Access control lists and permission mapping
Aiven for Apache Kafka® uses access control lists (ACL) and user definitions to establish individual rights to produce, consume or manage topics. To manage users and ACL entries, you can access the corresponding options in the left-side navigation menu on the service page within the Aiven Console. For detailed instructions, see Manage users and access control lists.
ACL structure
The ACL consists of ACL entries. An ACL entry is defined as the combination of:
- the username
- the permission given to the user
- the associated topics
The username portion of the ACL entry can be an Apache Kafka® service user name, or a string containing wildcards, which can match multiple users. Similarly, the topic portion can be a single Apache Kafka® topic name or can use a wildcard pattern. The permission is one of `read`, `write`, `readwrite` and `admin`.
The wildcards supported are:
- `?` matches a single character (equivalent to the regular expression `.`)
- `*` matches zero or more characters (equivalent to the regular expression `.*`)
The wildcards can be combined for more complex pattern matching:
- `?*` matches a single character followed by zero or more other characters (equivalent to the regular expression `.+`)
Aiven for Apache Kafka® evaluates each topic access against the ACL entries. If it finds a matching ACL entry, access is granted. If no entry matches, access is denied. The order of the ACL entries is irrelevant.
Examples:
- username: `abc`, permission: `read`, topic: `xyz`. User `abc` has read access to topic `xyz`.
- username: `analyst*`, permission: `read`, topic: `xyz`. All service users whose username starts with `analyst` have read access to topic `xyz`.
- username: `developer*`, permission: `read`, topic: `test*`. All service users whose username starts with `developer` have read access to all topics whose name starts with `test`.
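To make the matching rules concrete, here is an added example that implements the evaluation described above. It is not Aiven's own code; it was written for this page and the class and function names (`AclEntry`, `wildcard_to_regex`, `permission_covers`, `is_allowed`, `effective_permissions`) are my own. It translates the `?`/`*` wildcard syntax into anchored regular expressions, treats `readwrite` as covering `read` and `write` and `admin` as covering everything, and grants access as soon as any entry matches. The ACL entries and usernames are constructed sample data taken from the three examples above plus the wildcard `admin` entry that Aiven adds for `avnadmin` by default, so the example also shows why that entry must be removed for a restrictive ACL to mean anything.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Permission names as they appear in the ACL entries list.
PERMISSIONS = ("read", "write", "readwrite", "admin")


@dataclass(frozen=True)
class AclEntry:
    """One ACL entry: username pattern, permission, topic pattern."""
    username: str
    permission: str
    topic: str

    def __post_init__(self) -> None:
        if self.permission not in PERMISSIONS:
            raise ValueError(f"unknown permission: {self.permission!r}")


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the ACL wildcard syntax into a regular expression.

    '?' becomes '.', '*' becomes '.*', everything else is matched literally
    (so a '.' in a topic name does not become a regex metacharacter).
    The result is used with fullmatch(), so the pattern must cover the
    whole username or topic name, not just a prefix.
    """
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def permission_covers(granted: str, required: str) -> bool:
    """Does an entry's permission satisfy the requested kind of access?

    'required' is one of read, write or admin: admin covers everything,
    readwrite covers read and write, and read/write cover only themselves
    (a Produce-only user cannot read the topic it writes to).
    """
    if required not in ("read", "write", "admin"):
        raise ValueError(f"unknown required permission: {required!r}")
    if granted == "admin":
        return True
    if granted == "readwrite":
        return required != "admin"
    return granted == required


def is_allowed(acl: Iterable[AclEntry], username: str, topic: str, required: str) -> bool:
    """Evaluate access as described above: any matching entry grants access,
    no matching entry denies it. Order is irrelevant because there are no
    deny entries, only allow entries."""
    for entry in acl:
        if (
            wildcard_to_regex(entry.username).fullmatch(username)
            and wildcard_to_regex(entry.topic).fullmatch(topic)
            and permission_covers(entry.permission, required)
        ):
            return True
    return False


def effective_permissions(acl: Iterable[AclEntry], username: str, topic: str) -> frozenset:
    """The set of access kinds a user ends up with on one topic."""
    acl = list(acl)
    return frozenset(p for p in ("read", "write", "admin") if is_allowed(acl, username, topic, p))


# Constructed sample ACL: the three entries from the examples above plus the
# wildcard admin entry that Aiven adds for avnadmin on a new service.
DEFAULT_ADMIN_ENTRY = AclEntry("avnadmin", "admin", "*")
SAMPLE_ACL: List[AclEntry] = [
    AclEntry("abc", "read", "xyz"),
    AclEntry("analyst*", "read", "xyz"),
    AclEntry("developer*", "read", "test*"),
    DEFAULT_ADMIN_ENTRY,
]
# The same ACL with the default admin entry removed.
RESTRICTED_ACL = [e for e in SAMPLE_ACL if e != DEFAULT_ADMIN_ENTRY]


if __name__ == "__main__":
    checks = [("abc", "xyz"), ("analyst42", "xyz"), ("developer-1", "test-events"),
              ("developer-1", "prod"), ("avnadmin", "prod")]
    for user, topic in checks:
        print(f"{user:12} {topic:12} {sorted(effective_permissions(SAMPLE_ACL, user, topic))}")
    print("avnadmin on prod without the default entry:",
          sorted(effective_permissions(RESTRICTED_ACL, "avnadmin", "prod")))
```

Running the block prints each sample user's effective access; the last line shows that once the default `avnadmin`/`*`/`admin` entry is gone, `avnadmin` has no access at all unless another entry matches it, which is exactly the effect the next paragraph recommends.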
By default, Aiven adds an `avnadmin` service user to every new service and adds an ACL entry giving that user `admin` permission for all topics. Because access is granted as soon as any entry matches, this wildcard entry gives `avnadmin` full access regardless of how restrictive the other entries are. When you create your own ACLs to restrict access, you probably want to remove this ACL entry.
When using the Aiven Terraform Provider, you can add the `default_acl` key to your resource and set it to `false` if you do not want to create the admin user with wildcard permissions.
ACL permission mapping
You can define four types of permission for a particular topic or topic pattern. Note that each permission is named differently in the Console when you create it (for example, Consume) and in the ACL entries list:
- Admin / `admin`
- Consume and Produce / `readwrite`
- Consume / `read`
- Produce / `write`
The type of the permission dictates the actions the client is able to perform. The following table summarizes the allowed actions and links to the Java APIs:
Action | Link | Admin | Consume and Produce | Produce | Consume |
---|---|---|---|---|---|
Cluster | | | | | |
→ CreateTopics | docs | ✓ | | | |
Consumer Groups | | | | | |
→ Delete | docs | ✓ | ✓ | | ✓ |
→ Describe | docs | ✓ | ✓ | | ✓ |
→ Read | docs | ✓ | ✓ | | ✓ |
Topics | | | | | |
→ Read | docs | ✓ | ✓ | | ✓ |
→ Write | docs | ✓ | ✓ | ✓ | |
→ Describe | docs | ✓ | ✓ | ✓ | ✓ |
→ Describe_Configs | docs | ✓ | ✓ | ✓ | ✓ |
→ Alter | docs | ✓ | | | |
→ AlterConfigs | docs | ✓ | | | |
→ Delete | docs | ✓ | | | |
Transactions | | | | | |
→ Describe | docs | ✓ | ✓ | ✓ | |
→ Write | docs | ✓ | ✓ | ✓ | |
A user with the Admin permission can create topics with any name, as the CreateTopics permission is applied at the cluster level, not to a topic pattern. All other permissions related to a topic (Alter, Delete) only apply to the topics matching the pattern that you specify.
The above mappings are subject to change.
By default, the number of service users per Aiven for Apache Kafka® service is limited to 50. Contact Aiven support if you need more users.