ACLs
Introduction
Like in Kafka, you can define ACLs on the Gateway to restrict your applications access. This implies that the authentication is made on Gateway, and that you are not using a delegated mode. This interceptor is made to activate these ACLs.
This interceptor is not supported anymore, as of Gateway 3.1.0. If you are using a more recent version, please refer to this page.
Super Users
In order to create and manipulate ACLs, you have to define one of your application principal as super user.
To do so, you can add this principal to the environment variable GATEWAY_ADMIN_API_USERS
in the Gateway configuration.
Example:
GATEWAY_ADMIN_API_USERS: "[{username: admin, password: conduktor, admin: true}, {username: super-admin, password: whatever, admin: true}]"
If the application principal is a bit complex (like UUID), you can use the Gateway user-mapping to map the principal to a simpler username.
As of now, you can create ACLs using the Conduktor Console or the Kafka CLI, using the credentials of the super user.
Delegate the ACLs management to a user
Defining a super user gives it the permissions to manage the ACLs, but also a full access to all the Kafka resources. If you'd like to, you can create a delegated admin user (which is not a super user) in order to assign ACLs only.
To do so, the only set of permissions the super user has to give to the delegated admin are the Alter
and Describe
on cluster.
Here is an example of command:
kafka-acls --bootstrap-server conduktor-gateway:6969 \
--command-config super-admin.properties \
--add \
--allow-principal User:delegated-admin --allow-host '*' \
--operation Alter --operation Describe --cluster
After having turned on the ACLs interceptor, the delegated admin will be able to manage other users ACLs.
Supported ACLs
Conduktor Gateway supports all Kafka ACLs except the following:
- Any ACL where the Resource is DelegationToken
- Restricting listTransactionsRequest with TransactionalId Resource ACLs
Note: Conduktor Gateway does not support partial application of ACLs, a request will fail or succeed in its entirety if an appropriate ACL is applied.
Manipulating ACLs
Conduktor Gateway supports the usual ACL manipulation tooling documented here
ACLs are applied independently for each vCluster. When creating ACLs, ensure that the credentials used are for the appropriate vCluster.
Configuration
{
"name": "myAclInterceptor",
"pluginClass": "io.conduktor.gateway.interceptor.AclsInterceptorPlugin",
"priority": 100,
"config": {
}
}