Last active
December 29, 2019 03:04
-
-
Save kafagy/00ba5315c82e7c6ec2ec05cd56278aed to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## ACL Authorization | |
| # Create a test topic. | |
| kafka-topics --bootstrap-server zoo1:9092 --create --topic acl-test --partitions 1 --replication-factor 1 | |
| # On all three brokers, enable ACL authorization in server.properties. | |
| sudo vi /etc/kafka/server.properties | |
| # Add the following lines. | |
| authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer | |
| super.users=User:admin | |
| allow.everyone.if.no.acl.found=true | |
| ssl.principal.mapping.rules=RULE:^CN=(.*?),OU=.*$/$1/,DEFAULT | |
| # Restart Kafka, and check its status. | |
| sudo systemctl restart confluent-kafka | |
| sudo systemctl status confluent-kafka | |
| # Write some data to the topic. This should work since the topic has no ACLs and allow.everyone.if.no.acl.found is set to true. | |
| kafka-console-producer --broker-list zoo1:9093 --topic acl-test --producer.config client-ssl.properties | |
| # Add an ACL to allow otheruser to write to the topic. | |
| kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:otheruser --operation all --topic acl-test | |
| # Attempt to write to the topic again. This time it should fail, since the topic has an ACL but not one that allows kafkauser to write to it. | |
| kafka-console-producer --broker-list zoo1:9093 --topic acl-test --producer.config client-ssl.properties | |
| # Create an ACL allowing kafkauser to write to the acl-test topic. | |
| kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:kafkauser --operation write --topic acl-test | |
| # Attempt to write to the topic once more. This time it should succeed. | |
| kafka-console-producer --broker-list zoo1:9093 --topic acl-test --producer.config client-ssl.properties | |
| ## More Examples | |
| # Creates the ACL for user kafkauser to read and write to and from a topic | |
| kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:kafkauser --operation read --operation write --topic inventory_purchases | |
| # Lists the ACLs for a specific topic | |
| kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 --topic member_signups --list | |
| # Removes all existing ACLs for a topic. | |
| kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 --topic member_signups --remove | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment