Skip to main content
Quick navigation

ACLs

Introduction

info

As of the Gateway 3.1.0, the ACLs activation has been moved from the ACLs interceptor to the Gateway configuration.

Like in Kafka, you can define ACLs on the Gateway to restrict your applications access. This implies that the authentication is made on Gateway, and that you are not using a delegated mode.

Super Users

In order to create and manipulate ACLs, you have to define one of your application principal as super user.

To do so, you can add this principal to the environment variable GATEWAY_ADMIN_API_USERS in the Gateway configuration.

Example:

GATEWAY_ADMIN_API_USERS: "[{username: admin, password: conduktor, admin: true}, {username: super-admin, password: whatever, admin: true}]"

If the application principal is a bit complex (like UUID), you can use the Gateway user-mapping to map the principal to a simpler username.

As of now, you can create ACLs using the Conduktor Console or the Kafka CLI, using the credentials of the super user.

Delegate the ACLs management to a user

Defining a super user gives it the permissions to manage the ACLs, but also a full access to all the Kafka resources. If you'd like to, you can create a delegated admin user (which is not a super user) in order to assign ACLs only.

To do so, the only set of permissions the super user has to give to the delegated admin are the Alter and Describe on cluster.

Here is an example of command:

kafka-acls --bootstrap-server conduktor-gateway:6969 \
--command-config super-admin.properties \
--add \
--allow-principal User:delegated-admin --allow-host '*' \
--operation Alter --operation Describe --cluster

After having turned on the ACLs interceptor, the delegated admin will be able to manage other users ACLs.

ACLs Activation

To activate the ACLs, you need to add the following environment variable to your Gateway configuration:

Environment VariableDefaultDescription
GATEWAY_ACL_ENABLEDfalseEnable or disable the ACLs on the passthrough only
GATEWAY_ACL_STORE_ENABLEDfalseEnable or disable the ACLs only on virtual cluster, excluding passthrough

ACLs Creation

You can now create ACLs using either the Conduktor Console, or the Kafka CLI.

For example, you can run the following command line to list the ACLs on the Gateway:

kafka-acls \
--bootstrap-server conduktor-gateway:6969 \
--command-config super-admin.properties \
--list

And as the delegated admin, for instance, you can give visibility to all the topics to a user alice:

kafka-acls \
--bootstrap-server conduktor-gateway:6969 \
--command-config delegated-admin.properties \
--add \
--allow-principal User:alice --allow-host * \
--operation All --topic *