Configuring Kafka Topic Permissions
Kafka instances with ciphertext access enabled support access control lists (ACLs) for topics. You can differentiate users by granting them different permissions on a topic.
This section describes how to grant topic permissions to users after ciphertext access is enabled for a Kafka instance.
Notes and Constraints
- If the allow.everyone.if.no.acl.found parameter is set to true and no user has been granted permissions for a topic, all users can subscribe to or publish messages to the topic. If permissions for a topic have been granted to one or more users, only these users can subscribe to or publish messages to the topic. The value of allow.everyone.if.no.acl.found can be modified.
- If allow.everyone.if.no.acl.found is set to false, only the initial user (set when ciphertext access is enabled for the first time) and other authorized users have the permission to subscribe to or publish messages to topics. The value of allow.everyone.if.no.acl.found can be modified.
- If both the default and individual user permissions are configured for a topic, the union of the permissions is used.
- Unavailable for single-node instances.
- Setting topic permissions in batches overwrites the previous permission settings.
- Permissions may be temporarily invalid while they are being configured, and the client may report the error "AuthorizationException". In this case, configure a retry mechanism on the client. For details, see Suggestions on Using the Kafka Client.
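The rules in these notes interact, so the following added example (not the service's own code) models them: it computes a user's effective permissions on a topic and lists the topics that every user can reach. The function names, the initial user `admin`, the per-user grants in the sample data, and leaving users not named in a batch untouched are assumptions.

```python
# Added model of the rules in the notes; names are hypothetical, data is constructed.
from dataclasses import dataclass, field

PUB, SUB = "publish", "subscribe"
ALL = frozenset({PUB, SUB})
NONE = frozenset()

@dataclass
class TopicAcl:
    default: frozenset = NONE                   # "Default permissions": applies to all users
    users: dict = field(default_factory=dict)   # username -> frozenset of permissions

def effective(acl, user, allow_everyone, initial_user):
    """Permissions `user` holds on one topic under the rules in the notes."""
    if not allow_everyone and user == initial_user:
        return ALL                              # false: the initial user keeps access
    if not acl.default and not acl.users:       # nothing granted on this topic
        return ALL if allow_everyone else NONE
    return acl.default | acl.users.get(user, NONE)   # union of default and individual

def batch_set(acls, topics, grants):
    """Batch grant: each named user's entry is replaced, never merged (others untouched: assumption)."""
    for topic in topics:
        acls.setdefault(topic, TopicAcl()).users.update(grants)

def open_topics(acls, allow_everyone):
    """Topics on which every SASL user can publish or subscribe, and why."""
    findings = {}
    for topic, acl in sorted(acls.items()):
        if acl.default:
            findings[topic] = "default:" + "+".join(sorted(acl.default))
        elif not acl.users and allow_everyone:
            findings[topic] = "no-acl-fallback"
    return findings

# Constructed sample state, using the usernames that appear in the figures on this page.
ACLS = {
    "topic01": TopicAcl(users={"test": ALL, "send": frozenset({PUB}), "receive": frozenset({SUB})}),
    "topic02": TopicAcl(default=frozenset({PUB}), users={"test": ALL, "receive": ALL}),
    "topic03": TopicAcl(),   # nothing granted yet
}

if __name__ == "__main__":
    for user in ("test", "send_receive"):
        for topic, acl in ACLS.items():
            print(user, topic, sorted(effective(acl, user, True, "admin")))
    print(open_topics(ACLS, allow_everyone=True))
```

Running `open_topics` with the flag set both ways shows which topics would close if allow.everyone.if.no.acl.found were changed to false and which stay open because of a default grant.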
Prerequisites
- Ciphertext access has been enabled for the Kafka instance.
- A user has been created.
Viewing Permissions of a Topic
- Log in to the Kafka console.
- In the upper left corner, select the region where your instance is located.
- Click the desired Kafka instance to go to the instance details page.
- In the navigation pane, choose Instance > Topics.
- Click a topic name to go to the topic details page.
- Choose User Permissions.
- View all authorized users of the topic and their permissions.
Figure 1 User permissions of a topic
Table 1 User permissions

| Parameter | Description |
| --- | --- |
| Username | Users who have the publish or subscribe permissions |
| Permission | Permissions of the user. |
Set Topic Permissions
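On the console, the publish and subscribe permissions can be granted to a SASL user. The permissions can be granted for a single topic or for multiple topics at a time. The first procedure below covers a single topic; the second covers multiple topics in a batch.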
- Log in to the Kafka console.
- In the upper left corner, select the region where your instance is located.
- Click the desired Kafka instance to view the instance details.
- In the navigation pane, choose Instance > Topics.
- Go to the user permission page in either of the following ways:
  - In the row containing the desired topic, click Grant User Permission.
  - Click the desired topic name to go to the topic details page. Click Configure Permission in the upper right corner.
  - Click the desired topic name to go to the topic details page. Choose the User Permissions tab. Click Configure Permission.
- Grant topic permissions to users.
  - To grant the same permissions to all users, select Default permissions and then select permissions. As shown in the following figure, all users have the permission to publish messages to this topic.
    Figure 2 Granting the same permissions to all users
  - To grant different permissions to different users, do not select Default permissions. In the Users area of the Grant User Permission dialog box, select target users. If there are many users, enter the username in the search box for a quick search. In the Topic Permissions area, configure permissions (Subscribe, Publish, or Publish/Subscribe) for the users. As shown in the following figure, only the test, send, and receive users can subscribe to or publish messages to this topic. The send_receive user cannot subscribe to or publish messages to this topic.
    Figure 3 Granting permissions to individual users
  If both the default and individual user permissions are configured for a topic, the union of the permissions is used. As shown in the following figure, the test and receive users can subscribe to and publish messages to this topic, while other users can only publish messages to this topic.
  Figure 4 Granting topic permissions to users
- At the bottom of the User Permissions dialog box, click Auto Enter. The system will automatically enter MODIFY in the text box. Click OK.
Figure 5 Confirming the permission settings
- Verify whether the permissions are correct.
  - Click the desired topic name to go to the topic details page.
  - Choose the User Permissions tab.
  - View the configured user permissions.
Figure 6 Viewing authorized users and their permissions
- Log in to the Kafka console.
- In the upper left corner, select the region where your instance is located.
- Click the desired Kafka instance to view the instance details.
- In the navigation pane, choose Instance > Topics.
- Select the topics to be configured with user permissions and click Grant User Permission.
- Set topic permissions in batches.
  The permissions already set for a user are not displayed. Setting permissions in batches overwrites the previous permission settings. For example, user test already has the Publish/Subscribe permission on Topic01. When the Publish permission is set for the user in a batch permission setting, the user only has the Publish permission on Topic01.
  - To grant the same permissions to all users, select Default permissions and then select permissions. As shown in the following figure, all users have the permission to publish messages to topic01 and 02.
    Figure 7 Granting the same permissions to all users
  - To grant different permissions to different users, do not select Default permissions. In the Users area of the Grant User Permission dialog box, select target users. If there are many users, enter the username in the search box for a quick search. In the Topic Permissions area, configure permissions (Subscribe, Publish, or Publish/Subscribe) for the users. As shown in the following figure, only the test, send, and receive users can subscribe to or publish messages to topic01 and 02. The send_receive user cannot subscribe to or publish messages to these topics.
    Figure 8 Granting permissions to multiple users
  If both the default and individual user permissions are configured for a topic, the union of the permissions is used. As shown in the following figure, the test and receive users can subscribe to and publish messages to topic01 and 02, while other users can only publish messages to them.
  Figure 9 Granting topic permissions to users
- At the bottom of the Set Permissions dialog box, click Auto Enter. The system will automatically enter MODIFY in the text box. Click OK.
- Verify whether the permissions are correct.
  - Click the desired topic name to go to the topic details page.
  - Choose the User Permissions tab.
  - View the configured user permissions.
Figure 10 Viewing authorized users and their permissions
Deleting Permissions for a Topic
- Log in to the Kafka console.
- In the upper left corner, select the region where your instance is located.
- Click the desired Kafka instance to view the instance details.
- In the navigation pane, choose Instance > Topics.
- Go to the user permission page in either of the following ways:
  - In the row containing the desired topic, click Grant User Permission.
  - Click the name of the topic to go to the topic details page. Click Configure Permission in the upper right corner.
  - Click the name of the topic to go to the topic details page. Choose the User Permissions tab. Click Configure Permission.
- In the Topic Permissions area, in the row containing the user, click Delete.
- At the bottom of the User Permissions dialog box, click Auto Enter. The system will automatically enter MODIFY in the text box. Then, click OK.
- Verify whether the permissions have been deleted.
  - Click the name of the topic to go to the topic details page.
  - Choose the User Permissions tab.
  - The user's permissions have been deleted if the user is no longer displayed in User Permissions.
Related Document
To set topic permissions by calling an API, see Granting User Permissions.