Kafka Authorization Using ACLs

30 minutes

About this Hands-on Lab

Kafka provides granular control over access to cluster resources (topics, consumer groups, the cluster itself) and the operations on them through ACLs. In this hands-on lab, you will work with ACLs in Kafka by making some changes to an existing cluster in order to provide access to a new user. This will give you a hands-on introduction to the use of ACLs to manage authorization in Kafka.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Add an ACL to Give `kafkauser` Read and Write Access to the `inventory_purchases` Topic
  1. Create the ACL (the documented operation names are `Read` and `Write`).

    kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:kafkauser --operation Read --operation Write --topic inventory_purchases
  2. Verify that the read access works by consuming from the topic. A consumer also needs `Read` on its consumer group; the console consumer's auto-generated group has no ACLs, and because `allow.everyone.if.no.acl.found` is `true` on this cluster that access is granted implicitly. On a cluster where that setting is `false`, a matching `--group` ACL would be required as well.

    kafka-console-consumer --bootstrap-server zoo1:9093 --topic inventory_purchases --from-beginning --consumer.config client-ssl.properties
  3. Verify that the write access works by writing data to the topic. Type a few messages, then press Ctrl-C to exit; an authorization failure would show up as a `TopicAuthorizationException` in the producer output.

    kafka-console-producer --broker-list zoo1:9093 --topic inventory_purchases --producer.config client-ssl.properties
Remove All Existing ACLs for the `member_signups` Topic
  1. List the ACLs for the topic.

    kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 --topic member_signups --list
  2. Remove all existing ACLs for the topic. `kafka-acls` asks for confirmation before deleting; answer `y`, or add `--force` to skip the prompt.

    kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 --topic member_signups --remove
  3. Verify that you can read from the topic as `kafkauser`. No ACL is defined for `member_signups` any more, so with `allow.everyone.if.no.acl.found=true` every principal is allowed, including `kafkauser`.

    kafka-console-consumer --bootstrap-server zoo1:9093 --topic member_signups --from-beginning --consumer.config client-ssl.properties
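Both objectives above end with a client-side read or write as the check. The script below is an added example, not part of the lab and not Kafka's own tooling: it parses `kafka-acls --list` output and checks the intended end state directly (kafkauser holds Read and Write on inventory_purchases, and member_signups has no ACLs left), and it treats a Deny entry for the same principal and operation as overriding an Allow. It assumes the Kafka 2.x ZooKeeper-based AclCommand listing format that the lab's `--authorizer-properties` invocation produces; the listings embedded in it are constructed sample output, and `User:dataservice` is an invented principal. It runs stand-alone on those samples; on the lab host, pipe the real listing into `verify_lab_state` instead.

```shell
#!/bin/sh
# Added example for the Kafka ACL lab; not part of the lab material or of Kafka.
# Parses `kafka-acls --list` output and checks the end state of both objectives.
#
# Assumptions: the listing is in the Kafka 2.x ZooKeeper-based AclCommand format,
#   Current ACLs for resource `Topic:LITERAL:<name>`:
#       <principal> has Allow|Deny permission for operations: <Op> from hosts: <host>
# Newer brokers print ResourcePattern(...)/AclBinding lines and need another parser.
# All listings and the principal User:dataservice below are constructed samples.
set -eu

# Normalise a listing (stdin) into tab-separated rows:
#   <resource type> <resource name> <principal> <Allow|Deny> <operation> <host>
acl_entries() {
  awk '
    /^Current ACLs for resource `/ {
      s = $0
      sub(/^Current ACLs for resource `/, "", s)
      sub(/`:.*$/, "", s)                   # s = Topic:LITERAL:inventory_purchases
      n = split(s, p, ":")
      rtype = p[1]; rname = p[n]            # works with or without the pattern type
      next
    }
    / has (Allow|Deny) permission for operations: / {
      line = $0
      gsub(/^[ \t]+|[ \t]+$/, "", line)
      i = index(line, " has ")
      principal = substr(line, 1, i - 1)    # may contain spaces (e.g. an SSL DN)
      split(substr(line, i + 5), f, " ")    # f[1]=Allow f[5]=Read f[8]=host
      print rtype "\t" rname "\t" principal "\t" f[1] "\t" f[5] "\t" f[8]
    }'
}

# has_allow <type> <name> <principal> <operation>: succeed when the listing on
# stdin grants the operation and no Deny for the same tuple overrides it.
# Only an exact operation match counts; an "All" grant is deliberately not
# expanded, so a pass means an explicit ACL for that operation exists.
has_allow() {
  acl_entries | awk -F'\t' -v rt="$1" -v n="$2" -v p="$3" -v o="$4" '
    $1 == rt && $2 == n && $3 == p && tolower($5) == tolower(o) {
      if ($4 == "Allow") allow = 1; else deny = 1
    }
    END { exit !(allow && !deny) }'
}

# topic_is_unrestricted <topic>: succeed when no ACL at all remains on the topic.
# With allow.everyone.if.no.acl.found=true that means every principal may use it.
topic_is_unrestricted() {
  acl_entries | awk -F'\t' -v t="$1" '$1 == "Topic" && $2 == t { n++ } END { exit (n + 0) > 0 }'
}

# verify_lab_state: read a listing on stdin and check both lab objectives.
verify_lab_state() {
  _listing=$(cat)
  printf '%s\n' "$_listing" | has_allow Topic inventory_purchases User:kafkauser Read \
    || { echo "FAIL: no Read ACL on inventory_purchases for User:kafkauser" >&2; return 1; }
  printf '%s\n' "$_listing" | has_allow Topic inventory_purchases User:kafkauser Write \
    || { echo "FAIL: no Write ACL on inventory_purchases for User:kafkauser" >&2; return 1; }
  printf '%s\n' "$_listing" | topic_is_unrestricted member_signups \
    || { echo "FAIL: member_signups still has ACLs" >&2; return 1; }
  echo "OK: ACL state matches both lab objectives"
}

# Constructed sample listing BEFORE the changes: member_signups restricted to an
# invented principal, no ACLs on inventory_purchases.
BEFORE='Current ACLs for resource `Topic:LITERAL:member_signups`: 
    User:dataservice has Allow permission for operations: Read from hosts: *
    User:dataservice has Allow permission for operations: Write from hosts: * 
'

# Constructed sample listing AFTER both objectives have been applied.
AFTER='Current ACLs for resource `Topic:LITERAL:inventory_purchases`: 
    User:kafkauser has Allow permission for operations: Read from hosts: *
    User:kafkauser has Allow permission for operations: Write from hosts: * 
'

# Stand-alone demo on the constructed listings. On the lab host run instead:
#   kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 --list | verify_lab_state
if printf '%s\n' "$BEFORE" | verify_lab_state; then
  echo "unexpected: BEFORE listing passed" >&2; exit 1
fi
printf '%s\n' "$AFTER" | verify_lab_state
```

The checker looks only at the authorizer's stored state, so it confirms the ACL change itself rather than one client's success, and it catches a stray Deny entry that a single successful console read would not reveal.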

Additional Resources

Your supermarket company uses client authentication and ACLs to manage access to a Kafka cluster. ACLs are configured for some existing topics, but new requirements mean changes are needed to allow access for a new client user called kafkauser. Note that allow.everyone.if.no.acl.found is set to true for this cluster: a resource with no ACLs at all is open to every principal, so removing the last ACL from a topic opens it up rather than locking it down.

Implement the following authorization changes to the cluster:

  • Provide kafkauser with read and write access to the inventory_purchases topic
  • Remove all existing ACLs for the member_signups topic to allow access to all users, including kafkauser

There is a client configuration file on the server located at /home/cloud_user/client-ssl.properties. This configuration will allow you to authenticate as kafkauser.

If you get stuck, feel free to check out the solution video, or the detailed instructions under each objective. Good luck!

