acl

A definition representing ACLs for a specified Kafka resource.

Definition

Metadata

  • name (string), required

    The name of the resource that ACL entries will be applied to. For type cluster this must be kafka-cluster.

  • type (string), required

    The type of the resource that ACL entries will be applied to. Must be one of topic, group, cluster, transactional_id, delegation_token.

  • resourcePatternType (string)

    How the resource name will be understood by Kafka. Must be one of literal, prefixed. The default value is literal.

  • labels (map[string]string)

    Labels are key-value pairs associated with the definition.

    Labels are not directly used by kdef and have no remote state. They are purely for the purposes of storing meaningful attributes with the definition that would be relevant to users.

Spec

  • acls ([]ACLEntryGroup)
  • deleteUndefinedAcls (bool)

    Allows kdef to delete ACLs that are not defined in acls. It is highly recommended to set this to true. If false, changes to ACL entry groups will only create new ACLs and previously defined ACLs will remain attached to the target resource.

    Caution

    Enabling this option allows kdef to permanently delete ACLs. Always confirm operations with --dry-run.

ACLEntryGroup

A group of ACL entries, where specifying more than one value for its properties results in many ACLs being created in a combinatorial fashion.

Example

The following ACL entry group creates six ACLs.

    - hosts: ["*"]
      operations: ["READ", "WRITE"]
      permissionType: ALLOW
      principals:
        - User:foo
        - User:bar
        - User:baz

Resulting ACLs (host, operation, permissionType, principal):

    "*", "READ", "ALLOW", "User:foo"
    "*", "READ", "ALLOW", "User:bar"
    "*", "READ", "ALLOW", "User:baz"
    "*", "WRITE", "ALLOW", "User:foo"
    "*", "WRITE", "ALLOW", "User:bar"
    "*", "WRITE", "ALLOW", "User:baz"

  • hosts ([]string), required

    Host addresses to create ACLs for. The wildcard "*" allows all hosts.

  • operations ([]string), required

    Operations to create ACLs for. Must be one of ALL, READ, WRITE, CREATE, DELETE, ALTER, DESCRIBE, CLUSTER_ACTION, DESCRIBE_CONFIGS, ALTER_CONFIGS, IDEMPOTENT_WRITE.

  • permissionType (string), required

    The permission type for ACLs in this group. Must be either ALLOW or DENY.

  • principals ([]string), required

    Principals to create ACLs for. When using the Kafka simple authorizer, each principal must begin with User:.
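To make the combinatorial expansion of an ACL entry group and the effect of deleteUndefinedAcls concrete, here is an added Go example; it is not kdef's own code, and the ACL, ACLEntryGroup, Expand and Plan names are assumptions for this illustration. It expands the six-ACL group shown above and then diffs the result against a constructed set of ACLs already attached to the resource.

```go
package main

import "fmt"

// ACL is one expanded Kafka ACL: host, operation, permission type, principal.
type ACL struct{ Host, Operation, PermissionType, Principal string }
type ACLEntryGroup struct { // mirrors the fields of a kdef ACL entry group
	Hosts, Operations, Principals []string
	PermissionType               string
}

// Expand yields the cartesian product hosts x operations x principals per group.
func Expand(groups []ACLEntryGroup) []ACL {
	var out []ACL
	for _, g := range groups {
		for _, h := range g.Hosts {
			for _, op := range g.Operations {
				for _, p := range g.Principals {
					out = append(out, ACL{h, op, g.PermissionType, p})
				}
			}
		}
	}
	return out
}

// Plan diffs desired ACLs against those currently on the resource. Remote ACLs
// absent from the definition are deleted only when deleteUndefined is true.
func Plan(desired, remote []ACL, deleteUndefined bool) (create, del []ACL) {
	have, want := map[ACL]bool{}, map[ACL]bool{}
	for _, a := range remote {
		have[a] = true
	}
	for _, a := range desired {
		if want[a] = true; !have[a] {
			create = append(create, a)
		}
	}
	for _, a := range remote {
		if deleteUndefined && !want[a] {
			del = append(del, a) // stale ACL; with false it would stay attached
		}
	}
	return create, del
}

func main() { // constructed sample: the page's six-ACL group plus one stale remote ACL
	g := ACLEntryGroup{Hosts: []string{"*"}, Operations: []string{"READ", "WRITE"}, PermissionType: "ALLOW", Principals: []string{"User:foo", "User:bar", "User:baz"}}
	fmt.Println(Plan(Expand([]ACLEntryGroup{g}), []ACL{{"*", "READ", "ALLOW", "User:foo"}, {"*", "DELETE", "ALLOW", "User:stale"}}, true))
}
```

With deleteUndefined set to false the stale DELETE grant for User:stale is never scheduled for removal, which is the situation the caution above warns about.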

Examples

apiVersion: v1
kind: acl
metadata:
  name: kafka-cluster
  type: cluster
spec:
  acls:
    - hosts: ["*"]
      operations: ["DESCRIBE_CONFIGS"]
      permissionType: ALLOW
      principals:
        - User:foo
        - User:bar
        - User:baz
  deleteUndefinedAcls: true

apiVersion: v1
kind: acl
metadata:
  name: store.events.order-created
  type: topic
  labels:
    producer: storefront
spec:
  acls:
    - hosts: ["*"]
      operations:
        - "READ"
        - "WRITE"
        - "CREATE"
        - "DESCRIBE"
        - "DESCRIBE_CONFIGS"
      permissionType: ALLOW
      principals:
        - User:foo
        - User:bar
        - User:baz
    - hosts: ["*"]
      operations:
        - "DELETE"
        - "ALTER"
        - "ALTER_CONFIGS"
      permissionType: ALLOW
      principals: ["User:baz"]
    - hosts: ["*"]
      operations: ["CREATE"]
      permissionType: DENY
      principals: ["User:bar"]
  deleteUndefinedAcls: true

Schema

Definition:

{
    "apiVersion": string,
    "kind": string,
    "metadata": {
        "name": string,
        "type": string,
        "labels": {
            string: string
        }
    },
    "spec": {
        "acls": [
            {
                "hosts": [
                    string
                ],
                "operations": [
                    string
                ],
                "permissionType": string,
                "principals": [
                    string
                ]
            }
        ],
        "deleteUndefinedAcls": bool
    }
}