

Current state: "Under Discussion"

Discussion thread

JIRA: KAFKA-12715

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).


Currently, when adding an ACL rule, the --allow-host field only supports a single IP or the * wildcard. If a user wants to authorize a batch of IPs, multiple ACL rules need to be added, one per IP. These IPs are usually in the same network segment. This KIP proposes allowing a network segment to be set in the host field of the ACL so that it can be used for authorization: any IP within the allowed network segment will then be allowed/denied access to the topic by a single rule.

Public Interfaces

The public interface changes are mainly divided into two parts: command-line tools and server-side interfaces. The KIP interface changes are mainly on the command line. The bin/


  • bin/ --bootstrap-server --add --allow-principal User:test1 --allow-host --producer --topic topic
  • bin/ --bootstrap-server --add --allow-principal User:test1 --allow-host --producer --topic topic


  • bin/ --bootstrap-server --add --allow-principal User:test1 --allow-host --producer --topic topic --resource-pattern-type prefixed
  • bin/kafka-acls --bootstrap-server --add --allow-principal User:test1 --allow-host --producer --topic topic --resource-pattern-type prefixed

Command line parameter specification change:

Current help text:

--allow-host <String: allow-host>  Host from which principals listed in --
allow-principal will have access. If
you have specified --allow-principal
then the default for this option
will be set to * which allows access
from all hosts.

Proposed help text:

Host from which principals listed in --allow-principal will have access. Host supports both IP and network segment formats. Eg: or If you have specified --allow-principal then the default for this option will be set to * which allows access from all hosts.

Proposed Changes

Command line code changes


Server code changes

In the matchingAclExists method of AclAuthorizer, the host comparison is modified to support network segments in addition to a single IP and the wildcard host.

  private def matchingAclExists(operation: AclOperation,
                                resource: ResourcePattern,
                                principal: KafkaPrincipal,
                                host: String,
                                permissionType: AclPermissionType,
                                acls: AclSeqs): Boolean = {
        // Host check as it stands today: only an exact host match or the wildcard host passes.
        // This is the comparison the KIP extends to also accept a network segment.
        ( == host || == AclEntry.WildcardHost)
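The host comparison described above, and the "IP or network segment" semantics proposed for --allow-host, worked through as an added example in Python (not the KIP's or Kafka's own code). It assumes CIDR notation for segments, that DENY rules are evaluated before ALLOW rules as in AclAuthorizer, and that an unparsable host field fails closed; the principal and operation wildcards are simplified to the strings "User:*" and "ALL".

```python
import ipaddress
from dataclasses import dataclass

WILDCARD_HOST = "*"  # AclEntry.WildcardHost in Kafka

@dataclass(frozen=True)
class AclEntry:
    principal: str   # e.g. "User:test1"; "User:*" stands in for the wildcard principal
    host: str        # "*", a single IP, or a network segment in CIDR notation
    permission: str  # "ALLOW" or "DENY"
    operation: str   # e.g. "WRITE"; "ALL" covers every operation

def host_matches(acl_host: str, request_host: str) -> bool:
    """True if the client's source address is covered by the ACL host field.
    Anything unparsable fails closed, so a malformed rule can never widen access."""
    if acl_host == WILDCARD_HOST:
        return True
    try:
        addr = ipaddress.ip_address(request_host)
        if "/" in acl_host:
            # strict=False accepts "10.0.1.7/24" and normalises it to 10.0.1.0/24
            net = ipaddress.ip_network(acl_host, strict=False)
            return addr.version == net.version and addr in net
        return addr == ipaddress.ip_address(acl_host)
    except ValueError:
        return False

def matching_acl_exists(acls, principal, host, permission, operation):
    """Mirror of AclAuthorizer.matchingAclExists with the host test widened to segments."""
    return any(
        a.permission == permission
        and a.principal in (principal, "User:*")
        and a.operation in (operation, "ALL")
        and host_matches(a.host, host)
        for a in acls
    )

def is_authorized(acls, principal, host, operation):
    """DENY rules are checked first and win over ALLOW rules, as in Kafka's AclAuthorizer."""
    if matching_acl_exists(acls, principal, host, "DENY", operation):
        return False
    return matching_acl_exists(acls, principal, host, "ALLOW", operation)

# Constructed sample rules: allow the whole segment to write, but deny one address inside it.
SAMPLE_ACLS = [
    AclEntry("User:test1", "10.0.1.0/24", "ALLOW", "WRITE"),
    AclEntry("User:test1", "10.0.1.250", "DENY", "WRITE"),
]
```

Because a segment rule grants every address in the range, pairing it with a narrower DENY rule is the way to carve out exceptions without falling back to one rule per IP.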

Compatibility, Deprecation, and Migration Plan


Rejected Alternatives

