
Cruise Control user permissions on a secured Kafka Cluster


Hi! I have both a TLS SASL/SCRAM secured Kafka cluster and a TLS SASL/DIGEST secured Zookeeper ensemble. Additionally, Kafka is configured with zookeeper.set.acl=true, so all znodes created by the cluster are protected.

So, in order to execute optimizations and rebalances with Cruise Control:

  • Must the Cruise Control Kafka user be a super user? If not, which ACLs should the Cruise Control Kafka user have?
  • Must the Cruise Control Zookeeper user have write permission on znodes created by the Kafka cluster?

Thanks!

Issue Analytics

  • State: closed
  • Created: 3 years ago
  • Comments: 5

Top GitHub Comments

2 reactions
marcojck commented, Apr 9, 2021

Thanks a lot @Ubun1 !!! This is exactly what I need to know!!!

1 reaction
Ubun1 commented, Apr 8, 2021

@marcojck my current ACL list for the CC user - cruisecontrol

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=*, patternType=LITERAL)`:
	(principal=User:cruisecontrol, host=*, operation=DESCRIBE, permissionType=ALLOW)
	(principal=User:cruisecontrol, host=*, operation=DESCRIBE_CONFIGS, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=__CruiseControlMetrics, patternType=LITERAL)`:
	(principal=User:cruisecontrol, host=*, operation=READ, permissionType=ALLOW)
	(principal=User:cruisecontrol, host=*, operation=WRITE, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=cruisecontrol., patternType=PREFIXED)`:
	(principal=User:cruisecontrol, host=*, operation=READ, permissionType=ALLOW)
	(principal=User:cruisecontrol, host=*, operation=DESCRIBE, permissionType=ALLOW)
	(principal=User:cruisecontrol, host=*, operation=DELETE, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=CLUSTER, name=kafka-cluster, patternType=LITERAL)`:
	(principal=User:cruisecontrol, host=*, operation=ALTER, permissionType=ALLOW)
	(principal=User:cruisecontrol, host=*, operation=IDEMPOTENT_WRITE, permissionType=ALLOW)
	(principal=User:cruisecontrol, host=*, operation=DESCRIBE, permissionType=ALLOW)
	(principal=User:cruisecontrol, host=*, operation=DESCRIBE_CONFIGS, permissionType=ALLOW)
	(principal=User:cruisecontrol, host=*, operation=CREATE, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=__KafkaCruiseControlPartitionMetricSamples, patternType=LITERAL)`:
	(principal=User:cruisecontrol, host=*, operation=WRITE, permissionType=ALLOW)
	(principal=User:cruisecontrol, host=*, operation=DESCRIBE, permissionType=ALLOW)
	(principal=User:cruisecontrol, host=*, operation=READ, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=__KafkaCruiseControlModelTrainingSamples, patternType=LITERAL)`:
	(principal=User:cruisecontrol, host=*, operation=WRITE, permissionType=ALLOW)
	(principal=User:cruisecontrol, host=*, operation=READ, permissionType=ALLOW)
	(principal=User:cruisecontrol, host=*, operation=DESCRIBE, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=cruisecontrol., patternType=PREFIXED)`:
	(principal=User:cruisecontrol, host=*, operation=WRITE, permissionType=ALLOW)
	(principal=User:cruisecontrol, host=*, operation=DESCRIBE, permissionType=ALLOW)
	(principal=User:cruisecontrol, host=*, operation=DELETE, permissionType=ALLOW)
	(principal=User:cruisecontrol, host=*, operation=DESCRIBE_CONFIGS, permissionType=ALLOW)
	(principal=User:cruisecontrol, host=*, operation=READ, permissionType=ALLOW)
	(principal=User:cruisecontrol, host=*, operation=CREATE, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=TRANSACTIONAL_ID, name=cruisecontrol., patternType=PREFIXED)`:
	(principal=User:cruisecontrol, host=*, operation=WRITE, permissionType=ALLOW)
	(principal=User:cruisecontrol, host=*, operation=DESCRIBE, permissionType=ALLOW)

With these ACLs I'm able to write metrics from the metrics exporter on the brokers, read them on Cruise Control and execute rebalances and other administrative actions from the CC UI.
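As an added check (not code from the issue, from Ubun1 or from the Cruise Control project), the following Python parses output in the shape of the `kafka-acls.sh --list` listing above and diffs one principal's grants against a baseline; the sample listing and the baseline are constructed assumptions taken from the comment's ACL set, so an auditor can spot a principal that has drifted from the posted least-privilege policy.

```python
import re
from collections import defaultdict

# Constructed sample in the format the listing above uses: a subset of the posted
# ACLs plus one deliberately over-broad WRITE and one DENY entry (not a live dump).
SAMPLE_LISTING = """\
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=*, patternType=LITERAL)`:
    (principal=User:cruisecontrol, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:cruisecontrol, host=*, operation=WRITE, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=CLUSTER, name=kafka-cluster, patternType=LITERAL)`:
    (principal=User:cruisecontrol, host=*, operation=ALTER, permissionType=ALLOW)
    (principal=User:cruisecontrol, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:cruisecontrol, host=*, operation=DELETE, permissionType=DENY)
"""

RESOURCE_RE = re.compile(r"ResourcePattern\(resourceType=(\w+), name=([^,]+), patternType=(\w+)\)")
ENTRY_RE = re.compile(r"\(principal=([^,]+), host=([^,]+), operation=(\w+), permissionType=(\w+)\)")

def parse_acls(listing):
    """Map (principal, resourceType, name, patternType) -> set of ALLOWed operations."""
    grants = defaultdict(set)
    resource = None
    for line in listing.splitlines():
        m = RESOURCE_RE.search(line)
        if m:
            resource = m.groups()          # a resource header opens a new block
            continue
        m = ENTRY_RE.search(line)
        if m and resource and m.group(4) == "ALLOW":   # DENY entries are not grants
            grants[(m.group(1),) + resource].add(m.group(3))
    return dict(grants)

# Baseline (assumption): the operations the comment above grants User:cruisecontrol
# on these two resources, treated here as the intended least-privilege policy.
BASELINE = {
    ("TOPIC", "*", "LITERAL"): {"DESCRIBE", "DESCRIBE_CONFIGS"},
    ("CLUSTER", "kafka-cluster", "LITERAL"):
        {"ALTER", "IDEMPOTENT_WRITE", "DESCRIBE", "DESCRIBE_CONFIGS", "CREATE"},
}

def audit(grants, principal, baseline=BASELINE):
    """Return (missing, excess): baseline ops not granted, and granted ops outside it."""
    missing, excess = [], []
    for resource, wanted in baseline.items():
        have = grants.get((principal,) + resource, set())
        missing += sorted((resource, op) for op in wanted - have)
        excess += sorted((resource, op) for op in have - wanted)
    for key, have in grants.items():       # grants on resources the baseline never mentions
        if key[0] == principal and key[1:] not in baseline:
            excess += sorted((key[1:], op) for op in have)
    return missing, excess
```

Run `audit(parse_acls(SAMPLE_LISTING), "User:cruisecontrol")` to see the over-broad WRITE on the wildcard topic reported as excess and the missing cluster operations listed for follow-up.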

