
| --operation | Action allowed or denied (READ, WRITE, CREATE, DELETE, etc.) |
| --topic | Target topic resource |
| --group | Target consumer group resource |
| --cluster | Target cluster resource |
| --authorizer-properties | Properties to connect to Zookeeper or Kafka for ACL management |

Key Takeaways

  • Enable authorization in the Kafka broker config to activate ACL enforcement.
  • Use the kafka-acls.sh tool with correct principal and resource syntax to manage ACLs.
  • Always specify the principal as User:username to avoid errors.
  • Restart Kafka after changing authorization settings for ACLs to take effect.
  • Test ACLs by attempting actions with allowed and disallowed users to verify permissions.