Managing account access in Red Hat OpenShift Streams for Apache Kafka

Guide
  • Red Hat OpenShift Streams for Apache Kafka 1
  • Updated 09 November 2021
  • Published 12 October 2021

As an owner of a Kafka instance in OpenShift Streams for Apache Kafka, you can manage the level of access that other user accounts and service accounts have to your instance. You can allow or deny access to your instance for specific accounts or for all accounts in your organization. You can also allow other users or service accounts to manage the level of access to your instance for you.

You can manage access for only the Kafka instances that you create or for instances that the owner has enabled you to access and alter.

Access management in OpenShift Streams for Apache Kafka

OpenShift Streams for Apache Kafka uses Access Control Lists (ACLs) provided by Kafka that enable you to manage how other user accounts and service accounts are permitted to access the Kafka resources that you create. You can manage access for only the Kafka instances that you create or for instances that the owner has enabled you to access and alter.

An account in OpenShift Streams for Apache Kafka is either a user account or a service account. A user account enables users in your organization to access your resources. A service account enables your application or tool to connect securely to your instance and access your resources.

A resource in an ACL can be a Kafka instance, topic, consumer group, or producer transaction. You use the ACL to define how specific accounts or all accounts in an organization are permitted to access these resources.

An ACL permission setting typically consists of the following components:

  • A single named account or all accounts within the organization that you want to manage access for

  • A single named resource, all resources of a particular type (such as a topic, consumer group, or transactional ID), or all resources of a particular type with a specified prefix

  • A single operation (such as Write) or all operations for the specified resource or resources

You can also allow other users or service accounts to manage access to the resources in your instance for you.

If two or more permission settings in an ACL match a request being made to the Kafka broker and at least one of the matching permissions specifies that the action is denied, then the request is denied.

Supported ACL permissions in OpenShift Streams for Apache Kafka

An ACL acts as a mapping of permitted operations on specified resources for a selected account or for all accounts in an organization. An account can be either a user account or a service account. Operations correspond to Kafka APIs or request types that relate to the specified resource.

For example, a Read operation for a Topic resource corresponds to the Fetch, OffsetCommit, and TxnOffsetCommit Kafka requests. A Write operation for a Topic resource corresponds to the Produce and AddPartitionsToTxn Kafka requests.

The following table lists the supported ACL permissions in OpenShift Streams for Apache Kafka.

The Is resource identifier supports the wildcard character * to denote any occurrence of the specified resource type. For example, Topic is * means any topic in the Kafka instance.

Table 1. Supported ACL permissions

| Resource type | Resource identifier | Access type | Operations |
| --- | --- | --- | --- |
| Consumer group (for consumer group access to a resource) | Starts with, Is | Allow, Deny | All, Read, Delete, Describe |
| Topic (for access to a topic) | Starts with, Is | Allow, Deny | All, Read, Write, Create, Delete, Alter, Alter configs, Describe, Describe configs |
| Transactional ID (for producer access to a resource) | Starts with, Is | Allow, Deny | All, Write, Describe |
| Kafka instance (for access to Kafka instance permissions in ACLs) | None | Allow, Deny | Alter, Describe |

By default, new Kafka instances contain the permissions shown in the following table. These permissions allow all accounts in the organization to view the instance permissions and to view topics in the instance, but not to produce or consume messages.

Table 2. Default ACL permissions for new Kafka instances

| Account | Resource | Access type | Operation |
| --- | --- | --- | --- |
| All accounts | Topic is * (any topic) | Allow | Describe |
| All accounts | Consumer group is * (any consumer group) | Allow | Describe |
| All accounts | Kafka instance (Kafka instance permissions in ACLs) | Allow | Describe |

Additional resources

Authorization Primitives in Kafka documentation

Setting account permissions in a Kafka instance in OpenShift Streams for Apache Kafka

In OpenShift Streams for Apache Kafka, you can create Access Control Lists (ACLs) in your Kafka instances and set permissions for how other user accounts or service accounts can interact with an instance and its resources. You can manage access for only the Kafka instances that you create or for the instances that the owner has enabled you to access and alter.

Prerequisites
  • You’ve created a Kafka instance and the instance is in the Ready state.

  • The user account or service account that you’re setting permissions for has been created in the organization.

Procedure
  1. In the OpenShift Streams for Apache Kafka web console, go to Streams for Apache Kafka > Kafka Instances and click the name of the Kafka instance that you want to set permissions for.

  2. Click the Access tab to view the current ACL permissions for this instance.

  3. Use this Access page to set permissions for a new account, add permissions to an existing account, or delete account permissions in this instance.

    • To set permissions for a new account in this instance, follow these steps:

      1. Click Manage access.

      2. In the Account drop-down menu, select the new user account or service account that you want to set permissions for. You can also select All accounts to set permissions for all user accounts and service accounts in the organization.

      3. Click Next.

        The Review existing permissions section lists any permission settings in this instance that are already defined for all accounts in the organization and for the same account that you previously selected, if applicable. You can delete existing permissions now if needed, or you can wait to delete existing permissions later from the main Access page.

        If you previously selected a specific account, you can delete only permission entries that apply to individual accounts. If you previously selected All accounts, you can delete only permission entries that apply to all accounts.

      4. Under Assign Permissions, set the permissions for the specified account or all accounts for a resource type, such as a topic, and click Add to continue adding permissions for other resources as needed.

        For example, when you create a new service account, you can add the permissions shown in the following table to the Kafka instance that you want the account to access. In this example, the permissions enable applications associated with the service account to create and delete topics in the instance, to produce and consume messages in any topic in the instance, and to use any consumer group and any producer.

        Table 3. Example ACL permissions for a new service account

        | Resource type | Resource identifier and value | Access type | Operation |
        | --- | --- | --- | --- |
        | Topic | Is = * | Allow | All |
        | Consumer group | Is = * | Allow | Read |
        | Transactional ID | Is = * | Allow | All |

      5. Click Save to finish.

    • To add permissions to an existing account in this instance, follow these steps:

      1. For the account that you want to add permissions to, select the options icon (three vertical dots) for that entry and click Manage.

        The Review existing permissions section lists any permission settings in this instance that are already defined for all accounts in the organization and for the same account that you previously selected, if applicable. You can delete existing permissions now if needed, or you can wait to delete existing permissions later from the main Access page.

        If you selected a permission entry that applies to a specific account, you can delete only permission entries that apply to individual accounts. If you selected a permission entry that applies to all accounts, you can delete only permission entries that apply to all accounts.

      2. Under Assign Permissions, set the additional permissions for that account or all accounts for a resource type, such as a topic, and click Add to continue adding permissions for other resources as needed.

      3. Click Save to finish.

    • To delete existing account permissions in this instance, use the following options:

      • Select one or more permission entries, select the options icon (three vertical dots) at the top of the table, and click Delete selected permissions.

      • For the account that you want to delete, select the options icon (three vertical dots) for that entry and click Delete.

    If you delete a user account or service account, you should also delete any ACL permissions associated with that account. If you don’t delete unused ACL permissions, a future account with the same ID as a previously deleted account could inherit those ACL permissions and gain automatic access to the Kafka instance.
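The ACL components and the deny-wins rule from the Access management section, together with the orphaned-permission caveat in the note above, as an added Python model that is not part of this guide or of OpenShift Streams; the account IDs, topic names and the Deny entry are constructed for illustration, and `orphaned_entries` is a hypothetical audit helper, not a console feature.

```python
from dataclasses import dataclass

ALL_ACCOUNTS = "*"  # stands for the console's "All accounts" choice


@dataclass(frozen=True)
class AclEntry:
    """One permission setting built from the components described in Access management."""
    account: str        # account ID, or ALL_ACCOUNTS
    resource_type: str  # "topic", "group", "transactional_id" or "cluster" (the Kafka instance)
    pattern: str        # "is" (exact match; "*" means any) or "starts_with"
    name: str           # resource identifier value ("" for the Kafka instance itself)
    access: str         # "allow" or "deny"
    operation: str      # "read", "write", "describe", ... or "all"

    def matches(self, account, resource_type, name, operation):
        """True if this entry applies to the request (account, resource and operation)."""
        if self.account not in (ALL_ACCOUNTS, account):
            return False
        if self.resource_type != resource_type or self.operation not in ("all", operation):
            return False
        if self.pattern == "starts_with":
            return name.startswith(self.name)
        return self.name in ("*", name)


def is_authorized(acl, account, resource_type, name, operation):
    """Default deny; a single matching Deny entry overrides any matching Allow entries."""
    matched = [e for e in acl if e.matches(account, resource_type, name, operation)]
    if any(e.access == "deny" for e in matched):
        return False
    return any(e.access == "allow" for e in matched)


def orphaned_entries(acl, existing_accounts):
    """Entries for accounts that no longer exist; delete them before the ID can be reused."""
    return [e for e in acl if e.account != ALL_ACCOUNTS and e.account not in existing_accounts]


# Constructed ACL (IDs and names are made up): the Table 8 scenario, the default
# Describe entry, a Deny on topics prefixed "internal-" for every account, and an
# entry left behind by a deleted service account.
SAMPLE_ACL = [
    AclEntry("srvc-acct-example", "topic", "is", "topic-1", "allow", "read"),
    AclEntry("srvc-acct-example", "group", "starts_with", "app", "allow", "read"),
    AclEntry(ALL_ACCOUNTS, "topic", "is", "*", "allow", "describe"),
    AclEntry(ALL_ACCOUNTS, "topic", "starts_with", "internal-", "deny", "all"),
    AclEntry("srvc-acct-deleted", "topic", "is", "*", "allow", "all"),
]
```

Running `orphaned_entries(SAMPLE_ACL, {"srvc-acct-example"})` reports the stale `srvc-acct-deleted` entry, which would otherwise grant full topic access to any future account that receives the same ID.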

Example account access scenarios in OpenShift Streams for Apache Kafka

The following example Access Control Lists (ACLs) illustrate common scenarios for managing the level of access for user accounts or service accounts in OpenShift Streams for Apache Kafka. Use these examples as a guide for your own ACLs.

Access for a new service account in a Kafka instance

I’ve created a new service account and I want to allow it to create and delete topics in the instance, to produce and consume messages in any topic in the instance, and to use any consumer group and any producer.

Table 4. Example ACL permissions

| Account | Resource type | Resource identifier and value | Access type | Operation |
| --- | --- | --- | --- | --- |
| srvc-acct-1a2b3c4d-… | Topic | Is = * | Allow | All |
| srvc-acct-1a2b3c4d-… | Consumer group | Is = * | Allow | All |
| srvc-acct-1a2b3c4d-… | Transactional ID | Is = * | Allow | All |

Access for all accounts in a Kafka instance

I want this Kafka instance to be fully accessible to all accounts in the organization. I want any user to be able to read all topics, write to all topics, use any consumer group, and use any producer.

Table 5. Example ACL permissions

| Account | Resource | Resource identifier and value | Access type | Operations |
| --- | --- | --- | --- | --- |
| All accounts | Topic | Is = * | Allow | All |
| All accounts | Consumer group | Is = * | Allow | All |
| All accounts | Transactional ID | Is = * | Allow | All |

Access for a specific user in a Kafka instance

I want this Kafka instance to be fully accessible to a specific user. I don’t know which topics or consumer groups the user will use, so I want the user to be able to read any topic, write to any topic, and join any consumer group in the instance.

Table 6. Example ACL permissions

| Account | Resource | Resource identifier and value | Access type | Operations |
| --- | --- | --- | --- | --- |
| usr-acct-1a2b3c4d-… | Topic | Is = * | Allow | All |
| usr-acct-1a2b3c4d-… | Consumer group | Is = * | Allow | All |
| usr-acct-1a2b3c4d-… | Transactional ID | Is = * | Allow | All |

Access for a specific producer to write to a topic

I want to allow a user account with a producer of a specific transactional.id value to produce messages to a specific topic in this Kafka instance.

Table 7. Example ACL permissions

| Account | Resource | Resource identifier and value | Access type | Operations |
| --- | --- | --- | --- | --- |
| usr-acct-1a2b3c4d-… | Topic | Is = topic-1 | Allow | Write |
| usr-acct-1a2b3c4d-… | Transactional ID | Is = producer-1 | Allow | All |

Access for specific consumer groups to consume from a topic

I want to allow a service account with consumers from consumer groups whose names start with app to consume messages from a specific topic in this Kafka instance.

Table 8. Example ACL permissions

| Account | Resource | Resource identifier and value | Access type | Operations |
| --- | --- | --- | --- | --- |
| srvc-acct-1a2b3c4d-… | Topic | Is = topic-1 | Allow | Read |
| srvc-acct-1a2b3c4d-… | Consumer group | Starts with = app | Allow | Read |

Access for a specific user to manage all permissions in the ACL of a Kafka instance

I want to allow a user account to manage all permissions in the ACL for this Kafka instance. I’ve removed all other permissions from this instance so that the new authorized user can define the new ACL as needed.

Table 9. Example ACL permissions

| Account | Resource | Resource identifier and value | Access type | Operations |
| --- | --- | --- | --- | --- |
| usr-acct-1a2b3c4d-… | Kafka instance | None | Allow | Alter |
| usr-acct-1a2b3c4d-… | Kafka instance | None | Allow | Describe |