
When implementing a custom Authorizer, one has to map authorization requests coming from Kafka to a different backend system.

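The following table lists all the authorization combinations that can come from Kafka as of 2.0:

| Request | Topic | Group | Cluster (singleton) | TransactionalId | DelegationToken |
|---|---|---|---|---|---|
| Produce | Write | | | | |
| Produce (Idempotent) | Write | | IdempotentWrite | | |
| Produce (Transactional) | Write | | | Write | |
| Fetch (Follower) | Read | | ClusterAction | | |
| Fetch (Consumer) | Read | | | | |
| ListOffsets | Describe | | | | |
| Metadata | Describe | | | | |
| LeaderAndIsr | | | ClusterAction | | |
| StopReplica | | | ClusterAction | | |
| UpdateMetadata | | | ClusterAction | | |
| ControlledShutdown | | | ClusterAction | | |
| OffsetCommit | Read | Read | | | |
| OffsetFetch | Describe | Describe | | | |
| FindCoordinator (Group) | | Describe | | | |
| FindCoordinator (Transaction) | | | | Describe | |
| JoinGroup | | Read | | | |
| Heartbeat | | Read | | | |
| LeaveGroup | | Read | | | |
| SyncGroup | | Read | | | |
| DescribeGroups | | Describe | | | |
| ListGroups | | | Describe | | |
| SaslHandshake | | | | | |
| ApiVersions | | | | | |
| CreateTopics | Create (Added in 2.0) | | Create | | |
| DeleteTopics | Delete | | | | |
| DeleteRecords | Delete | | | | |
| InitProducerId (Idempotent) | | | IdempotentWrite | | |
| InitProducerId (Transaction) | | | | Write | |
| OffsetsForLeaderEpoch | | | ClusterAction | | |
| AddPartitionsToTxn | Write | | | Write | |
| AddOffsetsToTxn | | Read | | Write | |
| EndTxn | | | | Write | |
| WriteTxnMarkers | | | ClusterAction | | |
| TxnOffsetCommit | Read | Read | | Write | |
| DescribeAcls | | | Describe | | |
| CreateAcls | | | Alter | | |
| DeleteAcls | | | Alter | | |
| DescribeConfigs (Broker) | | | DescribeConfigs | | |
| DescribeConfigs (Topic) | DescribeConfigs | | | | |
| AlterConfigs (Broker) | | | AlterConfigs | | |
| AlterConfigs (Topic) | AlterConfigs | | | | |
| AlterReplicaLogDirs | | | Alter | | |
| DescribeLogDirs | | | Describe | | |
| SaslAuthenticate | | | | | |
| CreatePartitions | Alter | | | | |
| CreateDelegationToken | | | | | |
| RenewDelegationToken | | | | | |
| ExpireDelegationToken | | | | | |
| DescribeDelegationTokens | | | | | Describe |
| DeleteGroups | | Delete | | | |

CreateTopics: From 2.0 onwards, CREATE permission on Topic OR CREATE permission on Cluster is required.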


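The following table lists all the authorization combinations that can come from Kafka as of 1.1.0:

| Request | Topic | Group | Cluster (singleton) | TransactionalId | DelegationToken |
|---|---|---|---|---|---|
| Produce | Write | | | | |
| Produce (Idempotent) | Write | | IdempotentWrite | | |
| Produce (Transactional) | Write | | | Write | |
| Fetch (Follower) | Read | | ClusterAction | | |
| Fetch (Consumer) | Read | | | | |
| ListOffsets | Describe | | | | |
| Metadata | Describe | | | | |
| LeaderAndIsr | | | ClusterAction | | |
| StopReplica | | | ClusterAction | | |
| UpdateMetadata | | | ClusterAction | | |
| ControlledShutdown | | | ClusterAction | | |
| OffsetCommit | Read | Read | | | |
| OffsetFetch | Describe | Describe | | | |
| FindCoordinator (Group) | | Describe | | | |
| FindCoordinator (Transaction) | | | | Describe | |
| JoinGroup | | Read | | | |
| Heartbeat | | Read | | | |
| LeaveGroup | | Read | | | |
| SyncGroup | | Read | | | |
| DescribeGroups | | Describe | | | |
| ListGroups | | | Describe | | |
| SaslHandshake | | | | | |
| ApiVersions | | | | | |
| CreateTopics | | | Create | | |
| DeleteTopics | Delete | | | | |
| DeleteRecords | Delete | | | | |
| InitProducerId (Idempotent) | | | IdempotentWrite | | |
| InitProducerId (Transaction) | | | | Write | |
| OffsetsForLeaderEpoch | | | ClusterAction | | |
| AddPartitionsToTxn | Write | | | Write | |
| AddOffsetsToTxn | | Read | | Write | |
| EndTxn | | | | Write | |
| WriteTxnMarkers | | | ClusterAction | | |
| TxnOffsetCommit | Read | Read | | Write | |
| DescribeAcls | | | Describe | | |
| CreateAcls | | | Alter | | |
| DeleteAcls | | | Alter | | |
| DescribeConfigs (Broker) | | | DescribeConfigs | | |
| DescribeConfigs (Topic) | DescribeConfigs | | | | |
| AlterConfigs (Broker) | | | AlterConfigs | | |
| AlterConfigs (Topic) | AlterConfigs | | | | |
| AlterReplicaLogDirs | | | Alter | | |
| DescribeLogDirs | | | Describe | | |
| SaslAuthenticate | | | | | |
| CreatePartitions | Alter | | | | |
| CreateDelegationToken | | | | | |
| RenewDelegationToken | | | | | |
| ExpireDelegationToken | | | | | |
| DescribeDelegationTokens | | | | | Describe |
| DeleteGroups | | Delete | | | |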
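
The sketch below is an added example, not Kafka code or part of the original page: it shows one way a backend could evaluate these combinations with deny-by-default, including the CreateTopics difference between 1.1.0 and 2.0. It assumes every non-empty cell in a row must pass (except the OR the page states for CreateTopics in 2.0); `is_authorized`, `REQUIRED`, the grant tuples and the sample names are hypothetical, and only a few rows are encoded.

```python
# Added example: models a backend permission check; it does not use Kafka classes.
TOPIC, GROUP, CLUSTER, TXN_ID = "Topic", "Group", "Cluster", "TransactionalId"
CLUSTER_NAME = "kafka-cluster"  # the cluster is a singleton resource

# api -> list of alternatives. Each alternative is a set of
# (resource type, operation) checks that must ALL pass (assumption);
# the request is authorized if ANY alternative passes.
COMMON = {
    "Produce": [{(TOPIC, "Write")}],
    "Produce (Transactional)": [{(TOPIC, "Write"), (TXN_ID, "Write")}],
    "OffsetCommit": [{(TOPIC, "Read"), (GROUP, "Read")}],
    "ApiVersions": [set()],  # row with no cells: nothing to check
}
REQUIRED = {
    "1.1.0": {**COMMON, "CreateTopics": [{(CLUSTER, "Create")}]},
    # 2.0: CREATE on Topic OR CREATE on Cluster
    "2.0": {**COMMON,
            "CreateTopics": [{(TOPIC, "Create")}, {(CLUSTER, "Create")}]},
}

def is_authorized(grants, version, api, names):
    """grants: set of (resource type, resource name, operation) the principal
    holds in the backend. names: resource type -> name used in this request."""
    alternatives = REQUIRED.get(version, {}).get(api)
    if alternatives is None:
        return False  # deny by default: unmapped API or version

    def allowed(rtype, op):
        name = CLUSTER_NAME if rtype == CLUSTER else names.get(rtype)
        return name is not None and (rtype, name, op) in grants

    return any(all(allowed(rt, op) for rt, op in alt) for alt in alternatives)

# Constructed sample grants for one principal (not from the page).
SAMPLE_GRANTS = {
    (TOPIC, "orders", "Create"),
    (TOPIC, "orders", "Write"),
    (GROUP, "billing", "Read"),
}

if __name__ == "__main__":
    for version in ("1.1.0", "2.0"):
        ok = is_authorized(SAMPLE_GRANTS, version, "CreateTopics", {TOPIC: "orders"})
        print(version, "CreateTopics with topic-level Create only:", ok)
```

A principal holding only a topic-level Create grant is refused under the 1.1.0 table and accepted under the 2.0 table, so a backend migrated between versions should be re-checked for grants that newly take effect.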