Updated on 2023-08-29 GMT+08:00

Configuring Topic Permissions

DMS for Kafka supports ACL permission management for topics. You can differentiate the operations that different users are allowed to perform on a topic by granting the users different permissions.

This section describes how to grant topic permissions to a SASL_SSL user. For details about how to create a SASL_SSL user, see Creating a SASL_SSL User.

Constraints

  • If no SASL_SSL user is granted any permission for a topic, all users can subscribe to or publish messages to the topic.
  • If one or more SASL_SSL users are granted permissions for a topic, only the authorized users can subscribe to or publish messages to the topic.
  • If both the default and individual user permissions are configured for a topic, the union of the permissions is used.

Prerequisites

  • SASL_SSL has been enabled when you create the Kafka instance.
  • (Optional) A SASL_SSL user has been created. For details, see Creating a SASL_SSL User.

Configuring Topic Permissions

  1. Log in to the management console.
  2. Click in the upper left corner to select a region.

    Select the region where your Kafka instance is located.

  3. Click and choose Application > Distributed Message Service for Kafka to open the console of DMS for Kafka.
  4. Click the desired Kafka instance to view the instance details.
  5. In the navigation pane, choose the Topics tab.
  6. In the row that contains the topic for which you want to configure user permissions, click Grant User Permission.

    In the upper part of the Grant User Permission dialog box, the topic information is displayed, including the topic name, number of partitions, aging time, number of replicas, and whether synchronous flushing and replication are enabled. You can enable Default permissions to grant the same permissions for all users. You can use the search box to search for a user if there are many SASL_SSL users. In the Users area, the list of created SASL_SSL users is displayed. In the Selected area, you can grant permissions to the selected SASL_SSL users.

  7. Grant topic permissions to users.

    • To grant the same permissions to all users, select Default permissions and then select permissions. As shown in the following figure, all users have the permission to publish messages to this topic.
      Figure 1 Granting the same permissions to all users
    • To grant different permissions to different users, do not select Default permissions. In the Users area of the Grant User Permission dialog box, select target users. In the Selected area, configure permissions (Subscribe, Publish, or Publish/Subscribe) for the users. As shown in the following figure, only the test, send, and receive users can subscribe to or publish messages to this topic. The send_receive user cannot subscribe to or publish messages to this topic.
      Figure 2 Granting permissions to individual users

    If both the default and individual user permissions are configured for a topic, the union of the permissions is used. As shown in the following figure, the test and receive users can subscribe to and publish messages to this topic, while the send user can only publish messages to the topic.

    Figure 3 Granting topic permissions to users

  8. Click OK.

    On the Topics tab page, click next to the topic name to view the authorized users and their permissions.

    Figure 4 Viewing authorized users and their permissions

(Optional) Deleting Topic Permissions

  1. Log in to the management console.
  2. Click in the upper left corner to select a region.

    Select the region where your Kafka instance is located.

  3. Click and choose Application > Distributed Message Service for Kafka to open the console of DMS for Kafka.
  4. Click the desired Kafka instance to view the instance details.
  5. In the navigation pane, choose the Topics tab.
  6. In the row that contains the topic for which you want to remove user permissions, click Grant User Permission.
  7. In the Selected area of the displayed Grant User Permission dialog box, locate the row that contains the SASL_SSL user whose permissions are to be removed, click Delete, and click OK.