
In a secure Kafka environment, a user/principal must be explicitly authorized to read from or write to a Kafka topic, as shown below.

Grant Read/Write Access to a Topic

To add the following ACL:

"Principals user:bob and user:alice are allowed to perform Operation Read and Write on Topic Test-Topic from Host1 and Host2"

run the CLI with the following options:

bin/ --add --allow-principal User:bob --allow-principal User:alice --allow-host host1 --allow-host host2 --operation Read --operation Write --topic test-topic

Grant Full Access to Topic, Cluster, and Consumer Group

To add ACLs to a topic, specify --topic <topic-name> as the resource option. Similarly, to add ACLs to cluster, specify --cluster; to add ACLs to a consumer group, specify --consumer-group <group-name>.

The following examples grant full access for principal bob to topic test-topic and consumer group 10, across the cluster. Substitute your own values for principal name, topic name, and group name.

bin/ --topic test-topic --add --allow-principal user:bob --operation ALL --config /usr/hdp/current/kafka-broker/config/



The keyword "user" is not written consistently across these commands, which leads to improper authorizations taking effect.


The keyword "User" is case sensitive, and the required form depends on the version of Kafka in use:

Apache Kafka 0.8.2 requires the keyword "User".

From Apache Kafka 0.9 onwards, the keyword "user" must be used for authorizations.
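A pre-flight check for the inconsistency described above, as an added example that is not part of the original article: it scans ACL command lines and reports every principal whose keyword does not exactly match the form your Kafka version expects. The function names, the `acl-cli` stand-in for the CLI path, and the sample commands are constructed for illustration; the expected keyword is supplied by the caller.

```python
import shlex

PRINCIPAL_FLAGS = ("--allow-principal", "--deny-principal")
CASE_MISMATCH = "keyword differs only in case"
WRONG_TYPE = "unexpected principal keyword"
MALFORMED = "not in <keyword>:<name> form"


def principal_args(command):
    """Yield the value of every principal option in one ACL command line."""
    tokens = shlex.split(command)
    for i, tok in enumerate(tokens):
        if tok in PRINCIPAL_FLAGS and i + 1 < len(tokens):
            yield tokens[i + 1]                      # "--flag value" form
        else:
            for flag in PRINCIPAL_FLAGS:
                if tok.startswith(flag + "="):       # "--flag=value" form
                    yield tok[len(flag) + 1:]


def lint_principals(commands, expected_keyword):
    """Return (line_number, principal, reason) for each principal whose
    keyword is not byte-for-byte equal to expected_keyword."""
    findings = []
    for lineno, command in enumerate(commands, start=1):
        for value in principal_args(command):
            keyword, sep, name = value.partition(":")
            if not sep or not keyword or not name:
                findings.append((lineno, value, MALFORMED))
            elif keyword == expected_keyword:
                continue
            elif keyword.lower() == expected_keyword.lower():
                findings.append((lineno, value, CASE_MISMATCH))
            else:
                findings.append((lineno, value, WRONG_TYPE))
    return findings


# Constructed sample: the two commands from this article, with "acl-cli"
# standing in for the CLI path (an assumption, not a real tool name).
SAMPLE_COMMANDS = [
    "acl-cli --add --allow-principal User:bob --allow-principal User:alice "
    "--allow-host host1 --allow-host host2 --operation Read --operation Write "
    "--topic test-topic",
    "acl-cli --topic test-topic --add --allow-principal user:bob --operation ALL",
]

if __name__ == "__main__":
    for finding in lint_principals(SAMPLE_COMMANDS, expected_keyword="user"):
        print(finding)
```

Run it over the ACL commands in a provisioning script before applying them, passing the keyword form that matches the cluster's Kafka version.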


Probably better to remove the link to the Hortonworks Jira?

Thank you, removed it.