The rights to manage or view ACLs can be configured flexibly: from basic rights that cover all ACLs to resource-specific rights with specifications on the naming scheme.
The latter allows teams to independently manage resources within their working context.
In combination with the topic rights, which also allow naming specifications (e.g. via prefix or postfix), a team "Marketing" can thus be enabled to manage all marketing topics, associated topic-, transactionalId- and consumer group ACLs on its own.
Scope of rights
A variety of rights are available for fine-grained control of actions for ACLs:
- Read
- Write
- Delete
- Full access (all above)
Rights for these actions can be assigned per connection and per resource type (e.g. ACLs for topics or ACLs for consumer groups). In addition, a naming convention can be enforced for the resource name of the ACL: in the case of a topic ACL, the name of one topic or, if the asterisk is used, a pattern covering several topics can be specified for which the ACL may be created.
The following resource types can be optionally specified:
- cluster
- group
- topic
- transactional_id
Allow full access
To use the Rights Builder to grant access to manage and view all ACL resources, select 'AclAccessAll' in the action dropdown and choose 'all' for the resource name.
To configure the right in the JSON view, use the following code:
{
  "action": "AclAccessAll",
  "effect": "Allow",
  "resource": "*:*"
}
The first asterisk in the resource string represents the id of your connection, the second asterisk the resource name. To limit the right to a connection with id 2:
{
  "action": "AclAccessAll",
  "effect": "Allow",
  "resource": "2:*"
}
Allow all access to specific ACL resources
To use the Rights Builder to grant full access only to ACLs of a single resource type, select 'AclAccessAll' in the action dropdown and enter the resource type as the resource name, e.g. for topics:
*:topic
The JSON representation looks like this:
{
  "action": "AclAccessAll",
  "effect": "Allow",
  "resource": "*:*:topic"
}
Allow all access to ACL resources with name spaces / resource name patterns
To use the Rights Builder to grant full access only to topic-related ACLs for topics whose names start with myteam-, select 'AclAccessAll' in the action dropdown and enter the resource name:
myteam-*:topic
The JSON representation looks like this:
{
  "action": "AclAccessAll",
  "effect": "Allow",
  "resource": "*:myteam-*:topic"
}
Available resource types
You can define ACL rights for specific resource types. The following resource types are supported:
- cluster
- group
- topic
- transactional_id
Cluster
To enable access to ACLs for the cluster:
kafka-cluster:cluster
Consumer groups
To enable access to ACLs for consumer groups that start with a certain name:
consumergroup-prefix-*:group
Topics
To enable access to ACLs for topics that start with a certain name:
topic-prefix-*:topic
Transactional Ids
To enable access to ACLs for transactional ids that start with a certain name:
transactional_id-prefix-*:transactional_id
Recommended use for self-managing teams
The following is a recommendation to allow self-management within a project or domain context for a specific team:
- Create a new role.
- Add the Topic right "TopicAccessAll" with a naming scheme, e.g. "marketing.*" for all marketing topics, to allow full management of all marketing topics.
- Create multiple ACL rights as follows:
  - AclAccessAll with the resource name "marketing.*:topic".
  - AclAccessAll with the resource name "marketingteam*:group".
  - If applicable, AclAccessAll with the resource name "marketingteam*:transactional_id".
The marketing team then has the following rights:
- It can independently manage topics whose names start with "marketing.".
- It can independently manage ACLs for the topics mentioned in the point above.
- It can independently manage ACLs for consumer groups and transactional ids whose names start with the team name "marketingteam".
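To check what such a role actually covers before rolling it out, the following added example (not part of the product or this documentation) evaluates rights in the connection:name[:type] format described above against a concrete ACL resource, and flags rights that are not scoped to any connection or name. It assumes that the asterisk is the only wildcard and matches any run of characters, and it evaluates only the AclAccessAll/Allow form shown on this page.

```python
import re

# Constructed role following the self-managing marketing team
# recommendation above (sample data, not output of the product).
MARKETING_ROLE = [
    {"action": "AclAccessAll", "effect": "Allow", "resource": "*:marketing.*:topic"},
    {"action": "AclAccessAll", "effect": "Allow", "resource": "*:marketingteam*:group"},
    {"action": "AclAccessAll", "effect": "Allow", "resource": "*:marketingteam*:transactional_id"},
]


def wildcard_match(pattern: str, value: str) -> bool:
    """'*' is the only wildcard (assumption: it matches any run of characters,
    including none); every other character, e.g. '?' or '[', is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def parse_resource(resource: str) -> tuple:
    """Split 'connection:name[:type]'. A missing type ("*:*", "2:*") means
    the right applies to every ACL resource type on that connection."""
    parts = resource.split(":")
    if len(parts) == 2:
        return parts[0], parts[1], "*"
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    raise ValueError(f"malformed resource string: {resource!r}")


def right_permits(right: dict, connection_id, name: str, resource_type: str) -> bool:
    """Only AclAccessAll with effect Allow is evaluated here; any other
    action or effect is treated as granting nothing (assumption)."""
    if right.get("action") != "AclAccessAll" or right.get("effect") != "Allow":
        return False
    conn_pat, name_pat, type_pat = parse_resource(right["resource"])
    return (wildcard_match(conn_pat, str(connection_id))
            and wildcard_match(name_pat, name)
            and wildcard_match(type_pat, resource_type))


def is_permitted(rights: list, connection_id, name: str, resource_type: str) -> bool:
    """True if at least one right in the role covers the ACL resource."""
    return any(right_permits(r, connection_id, name, resource_type) for r in rights)


def unscoped_rights(rights: list) -> list:
    """Resource strings whose connection and name parts are both a bare '*':
    they grant ACL management on every connection and deserve review."""
    return [r["resource"] for r in rights
            if parse_resource(r["resource"])[:2] == ("*", "*")]
```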