Topic and user Access using TOPIC and USER operator

[kmandal-volvo]

I have Topic A and User B configured to access Topic A, define ACL for necessary operation. This is deployed once the application user. I have Topic C and User D configured to access Topic C , ACL define for necessary operation. This is deployed for another application user. This is working fine but my requirement is the first application User B once to provide access to Topic A to the user of another application User D . While configure getting working Kafkauser/D is part of a different application.

First application Deployment for user done this way.

apiVersion: kafka.strimzi.io/v1alpha1
kind: KafkaTopic
metadata:
  name: B
  labels:
    strimzi.io/cluster: vcc-external-esp
spec:
  partitions: 10
  replicas: 2
  config:
    retention.ms: 7200000
    segment.bytes: 1073741824

apiVersion: kafka.strimzi.io/v1alpha1
kind: KafkaUser
metadata:
  name: B
  labels:
    strimzi.io/cluster: vcc-external-esp
spec:
  authentication:
    type: tls
  authorization:
    type: simple
    acls:
      - resource:
          type: topic
          name: A
          patternType: literal
        operation: Read
      - resource:
          type: group
          name: A
          patternType: literal
        operation: Read

apiVersion: kafka.strimzi.io/v1alpha1
kind: KafkaUser
metadata:
  name: D
  labels:
    strimzi.io/cluster: vcc-external-esp
spec:
  authentication:
    type: tls
  authorization:
    type: simple
    acls:
      - resource:
          type: topic
          name: A
          patternType: literal
        operation: Read
      - resource:
          type: group
          name: A
          patternType: literal
        operation: Read

Second application Deployment for user done this way.

apiVersion: kafka.strimzi.io/v1alpha1
kind: KafkaTopic
metadata:
  name: C
  labels:
    strimzi.io/cluster: vcc-external-esp
spec:
  partitions: 10
  replicas: 2
  config:
    retention.ms: 7200000
    segment.bytes: 1073741824

apiVersion: kafka.strimzi.io/v1alpha1
kind: KafkaUser
metadata:
  name: D
  labels:
    strimzi.io/cluster: vcc-external-esp
spec:
  authentication:
    type: tls
  authorization:
    type: simple
    acls:
      - resource:
          type: topic
          name: C
          patternType: literal
        operation: Read
      - resource:
          type: group
          name: C
          patternType: literal
        operation: Read

[scholzj]

Sorry, I'm not sure I follow the question. The ACLs are part of the KafkaUser resource - so all rights for user d have to be in his KafkaUser resource. You can of course also disable the user operator and manage the ACLs in some other way or directly using the Kafka Admin API..

[ghost]

Hi to elaborate a little on this query. The part we would like to achieve is to have maintainers of topics be able to add the ACL part to an existing user so we can distribute the admin part of this using GitOps. But my understanding of how this works it will not be possible we as the operators of the shared kafka cluster must control the creation and ACL for all users because the Kafka operator will create the user and there is also no way of controlling who gets to give ACLs for a specific topic but rather if you have access to the user operator via yaml you can add any user with any configuration on the ACL thus you are free to give yourself rights to anything.

[scholzj]

I'm afraid the resources are designed as they are (for the good and bad of it) with the ACLs being part of the KafkaUser resource. And any access control to the KafkaUser and KafkaTopic resources is done through Kubernetes RBAC which does not give too much granularity. If you use GitOps, some of this can be maybe controlled before creating the resources => before merging it to Git.

[ghost]

Understood and then it is confirm, it is back to the drawing board then :(