Created on 12-10-2019 08:16 AM - edited on 06-07-2022 07:55 AM by cjervis
This video describes how Kafka ACLs work in HDP. This method is not supported in CDP7; please investigate Ranger Authorization for ACLs in CDP.
Open the video on YouTube here
Apache Kafka comes with an authorizer implementation that uses ZooKeeper to store all the ACLs. The ACLs have to be set because, when an authorizer is configured, access to resources is limited to super users. By default, if a resource has no associated ACLs, then no one is allowed to access the resource, except super users.
The following are the main ACL commands:
Add ACLs:
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=<zkHost>:<zkPort> --add --allow-principal User:<username> --operation All --topic <topicName> --group=*
In the above command, ACLs are added to allow a principal to perform All operations on the specified topic. The following are the available operations:
- Read
- Write
- Create
- Delete
- Alter
- Describe
- ClusterAction
- DescribeConfigs
- AlterConfigs
- IdempotentWrite
- All
Using --group=* means that this user is allowed to create any group when running a Kafka consumer.
The following is the command to list ACLs:
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=<zkHost>:<zkPort> --list
In the above command, the available ACLs are listed for the Kafka cluster using --list.
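The following added example (not part of the original article or of Kafka) audits the text printed by the --list command and reports Allow entries that use operation All, a wildcard resource such as --group=*, or a wildcard principal. The listing layout, the optional LITERAL/PREFIXED pattern type, and all sample principals, topics and hosts are assumptions constructed for illustration.

```python
import re

# Constructed sample of `kafka-acls.sh --list` output; the layout is an assumption.
SAMPLE_LISTING = """\
Current ACLs for resource `Topic:orders`:
  User:etl has Allow permission for operations: All from hosts: *
  User:report has Allow permission for operations: Read from hosts: 10.0.0.5

Current ACLs for resource `Group:*`:
  User:etl has Allow permission for operations: All from hosts: *

Current ACLs for resource `Group:report-app`:
  User:report has Allow permission for operations: Read from hosts: 10.0.0.5
"""

# Header line; tolerates an optional pattern type between type and name (assumption).
RESOURCE_RE = re.compile(
    r"^Current ACLs for resource `(\w+):(?:(?:LITERAL|PREFIXED):)?(.+)`:\s*$")
ENTRY_RE = re.compile(
    r"^\s*(\S+) has (Allow|Deny) permission for operations: (\w+) from hosts: (\S+)\s*$")


def parse_acls(listing):
    """Return one dict per ACL entry found in the listing text."""
    acls, resource = [], None
    for line in listing.splitlines():
        header = RESOURCE_RE.match(line)
        if header:
            resource = header.groups()
            continue
        entry = ENTRY_RE.match(line)
        if entry and resource:
            principal, permission, operation, host = entry.groups()
            acls.append({"type": resource[0], "name": resource[1], "principal": principal,
                         "permission": permission, "operation": operation, "host": host})
    return acls


def broad_grants(acls):
    """Return (acl, reasons) for Allow entries broader than one operation on one named resource."""
    findings = []
    for acl in acls:
        checks = [("operation All", acl["operation"] == "All"),
                  ("wildcard resource", acl["name"] == "*"),
                  ("wildcard principal", acl["principal"] == "User:*")]
        reasons = [label for label, hit in checks if hit]
        if acl["permission"] == "Allow" and reasons:
            findings.append((acl, reasons))
    return findings


if __name__ == "__main__":
    for acl, reasons in broad_grants(parse_acls(SAMPLE_LISTING)):
        print(f'{acl["principal"]} on {acl["type"]}:{acl["name"]}: {", ".join(reasons)}')
```

Each reported entry is a candidate for replacing All with only the operations the principal needs and the wildcard with a named topic or group.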
More details about the available ACL options can be found in the following references: