* `kafka.security.authorizer.AclAuthorizer` (the default Kafka authorizer implementation), was introduced in Apache Kafka 2.4/Confluent Platform 5.4.0. If you are running a previous version, then use SimpleAclAuthorizer (`kafka.security.auth.SimpleAclAuthorizer`). If you are using the Confluent platform, you can use also the LDAP authorizer (please refer to the official Confluent documentation for further details: https://docs.confluent.io/platform/current/security/ldap-authorizer/quickstart.html)
209
+
* Please consider that `zookeeper.set.acl` is **false** by default
210
+
211
+
From the official Kafka documentation you can find that if a resource has no associated ACLs, then no one is allowed to access that resource except super users.
212
+
If this is the case in your Kafka cluster, then you have also to add the following:
213
+
214
+
[source, properties]
215
+
----
216
+
kafka.allow.everyone.if.no.acl.found=true
217
+
----
218
+
219
+
[NOTE]
220
+
Be very careful on using the above property because, as the property name implies, it will allow access to everyone if no acl were found
221
+
222
+
If super users are specified, then include also:
223
+
224
+
[source,properties]
225
+
----
226
+
kafka.super.users=...
227
+
----
228
+
229
+
Moreover, if you change the default user name (principal) mapping rule then you have to add also the following properties:
230
+
231
+
* If you used SSL encryption, then:
232
+
233
+
+
234
+
[source, properties]
235
+
----
236
+
kafka.ssl.principal.mapping.rules=...
237
+
----
238
+
239
+
* If you used SASL encryption (probably so, if you have Kerberos environment), then:
240
+
241
+
+
242
+
[source, properties]
243
+
----
244
+
kafka.sasl.kerberos.principal.to.local.rules=...
245
+
----
246
+
247
+
Furthermore, if you want to ensure that also the brokers communicates with each other using Kerberos,
248
+
you have to specify the following property, which is anyway not required for the ACLs purposes:
249
+
250
+
[source, properties]
251
+
----
252
+
kafka.security.inter.broker.protocol=SASL_SSL
253
+
----
254
+
255
+
[NOTE]
256
+
The last property is `PLAIN` by default
257
+
258
+
To make the plugin work properly, the following operations must be authorized for Topic and Cluster resource types:
259
+
260
+
* **Write**, when you want to use the plugin as a Source
261
+
* **Read**, when you want to use the plugin as a Sink
262
+
* **DescribeConfigs** and **Describe**, because the plugin uses the following 2 Kafka AdminClient API:
263
+
** listTopics
264
+
** describeCluster
265
+
266
+
To use streams procedures, the same operations must be authorized (read or write) depending on which of the procedures you wish to use. The permissions required by the procedures and the source/sink operations are the same.
267
+
268
+
For further details on how to setup and define ACLs on Kafka, please refer to official Confluent Kafka documentation:
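Review bot: the instruction that introduces `kafka.allow.everyone.if.no.acl.found=true` (new lines 211-216) reads as a recommendation to make the cluster permissive: it first states that a resource with no ACLs is inaccessible to everyone but super users, then says "if this is the case ... you have also to add" the property that allows everyone. If the intent is that the plugin-side value has to mirror what the brokers already run with, say that explicitly ("if your brokers set `allow.everyone.if.no.acl.found=true`, set the same value here"); as written, a reader will flip the broker default, and the NOTE on line 220 does not undo that. Three further points in this hunk: the NOTE on line 256 gives `PLAIN` as the default of `security.inter.broker.protocol`, but the default is `PLAINTEXT` (`PLAIN` is a SASL mechanism name, not a listener security protocol, so the valid values here are `PLAINTEXT`, `SSL`, `SASL_PLAINTEXT`, `SASL_SSL`); "SASL encryption" on line 239 should read "SASL authentication", and the `ssl.principal.mapping.rules` bullet on line 231 applies when clients authenticate with TLS client certificates, not to SSL encryption in general; in the permissions list on lines 258-264, `listTopics` and `describeCluster` are covered by Describe on Topic and Cluster and neither needs DescribeConfigs (which guards `describeConfigs`), so either name the AdminClient call that actually needs DescribeConfigs or drop it, and add that the Sink case also needs Read on the consumer Group resource, which a list limited to Topic and Cluster omits and which is the first authorization error a consumer hits.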
This section applies only to the Neo4j Streams plugin and not to the Kafka Connect plugin. This because it's Kafka Connect plugin that takes care about the authorizations.
274
+
The only special case for the Kafka Connect plugin is when you use the DLQ. If so, you have to define the **Write** authorization the DLQ producer needs.
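Review bot: "takes care about the authorizations" in the context line before new line 274 is vague and can be read as "Kafka Connect needs no ACLs"; the Connect worker's principal still needs the ACLs for its internal topics and its consumer group, the difference is only that these are configured on the Connect worker rather than in neo4j.conf, so state that. For the DLQ case on line 274, name what needs the Write ACL: the producer the Connect worker creates for the sink connector's dead-letter topic (`errors.deadletterqueue.topic.name`), and the ACL goes on that topic, not on the sink's input topics.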