| 1 | +# Permissions |
| 2 | + |
| 3 | +When running against a secure Kafka cluster, kafka-gitops needs to be authorized to perform actions against the cluster. This can be either a super user defined by the Kafka cluster or a custom user with specific permissions. |
| 4 | + |
| 5 | +## Example |
| 6 | + |
| 7 | +For the purposes of this example, we'll assume we have a user principal named `gitops-user`. |
| 8 | + |
| 9 | +Full usage of kafka-gitops means you are managing topics, services, ACLs, and users. If you plan to make use of our ACL management features, the `gitops-user` principal must have the ability to create and manage ACLs. |
| 10 | + |
| 11 | +If you do not want to use a super user, you can create a `gitops-user` principal and a current super user can make them an *ACL Administrator*. An ACL administrator has the `ALTER --cluster` access control entry. This entry allows the user to create and delete ACLs for the given cluster. |
| 12 | + |
| 13 | +!> **Caution**: An ACL administrator can then create ACLs for any other principal, including themselves. |
| 14 | + |
| 15 | +### Manually Add ACLs |
| 16 | +Add the alter cluster ACL to the `gitops-user` principal: |
| 17 | + |
| 18 | +```bash |
| 19 | +kafka-acls --bootstrap-server localhost:9092 --command-config admin.properties \ |
| 20 | +--add --allow-principal User:gitops-user \ |
| 21 | +--operation ALTER --cluster |
| 22 | +``` |
| 23 | + |
| 24 | +Add the ACLs needed to manage topics to the `gitops-user` principal: |
| 25 | + |
| 26 | +```bash |
| 27 | +kafka-acls --bootstrap-server localhost:9092 --command-config admin.properties --add \ |
| 28 | +--allow-principal User:gitops-user --operation Create --operation Delete \ |
| 29 | +--operation DescribeConfigs --operation AlterConfigs --operation Alter \ |
| 30 | +--operation Describe --topic '*' |
| 31 | +``` |
| 32 | + |
| 33 | +The above configs allow the `gitops-user` to manage ACLs, topics, and topic configurations. |
| 34 | + |
| 35 | +### State File Definition |
| 36 | +You can also create the ACLs using kafka-gitops. Run it once with super admin credentials using the state file below, and then switch to using your `gitops-user` credentials. |
| 37 | + |
| 38 | +```yaml |
| 39 | +users: |
| 40 | + gitops-user: |
| 41 | + principal: User:gitops-user |
| 42 | + |
| 43 | +customUserAcls: |
| 44 | + gitops-user: |
| 45 | + alter-cluster: |
| 46 | + name: kafka-cluster |
| 47 | + type: CLUSTER |
| 48 | + pattern: LITERAL |
| 49 | + host: "*" |
| 50 | + operation: ALTER |
| 51 | + permission: ALLOW |
| 52 | + create-topics: |
| 53 | + name: "*" |
| 54 | + type: TOPIC |
| 55 | + pattern: LITERAL |
| 56 | + host: "*" |
| 57 | + operation: CREATE |
| 58 | + permission: ALLOW |
| 59 | + alter-topics: |
| 60 | + name: "*" |
| 61 | + type: TOPIC |
| 62 | + pattern: LITERAL |
| 63 | + host: "*" |
| 64 | + operation: ALTER |
| 65 | + permission: ALLOW |
| 66 | + describe-topics: |
| 67 | + name: "*" |
| 68 | + type: TOPIC |
| 69 | + pattern: LITERAL |
| 70 | + host: "*" |
| 71 | + operation: DESCRIBE |
| 72 | + permission: ALLOW |
| 73 | + delete-topics: |
| 74 | + name: "*" |
| 75 | + type: TOPIC |
| 76 | + pattern: LITERAL |
| 77 | + host: "*" |
| 78 | + operation: DELETE |
| 79 | + permission: ALLOW |
| 80 | + describe-topic-configs: |
| 81 | + name: "*" |
| 82 | + type: TOPIC |
| 83 | + pattern: LITERAL |
| 84 | + host: "*" |
| 85 | + operation: DESCRIBE_CONFIGS |
| 86 | + permission: ALLOW |
| 87 | + alter-topic-configs: |
| 88 | + name: "*" |
| 89 | + type: TOPIC |
| 90 | + pattern: LITERAL |
| 91 | + host: "*" |
| 92 | + operation: ALTER_CONFIGS |
| 93 | + permission: ALLOW |
| 94 | +``` |
| 95 | +
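Review bot: the "State File Definition" section tells the reader to run kafka-gitops once with super admin credentials against a state file that declares only `users` and `customUserAcls`; if the tool plans deletions for topics or ACLs that are absent from the state file, that run would remove every existing topic and ACL on the cluster, so either confirm in the text that this run is additive or tell the reader to inspect the plan output (and use whatever option the tool offers to disable deletes) before applying. The `!> Caution` box would also benefit from a concrete recommendation: because a holder of `ALTER --cluster` can grant any ACL to any principal, including themselves, the `gitops-user` credentials need the same protection as super-user credentials, and the ACL changes it applies should be reviewed through the Git workflow rather than applied ad hoc. Minor style point: `### Manually Add ACLs` and `### State File Definition` run straight into the next paragraph with no blank line, while the other headings in the file are followed by one.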