Authorization

Apache Kafka has a pluggable authorizer and ships with an out-of-the-box authorizer implementation that uses ZooKeeper to store all ACLs. To learn more, see Apache Kafka Authorization and ACLs. In Amazon MSK, this authorizer is enabled in the server.properties file on the brokers. Kafka ACLs follow the general form "Principal P is [Allowed/Denied] Operation O From Host H on any Resource R matching ResourcePattern RP". By default, if no ResourcePattern matches a specific Resource R, then R has no associated ACLs, and no one other than super users is allowed to access R. This behavior can be changed by setting the broker property "allow.everyone.if.no.acl.found=true". In Amazon MSK this property is set to true by default, which means that a resource with no ACLs at all is accessible to every authenticated principal. As soon as any ACL is added to a resource, however, only principals with a matching allow ACL (and no matching deny ACL, since deny takes precedence) can access it. So to restrict access to a topic and authorize a client that uses TLS mutual authentication, you add ACLs for the principal derived from that client's certificate using the Kafka authorizer CLI, kafka-acls.sh.

  • Grant read and write access to the test topic (but not to the testaclfail topic) to the client whose certificate was installed in the keystore in the Setup section.

    • You can run the following command to see the Distinguished-Name of the client certificate. This is for information only; the Read and Write access commands below derive it for you.

      keytool -list -v -keystore /tmp/kafka.client.keystore.jks | grep ip-
      
    • You should get output like below. The Distinguished-Name is the value on the matching "Owner:" line; with the default ssl.principal.mapping.rules, Kafka uses this DN as the client's principal name, prefixed with "User:".


    • Run the following commands to give Read and Write access to the test topic. They assume $zoo holds the ZooKeeper connection string for your MSK cluster, as set in the Setup section.
      Note: When running the first command, you will be prompted for a password. Provide the password you entered for the keystore when running the AuthMSK-1.0-SNAPSHOT.jar file in the Setup section.

      # Extract the certificate DN from the keystore and build the Kafka principal "User:<DN>".
      cn=$(keytool -list -v -keystore /tmp/kafka.client.keystore.jks | grep ip- | cut -d " " -f 2)
      export dn="User:${cn}"
      # Read on the topic plus Read on every consumer group (a consumer needs both); quoting '*' keeps the shell from expanding it.
      bin/kafka-acls.sh --authorizer-properties zookeeper.connect=$zoo --add --allow-principal "$dn" --operation Read --group='*' --topic test
      bin/kafka-acls.sh --authorizer-properties zookeeper.connect=$zoo --add --allow-principal "$dn" --operation Write --topic test
      
    • You should get an output like below.
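To make the decision rules above concrete, here is an added example (not code from the original page or from Kafka or Amazon MSK) that models how Kafka's ACL authorizer evaluates a request: super users always pass; a resource with no ACLs of any kind falls back to allow.everyone.if.no.acl.found; otherwise a matching deny wins, and an allow must match the principal, host and operation (Read, Write, Delete and Alter implicitly grant Describe). The principal names, hosts and the ACL on the testaclfail topic are constructed for the example; the ACLs on the test topic mirror the two kafka-acls.sh commands above.

```python
"""Model of Kafka's ACL authorization decision (added example, not Kafka's own code)."""
from dataclasses import dataclass

# Operations whose ALLOW implicitly grants the narrower operation (Kafka applies
# this only when looking for an allow, not when looking for a deny).
IMPLIED_BY = {
    "DESCRIBE": {"READ", "WRITE", "DELETE", "ALTER"},
    "DESCRIBE_CONFIGS": {"ALTER_CONFIGS"},
}


@dataclass(frozen=True)
class Acl:
    principal: str       # "User:<name>"; "User:*" matches every principal
    permission: str      # "ALLOW" or "DENY"
    operation: str       # "READ", "WRITE", "ALL", ...
    host: str            # "*" or a specific host/IP
    resource_type: str   # "TOPIC", "GROUP", "CLUSTER", ...
    resource_name: str
    pattern_type: str = "LITERAL"   # or "PREFIXED"

    def covers_resource(self, rtype, rname):
        """Does this ACL's resource pattern match the requested resource?"""
        if self.resource_type != rtype:
            return False
        if self.pattern_type == "PREFIXED":
            return rname.startswith(self.resource_name)
        return self.resource_name in ("*", rname)   # literal name or wildcard

    def matches(self, principal, host, operation, with_implied):
        """Does this ACL apply to the given principal, host and operation?"""
        if self.principal not in ("User:*", principal):
            return False
        if self.host not in ("*", host):
            return False
        ops = {operation}
        if with_implied:
            ops |= IMPLIED_BY.get(operation, set())
        return self.operation == "ALL" or self.operation in ops


class Authorizer:
    def __init__(self, acls, super_users=(), allow_everyone_if_no_acl_found=False):
        self.acls = list(acls)
        self.super_users = set(super_users)
        self.allow_everyone_if_no_acl_found = allow_everyone_if_no_acl_found

    def authorize(self, principal, host, operation, rtype, rname):
        if principal in self.super_users:
            return True
        relevant = [a for a in self.acls if a.covers_resource(rtype, rname)]
        if not relevant:
            # No ACL of any kind on this resource: the broker-wide default decides.
            return self.allow_everyone_if_no_acl_found
        if any(a.permission == "DENY" and a.matches(principal, host, operation, False)
               for a in relevant):
            return False
        return any(a.permission == "ALLOW" and a.matches(principal, host, operation, True)
                   for a in relevant)


# Constructed principals: "User:" + the certificate DN, as Kafka derives it by default.
CLIENT = "User:CN=ip-10-0-0-11.ec2.internal"
OTHER = "User:CN=ip-10-0-0-22.ec2.internal"

ACLS = [
    Acl(CLIENT, "ALLOW", "READ", "*", "GROUP", "*"),          # --operation Read --group=*
    Acl(CLIENT, "ALLOW", "READ", "*", "TOPIC", "test"),       # --operation Read --topic test
    Acl(CLIENT, "ALLOW", "WRITE", "*", "TOPIC", "test"),      # --operation Write --topic test
    Acl(OTHER, "ALLOW", "READ", "*", "TOPIC", "testaclfail"), # constructed: someone else's topic
    Acl(CLIENT, "DENY", "WRITE", "10.0.0.99", "TOPIC", "test"),  # constructed: deny from one host
]


def msk_default():
    """Amazon MSK brokers: allow.everyone.if.no.acl.found=true."""
    return Authorizer(ACLS, allow_everyone_if_no_acl_found=True)


def upstream_default():
    """Plain Apache Kafka default: resources without ACLs are closed to non-super users."""
    return Authorizer(ACLS)


if __name__ == "__main__":
    for label, authz in (("msk", msk_default()), ("upstream", upstream_default())):
        for rname in ("test", "testaclfail", "unprotected"):
            ok = authz.authorize(CLIENT, "10.0.0.5", "READ", "TOPIC", rname)
            print(f"{label:9} READ {rname:12} -> {'ALLOW' if ok else 'DENY'}")
```

The "unprotected" topic shows the MSK-specific trap: with no ACLs on it, every principal can read it under the MSK default, while the upstream default denies the same request. On a real cluster, kafka-acls.sh --authorizer-properties zookeeper.connect=$zoo --list --topic test shows the ACLs the two commands above created.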