Sign upLogin

devshawn/kafka-gitops

View on GitHub
Star
docs/permissions.md

Summary

Maintainability
Test Coverage
# Permissions

When running against a secured Kafka cluster, `kafka-gitops` needs to be authorized to perform actions against the cluster. This can either be a super user defined by the Kafka cluster or a custom user with specific permissions.

## Example

For the purposes of this example, we'll assume we have a user principal named `gitops-user`. 

Full usage of kafka-gitops means you are managing topics, services, ACLs, and users. If you plan to make use of our ACL management features, the `gitops-user` principal must have the ability to create and manage ACLs.

If you do not want to use a super user, you can create a `gitops-user` principal and a current super user can make them an *ACL Administrator*. An ACL administrator has the `ALTER --cluster` access control entry. This entry allows the user to create and delete ACLs for the given cluster. 

!> **Caution**: An ACL administrator can then create ACLs for any other principal, including themselves.  

### Manually Add ACLs
Add the alter cluster ACL to the `gitops-user` principal:

```bash
kafka-acls --bootstrap-server localhost:9092 --command-config admin.properties \
--add --allow-principal User:gitops-user \
--operation  ALTER --cluster
```

Add the ACLs needed to manage topics to the `gitops-user` principal:

```bash
kafka-acls --bootstrap-server localhost:9092 --command-config admin.properties --add \
--allow-principal User:gitops-user --operation Create --operation Delete \
--operation DescribeConfigs --operation AlterConfigs --operation Alter \
--operation Describe --topic '*'
```

The above configs allow the `gitops-user` to manage ACLs, topics, and topic configurations.

### State File Definition
You can also create the ACLs using kafka-gitops. Run it once with super admin credentials using the state file below, and then switch to using your `gitops-user` credentials.

```yaml
users:
  gitops-user:
    principal: User:gitops-user

customUserAcls:
  gitops-user:
    alter-cluster:
      name: kafka-cluster
      type: CLUSTER
      pattern: LITERAL
      host: "*"
      operation: ALTER
      permission: ALLOW
    create-topics:
      name: "*"
      type: TOPIC
      pattern: LITERAL
      host: "*"
      operation: CREATE
      permission: ALLOW
    alter-topics:
      name: "*"
      type: TOPIC
      pattern: LITERAL
      host: "*"
      operation: ALTER
      permission: ALLOW
    describe-topics:
      name: "*"
      type: TOPIC
      pattern: LITERAL
      host: "*"
      operation: DESCRIBE
      permission: ALLOW
    delete-topics:
      name: "*"
      type: TOPIC
      pattern: LITERAL
      host: "*"
      operation: DELETE
      permission: ALLOW
    describe-topic-configs:
      name: "*"
      type: TOPIC
      pattern: LITERAL
      host: "*"
      operation: DESCRIBE_CONFIGS
      permission: ALLOW
    alter-topic-configs:
      name: "*"
      type: TOPIC
      pattern: LITERAL
      host: "*"
      operation: ALTER_CONFIGS
      permission: ALLOW
```