Closed marcojck closed 3 years ago
https://github.com/linkedin/cruise-control/issues/1413 - maybe this issue could be helpful for you
Hi! Yes, some helpful information indeed! But unfortunately, this issue doesn't mention anything about which permissions CC needs in order to execute cluster optimizations, such as partition rebalance...
Thanks anyway!
Additionally, the CC ACL user needs to have DESCRIBE permissions for all topics. For rebalance execution, the CC ACL user should have DESCRIBE and ALTER permissions on the CLUSTER resource too.
@marcojck my current ACL list for the CC user, cruisecontrol:
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=*, patternType=LITERAL)`:
(principal=User:cruisecontrol, host=*, operation=DESCRIBE, permissionType=ALLOW)
(principal=User:cruisecontrol, host=*, operation=DESCRIBE_CONFIGS, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=__CruiseControlMetrics, patternType=LITERAL)`:
(principal=User:cruisecontrol, host=*, operation=READ, permissionType=ALLOW)
(principal=User:cruisecontrol, host=*, operation=WRITE, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=cruisecontrol., patternType=PREFIXED)`:
(principal=User:cruisecontrol, host=*, operation=READ, permissionType=ALLOW)
(principal=User:cruisecontrol, host=*, operation=DESCRIBE, permissionType=ALLOW)
(principal=User:cruisecontrol, host=*, operation=DELETE, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=CLUSTER, name=kafka-cluster, patternType=LITERAL)`:
(principal=User:cruisecontrol, host=*, operation=ALTER, permissionType=ALLOW)
(principal=User:cruisecontrol, host=*, operation=IDEMPOTENT_WRITE, permissionType=ALLOW)
(principal=User:cruisecontrol, host=*, operation=DESCRIBE, permissionType=ALLOW)
(principal=User:cruisecontrol, host=*, operation=DESCRIBE_CONFIGS, permissionType=ALLOW)
(principal=User:cruisecontrol, host=*, operation=CREATE, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=__KafkaCruiseControlPartitionMetricSamples, patternType=LITERAL)`:
(principal=User:cruisecontrol, host=*, operation=WRITE, permissionType=ALLOW)
(principal=User:cruisecontrol, host=*, operation=DESCRIBE, permissionType=ALLOW)
(principal=User:cruisecontrol, host=*, operation=READ, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=__KafkaCruiseControlModelTrainingSamples, patternType=LITERAL)`:
(principal=User:cruisecontrol, host=*, operation=WRITE, permissionType=ALLOW)
(principal=User:cruisecontrol, host=*, operation=READ, permissionType=ALLOW)
(principal=User:cruisecontrol, host=*, operation=DESCRIBE, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=cruisecontrol., patternType=PREFIXED)`:
(principal=User:cruisecontrol, host=*, operation=WRITE, permissionType=ALLOW)
(principal=User:cruisecontrol, host=*, operation=DESCRIBE, permissionType=ALLOW)
(principal=User:cruisecontrol, host=*, operation=DELETE, permissionType=ALLOW)
(principal=User:cruisecontrol, host=*, operation=DESCRIBE_CONFIGS, permissionType=ALLOW)
(principal=User:cruisecontrol, host=*, operation=READ, permissionType=ALLOW)
(principal=User:cruisecontrol, host=*, operation=CREATE, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=TRANSACTIONAL_ID, name=cruisecontrol., patternType=PREFIXED)`:
(principal=User:cruisecontrol, host=*, operation=WRITE, permissionType=ALLOW)
(principal=User:cruisecontrol, host=*, operation=DESCRIBE, permissionType=ALLOW)
With these ACLs I'm able to write metrics from the metrics exporter on brokers, read them in Cruise Control, and execute rebalances and other administrative actions from the CC UI.
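A check of a `kafka-acls --list` dump against the permissions named in this thread (DESCRIBE on all topics, DESCRIBE and ALTER on the cluster), as an added example that is not code from the thread or from the Cruise Control project. It assumes the principal and the `kafka-cluster` resource name shown above; the sample input is a constructed subset of the listing.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the ACL listing quoted in the thread.
SAMPLE = """\
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=*, patternType=LITERAL)`:
(principal=User:cruisecontrol, host=*, operation=DESCRIBE, permissionType=ALLOW)
(principal=User:cruisecontrol, host=*, operation=DESCRIBE_CONFIGS, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=CLUSTER, name=kafka-cluster, patternType=LITERAL)`:
(principal=User:cruisecontrol, host=*, operation=ALTER, permissionType=ALLOW)
(principal=User:cruisecontrol, host=*, operation=DESCRIBE, permissionType=ALLOW)
"""

# Requirements as stated in the thread (an assumption, not an official list).
REQUIRED = {
    ("TOPIC", "*", "LITERAL"): {"DESCRIBE"},
    ("CLUSTER", "kafka-cluster", "LITERAL"): {"DESCRIBE", "ALTER"},
}

RESOURCE_RE = re.compile(
    r"ResourcePattern\(resourceType=(\w+), name=(.+?), patternType=(\w+)\)")
ENTRY_RE = re.compile(
    r"\(principal=(\S+), host=(\S+), operation=(\w+), permissionType=(\w+)\)")

def parse_acls(text, principal):
    """Map (type, name, patternType) -> set of ALLOWed operations for principal."""
    allowed = defaultdict(set)
    resource = None
    for line in text.splitlines():
        m = RESOURCE_RE.search(line)
        if m:                      # header line: switch the current resource
            resource = m.groups()
            continue
        m = ENTRY_RE.search(line)
        if m and resource and m.group(1) == principal and m.group(4) == "ALLOW":
            allowed[resource].add(m.group(3))
    return dict(allowed)

def missing_permissions(text, principal="User:cruisecontrol"):
    """Return {resource: missing operations}; empty dict means nothing is missing.
    Literal comparison only: implied operations and DENY entries are not modelled."""
    allowed = parse_acls(text, principal)
    gaps = {}
    for resource, ops in REQUIRED.items():
        lacking = ops - allowed.get(resource, set())
        if lacking:
            gaps[resource] = lacking
    return gaps

if __name__ == "__main__":
    print(missing_permissions(SAMPLE) or "all required ACLs present")
```
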
Thanks a lot @Ubun1 !!!! This is exactly what I need to know!!!
Hi! I've both a TLS SASL/Scram Kafka secure cluster and a TLS SASL/Digest Zookeeper secure ensemble. Additionally, Kafka is configured with `zookeeper.set.acl=true`, so all znodes created by the cluster are protected. So, in order to execute optimizations and rebalances with Cruise Control:
Thanks!