Start from a local Gateway with ACLs enabled (GATEWAY_ACL_ENABLED: true) and a super user declared (GATEWAY_SUPER_USERS: local-acl-admin); its admin API is reachable at http://localhost:8888. In this guide, we'll use the service-account and the token endpoints.

In the service-account section of the Gateway API documentation, you'll notice that to create a service account on Gateway, you have to choose between a local and an external service account. A local service account is managed by Gateway itself, while an external service account is managed by an external OIDC identity provider.
Find out more about Gateway authentication and authorization.
Start a local Gateway with the above configuration using a docker-compose file that sets those two environment variables.
Let's create a local service account called local-app-finance-dev in the passthrough Virtual Cluster, then request a token for it. The response has a token field containing the secret key. We now have the local-app-finance-dev service account and its secret key. Create a file local-client.properties with the credentials we've just generated to connect to Gateway.
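The three steps above (create the local account, request a token, write the client file), as an added example in POSIX shell; this is not code from the Conduktor docs or the Gateway project. It assumes the admin API on http://localhost:8888 with the default admin:conduktor basic-auth credentials, the v2 request bodies for /gateway/v2/service-account and /gateway/v2/token, and Gateway's Kafka listener on localhost:6969; check all of these against the API reference for your Gateway version.

```shell
# Added example, not from the Conduktor docs or the Gateway project.
# Creates a LOCAL service account in the passthrough Virtual Cluster, requests a
# token for it, and writes a SASL/PLAIN client properties file.
# Assumed (verify against the API reference of your Gateway version):
#   - admin API at http://localhost:8888, HTTP basic auth admin:conduktor
#   - PUT /gateway/v2/service-account and POST /gateway/v2/token request bodies
#   - Gateway's Kafka listener on localhost:6969 without TLS (local lab only)
# Set GATEWAY_DRY_RUN=1 to print the requests instead of sending them.

GATEWAY_ADMIN_URL="${GATEWAY_ADMIN_URL:-http://localhost:8888}"
GATEWAY_ADMIN_AUTH="${GATEWAY_ADMIN_AUTH:-admin:conduktor}"
GATEWAY_BOOTSTRAP="${GATEWAY_BOOTSTRAP:-localhost:6969}"

# gateway_api METHOD PATH JSON: call the admin API (or echo the call in dry-run mode)
gateway_api() {
  if [ -n "$GATEWAY_DRY_RUN" ]; then
    printf '%s %s %s\n' "$1" "$GATEWAY_ADMIN_URL$2" "$3"
    return 0
  fi
  curl -sS -f -u "$GATEWAY_ADMIN_AUTH" -X "$1" -H 'Content-Type: application/json' \
    "$GATEWAY_ADMIN_URL$2" -d "$3"
}

# create_local_service_account NAME VCLUSTER
create_local_service_account() {
  gateway_api PUT /gateway/v2/service-account "{\"kind\":\"GatewayServiceAccount\",\"apiVersion\":\"gateway/v2\",\"metadata\":{\"name\":\"$1\",\"vCluster\":\"$2\"},\"spec\":{\"type\":\"LOCAL\"}}"
}

# issue_token NAME VCLUSTER LIFETIME_SECONDS: prints the JSON response ({"token":"..."})
issue_token() {
  gateway_api POST /gateway/v2/token "{\"vCluster\":\"$2\",\"username\":\"$1\",\"lifeTimeSeconds\":$3}"
}

# extract_token JSON: prints the value of the "token" field
extract_token() {
  printf '%s' "$1" | sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# write_plain_properties FILE USERNAME TOKEN
# The token is the password of a SASL/PLAIN login, so the file is created 0600.
write_plain_properties() {
  ( umask 077
    cat > "$1" <<EOF
bootstrap.servers=$GATEWAY_BOOTSTRAP
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="$2" password="$3";
EOF
  )
}

# Usage (against a running Gateway):
#   create_local_service_account local-app-finance-dev passthrough
#   token=$(extract_token "$(issue_token local-app-finance-dev passthrough 3600)")
#   write_plain_properties local-client.properties local-app-finance-dev "$token"
#   kafka-topics.sh --bootstrap-server "$GATEWAY_BOOTSTRAP" --command-config local-client.properties --list
```

The token is the SASL/PLAIN password, so the properties file is written under umask 077 and should be handled like any other credential; a short lifeTimeSeconds limits the damage if it leaks. With GATEWAY_DRY_RUN=1 the functions print the requests instead of sending them, which is handy for reviewing what is about to be created.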
If you list topics with it, you won't see any, because ACLs are enabled (GATEWAY_ACL_ENABLED: true): the local service account doesn't have permission to see any resources, so it's not authorized. Let's modify the ACLs so that this service account can list topics.

Changing ACLs requires a super user. For the passthrough Virtual Cluster, that's the user declared in GATEWAY_SUPER_USERS; in our example, we've called it local-acl-admin.
Repeat the steps as before, using the name local-acl-admin: create the service account, get its credentials and save them to a file, local-acl-admin.properties.
For the local-app-finance-dev service account to be able to interact with its topics, we have to give it the WRITE permission on its topic prefix, using the super user's credentials (local-acl-admin.properties). In Kafka's ACL model, WRITE implies DESCRIBE, so this grant is enough for the account to list the topics under that prefix, and nothing outside it. Then list topics again with the local-app-finance-dev service account; this time it's authorized.
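The grant described above, as an added example that is not the page's own command: it drives kafka-acls.sh with the super user's client config to bind an operation to a prefixed topic pattern, and lists what a principal holds. The Gateway port (6969), the super user's file name (local-acl-admin.properties) and the prefix "finance-" are assumptions, not values from the page.

```shell
# Added example, not from the Conduktor docs or the Gateway project.
# Grants a service account an operation on a topic prefix through Gateway using
# the super user's credentials, and lists what a principal holds.
# Assumed (not stated on the page): Gateway's Kafka listener on localhost:6969,
# the super user's client config in local-acl-admin.properties, the finance
# account's topic prefix "finance-", and kafka-acls.sh (Kafka bin/) on PATH.
# Set ACL_DRY_RUN=1 to print the command line instead of running it.

GATEWAY_BOOTSTRAP="${GATEWAY_BOOTSTRAP:-localhost:6969}"
ADMIN_PROPS="${ADMIN_PROPS:-local-acl-admin.properties}"

# run_kafka_acls ARGS...: run kafka-acls.sh, or print the command in dry-run mode
run_kafka_acls() {
  if [ -n "$ACL_DRY_RUN" ]; then printf '%s\n' "kafka-acls.sh $*"; return 0; fi
  kafka-acls.sh "$@"
}

# grant_prefixed_topic_acl ACCOUNT OPERATION PREFIX
# Gateway service accounts are bare names; Kafka ACL principals need "User:".
# A prefixed pattern keeps the grant scoped to PREFIX* instead of all topics.
grant_prefixed_topic_acl() {
  run_kafka_acls --bootstrap-server "$GATEWAY_BOOTSTRAP" --command-config "$ADMIN_PROPS" \
    --add --allow-principal "User:$1" --operation "$2" \
    --topic "$3" --resource-pattern-type prefixed
}

# list_account_acls ACCOUNT: show every ACL bound to the account's principal
list_account_acls() {
  run_kafka_acls --bootstrap-server "$GATEWAY_BOOTSTRAP" --command-config "$ADMIN_PROPS" \
    --list --principal "User:$1"
}

# Usage (against a running Gateway):
#   grant_prefixed_topic_acl local-app-finance-dev WRITE finance-
#   grant_prefixed_topic_acl local-app-finance-dev CREATE finance-   # only if auto-created topics are wanted
#   list_account_acls local-app-finance-dev
```

The same function with the CREATE operation covers the auto-create case mentioned at the end of this page; grant it only to accounts that are meant to create topics, because with auto-creation on, a typo in a producer's topic name becomes a new topic.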
An external service account is referenced by its OIDC principal (externalNames). The credentials that will be used by this application are already defined in the OIDC identity provider.

To follow these steps on your machine, you'll need an OAUTHBEARER provider connected in the config of the Docker Compose you're using; otherwise, use this section as a reference.

To create this external service account reference on Gateway, create a Gateway service account called azure-app-billing-dev that is recognized by its OIDC principal ("externalNames" : [ "TO_FILL" ]), replacing TO_FILL with the principal value issued by your identity provider. Gateway then knows the azure-app-billing-dev service account: connections presenting a token whose principal matches one of its externalNames are treated as the azure-app-billing-dev service account.
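The external account creation above, as an added example that is not the page's own command. It assumes the same admin API as the local example (http://localhost:8888, basic auth admin:conduktor, PUT /gateway/v2/service-account with the v2 body); the guard against the TO_FILL placeholder is this example's own addition.

```shell
# Added example, not from the Conduktor docs or the Gateway project.
# Declares an EXTERNAL service account: Gateway stores only the mapping from the
# OIDC principal(s) in externalNames to the account name; the credentials stay
# in the identity provider. Assumed admin API as in the local example
# (http://localhost:8888, basic auth admin:conduktor, PUT /gateway/v2/service-account).
# Set GATEWAY_DRY_RUN=1 to print the request instead of sending it.

GATEWAY_ADMIN_URL="${GATEWAY_ADMIN_URL:-http://localhost:8888}"
GATEWAY_ADMIN_AUTH="${GATEWAY_ADMIN_AUTH:-admin:conduktor}"

# gateway_put PATH JSON: PUT to the admin API, or print the call in dry-run mode
gateway_put() {
  if [ -n "$GATEWAY_DRY_RUN" ]; then printf 'PUT %s %s\n' "$GATEWAY_ADMIN_URL$1" "$2"; return 0; fi
  curl -sS -f -u "$GATEWAY_ADMIN_AUTH" -X PUT -H 'Content-Type: application/json' "$GATEWAY_ADMIN_URL$1" -d "$2"
}

# create_external_service_account NAME VCLUSTER EXTERNAL_NAME
# Refuses the page's TO_FILL placeholder and empty values: an account mapped to
# a principal nobody presents is useless, and a wrong principal binds someone
# else's identity to this account's ACLs.
create_external_service_account() {
  case "$3" in
    ''|TO_FILL)
      echo "create_external_service_account: replace TO_FILL with the OIDC principal Gateway extracts from the token" >&2
      return 2 ;;
  esac
  gateway_put /gateway/v2/service-account "{\"kind\":\"GatewayServiceAccount\",\"apiVersion\":\"gateway/v2\",\"metadata\":{\"name\":\"$1\",\"vCluster\":\"$2\"},\"spec\":{\"type\":\"EXTERNAL\",\"externalNames\":[\"$3\"]}}"
}

# Usage: create_external_service_account azure-app-billing-dev passthrough "<principal from your IdP>"
```

No token is issued for an external account: the client authenticates to the identity provider and Gateway only matches the principal in the presented token against externalNames.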
Here’s the type of properties file you may use to connect to Gateway using OAUTHBEARER:
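As an added example (not the page's own file), here is a client properties file for an external account authenticating with OAUTHBEARER against Gateway via the client-credentials grant. The token endpoint, client id, secret and scope are placeholders for your identity provider's values (the Azure Entra ID endpoint shape is used because the account is named azure-app-billing-dev), the Gateway port 6969 is assumed, and the callback handler class name assumes a Kafka client 3.4 or newer.

```properties
# Added example client config for an EXTERNAL service account: the client gets
# a token from the identity provider and presents it to Gateway with
# SASL/OAUTHBEARER. Placeholders in <> are yours to fill.
bootstrap.servers=localhost:6969
# Local lab only: with SASL_PLAINTEXT the bearer token crosses the wire in the
# clear. Use SASL_SSL (plus ssl.truststore.*) anywhere else.
security.protocol=SASL_PLAINTEXT
sasl.mechanism=OAUTHBEARER
# Kafka client 3.4+; older clients use the ...oauthbearer.secured.OAuthBearerLoginCallbackHandler name
sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler
# Azure Entra ID token endpoint; other OIDC providers have their own URL
sasl.oauthbearer.token.endpoint.url=https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
# clientId/clientSecret are the application's IdP credentials, not a Gateway token;
# keep this file 0600 for the same reason as the local one.
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required clientId="<client-id>" clientSecret="<client-secret>" scope="<scope>";
```

Whatever claim Gateway is configured to read as the principal from this token (client id, sub, or another claim, depending on your Gateway OAUTHBEARER configuration) is the value that must appear in the account's externalNames.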
Listing topics with this account won't show anything either, because ACLs are enabled (GATEWAY_ACL_ENABLED: true): the external service account doesn't have permission to see any resources, so it's not authorized. The next step is to give it some ACLs so it can list topics. Repeat the ACL steps from the local section with the super user, this time granting the permissions to the azure-app-billing-dev service account (instead of local-app-finance-dev).

Everything so far used the passthrough Virtual Cluster. If you are using your own Virtual Clusters, you need to make a few changes. First, let's see how to create a Virtual Cluster with ACLs enabled and a super user declared. Then, we'll see how to create the super user credentials, in order to give permissions to the application's service account.
Let's create a Virtual Cluster called my-vcluster that will have ACLs enabled and a super user named local-acl-admin. Once my-vcluster exists, create the local service account for the super user in that Virtual Cluster, then create local-acl-admin.properties using the credentials you've just generated.
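The Virtual Cluster creation above, as an added example that is not the page's own command. It assumes PUT /gateway/v2/virtual-cluster with spec fields aclEnabled and superUsers, and the same admin API as the earlier examples (http://localhost:8888, basic auth admin:conduktor); verify the field names against your Gateway version's API reference. The refusal to create an ACL-enabled cluster with no super user is this example's own check.

```shell
# Added example, not from the Conduktor docs or the Gateway project.
# Creates a Virtual Cluster with ACLs enabled and declared super users, the
# per-cluster equivalent of GATEWAY_ACL_ENABLED / GATEWAY_SUPER_USERS.
# Assumed (verify against your Gateway version's API reference):
#   PUT /gateway/v2/virtual-cluster with spec.aclEnabled and spec.superUsers,
#   admin API at http://localhost:8888 with basic auth admin:conduktor.
# Set GATEWAY_DRY_RUN=1 to print the request instead of sending it.

GATEWAY_ADMIN_URL="${GATEWAY_ADMIN_URL:-http://localhost:8888}"
GATEWAY_ADMIN_AUTH="${GATEWAY_ADMIN_AUTH:-admin:conduktor}"

# gateway_put PATH JSON: PUT to the admin API, or print the call in dry-run mode
gateway_put() {
  if [ -n "$GATEWAY_DRY_RUN" ]; then printf 'PUT %s %s\n' "$GATEWAY_ADMIN_URL$1" "$2"; return 0; fi
  curl -sS -f -u "$GATEWAY_ADMIN_AUTH" -X PUT -H 'Content-Type: application/json' "$GATEWAY_ADMIN_URL$1" -d "$2"
}

# create_acl_vcluster NAME SUPER_USER [SUPER_USER...]
# Refuses an ACL-enabled cluster with no super user: with nobody allowed to
# manage ACLs, every service account in it would stay locked out.
create_acl_vcluster() {
  name="$1"; shift
  if [ $# -eq 0 ]; then
    echo "create_acl_vcluster: an ACL-enabled Virtual Cluster needs at least one super user" >&2
    return 2
  fi
  users=""
  for u in "$@"; do users="$users${users:+,}\"$u\""; done
  gateway_put /gateway/v2/virtual-cluster "{\"kind\":\"VirtualCluster\",\"apiVersion\":\"gateway/v2\",\"metadata\":{\"name\":\"$name\"},\"spec\":{\"aclEnabled\":true,\"superUsers\":[$users]}}"
}

# Usage: create_acl_vcluster my-vcluster local-acl-admin
# Then create the super user's local service account and token with vCluster
# set to my-vcluster, exactly as done for passthrough.
```

Super users bypass ACL checks inside the cluster, so keep the list short and treat their tokens like cluster-admin credentials.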
When GATEWAY_AUTO_CREATE_TOPICS_ENABLED is set to true, users require specific ACL permissions to automatically create topics when producing or consuming through Gateway; in Kafka's ACL model, that is the CREATE operation on the topic (or on the cluster). If you don't want topics to appear implicitly, disable the feature (GATEWAY_AUTO_CREATE_TOPICS_ENABLED=false).