Manage a local service account
In this tutorial, you’ll learn how to manage service accounts on Gateway. We’ll cover the how to create both local and external service accounts and how to assign ACLs to them. In our scenario:- The SASL_PLAINTEXT security protocol is used for communication between Clients > Gateway > Kafka
- The ACLs are enabled on the passthrough Virtual Cluster (
GATEWAY_ACL_ENABLED: true
) - The ACLs super-user is called
GATEWAY_SUPER_USERS: local-acl-admin
- The Gateway API admin credentials are the defaults
For local deployments, the Gateway API documentation is available at
http://localhost:8888
. In this guide, we’ll use the service-account
and the token
endpoints.service-account
section of the Gateway API documentation, you’ll notice that to create a service account on Gateway, you have to chose between a local
or external
service account.
A local
service account is managed by Gateway itself, while an external
service account is managed by an external OIDC identity provider.
Find out more about Gateway authentication and authorization.
Prerequisites
1. Start the local deployment
Here’s thedocker-compose
file to start a local Gateway with the above configuration.
2. Export Java security manager config (optional)
Depending on your version of Java, you may have to run the below command in your shell session. Newer versions of Java don’t support security manager and current versions of Kafka CLI commands will fail without this being set. If you get errors when running the later commands with authentication, run this command:Create a few topics on Kafka
Let’s create a few topics in Kafka by running the following command:3. Create a local service account
A local service account is managed by Gateway itself. This means that we have to ask Gateway to create it for us by giving it a name. The first step is to create a reference to this new service account. In our case, we’ll call this service accountlocal-app-finance-dev
and we want it to exist in the passthrough Virtual Cluster:
Create the service account
Get the secret key
token
field containing the secret key.
Response
local-app-finance-dev
service account and its secret key.
4. Connect to Gateway
Create a properties filelocal-client.properties
with the credentials we’ve just generated to connect to Gateway:
local-client.properties
List topics
GATEWAY_ACL_ENABLED: true
). It means that my local service account doesn’t have the right permissions to see any resources, it’s not authorized.
Let’s modify the ACLs, so that this service account can list topics.
5. Create an ACL admin
To modify the ACLs, we recommend that you define a dedicated ACL admin service account. This is a privileged service account and has to be defined in the Gateway configuration using the environment variableGATEWAY_SUPER_USERS
in the case of the passthrough Virtual Cluster.
In our example, we’ve called it local-acl-admin
.
Repeat the steps as before, using the name local-acl-admin
. Create the service account, get its credentials and save them to file.
local-acl-admin.properties
.
local-acl-admin.properties
6. Create ACLs for other local service accounts
Use the ACL admin service account to create ACLs for other local service accounts. In order for thelocal-app-finance-dev
service account to be able to interact with its topics, we have to give it the WRITE
permission on its prefix. Run the following command to do so:
Give ACLs to local-app-finance-dev
Response
local-app-finance-dev
service account:
List topics as local-app-finance-dev
Response
Manage an external service account
An external service account is managed by an external OIDC identity provider. This means we only have to make Gateway aware of this external service account by giving it its OIDC principal (this is theexternalNames
). The credentials that will be used by this application are already defined in the OIDC identity provider.
To follow these steps on your machine, you’ll need to have an OAUTHBEARER provider connected in the config of the Docker Compose you’re using, otherwise use it as a reference.
To create this external service account reference on Gateway, you can run the following command to create a Gateway service account called azure-app-billing-dev
which is recognized by it’s OIDC principal ("externalNames" : [ "TO_FILL" ]
):
Create the service account
azure-app-billing-dev
.
When configuring Interceptor scopes for external service accounts, always use the internal name (
azure-app-billing-dev
in this case), not the external name. The external name is only used for mapping external identities to Gateway service accounts.1. Connect to Gateway
You can now connect to Gateway using theazure-app-billing-dev
service account.
Here’s the type of properties file you may use to connect to Gateway using OAUTHBEARER:
external-client.properties
List topics
GATEWAY_ACL_ENABLED: true
). It means that my local service account doesn’t have the right permissions to see any resources, it’s not authorized. The next step is then to give it some ACLs so it can list topics.
2. Create ACLs for an external service account
The steps here are exactly the same as the ones for the local service account. Follow those instructions but use theazure-app-billing-dev
service account (instead of local-app-finance-dev).
Give ACLs to azure-app-billing-dev
Differences if using Virtual Clusters
The example above is using a defaultpassthrough
Virtual Cluster. If you are using your own Virtual Clusters, you need to make a few changes.
First, let’s see how to create a Virtual Cluster with the ACLs enabled, and a super user declared. Then, we’ll see how to create the super user credentials, in order to give permissions to the applications service account.
3. Create the Virtual Cluster with an ACL admin
The below creates a Virtual Cluster calledmy-vcluster
that will have ACLs enabled and a super user named local-acl-admin
.
Create a Virtual Cluster with ACLs Enabled
4. Creating a service account in a Virtual Cluster
Now that the Virtual Clustermy-vcluster
exists, create the local service account for the super user:
Create the Service Account
Get the secret key
local-acl-admin.properties
using the credentials you’ve just generated.
Auto-create topic authorization
WhenGATEWAY_AUTO_CREATE_TOPICS_ENABLED
is set to true
, users require specific ACL permissions to automatically create topics when producing or consuming through Gateway.
Required permissions
You have to have one of the following ACL permissions to create topics automatically:- CLUSTER resource with CREATE operation - allows creating any topic
- TOPIC resource with CREATE operation - allows creating specific topics
Example ACLs for auto-create topics
Allow creating any topic (CLUSTER level)
Allow creating any topic
Allow creating specific topics (TOPIC level)
Allow creating specific topics
When auto-create topics is enabled, concentrated topics are not supported. Topics that would normally be concentrated will be created as physical topics instead.Auto-create topics is disabled by default (
GATEWAY_AUTO_CREATE_TOPICS_ENABLED=false
).