linkedin / cruise-control

Cruise-control is the first of its kind to fully automate the dynamic workload rebalance and self-healing of a Kafka cluster. It provides great value to Kafka users by simplifying the operation of Kafka clusters.
BSD 2-Clause "Simplified" License

Cruise Control user permissions on a secured Kafka Cluster #1462

Closed marcojck closed 3 years ago

marcojck commented 3 years ago

Hi! I have both a TLS SASL/SCRAM secured Kafka cluster and a TLS SASL/Digest secured ZooKeeper ensemble. Additionally, Kafka is configured with `zookeeper.set.acl=true`, so all znodes created by the cluster are protected.

So, in order to execute optimizations and rebalances with Cruise Control:

Thanks!

Ubun1 commented 3 years ago

https://github.com/linkedin/cruise-control/issues/1413 - maybe this issue could be helpful for you

marcojck commented 3 years ago

> 1413 - maybe this issue could be helpful for you

Hi! Yes, some helpful information indeed! But unfortunately, this issue doesn't mention anything about which permissions CC needs in order to execute cluster optimizations, such as partition rebalance...

Thanks anyway!

Ubun1 commented 3 years ago

Additionally, it's necessary for the CC ACL user to have DESCRIBE permissions for all topics. For rebalance execution, the CC ACL user should have DESCRIBE and ALTER permissions on the CLUSTER resource too.

Ubun1 commented 3 years ago

@marcojck, my current ACL list for the CC user `cruisecontrol`:

```text
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=*, patternType=LITERAL)`:
    (principal=User:cruisecontrol, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:cruisecontrol, host=*, operation=DESCRIBE_CONFIGS, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=__CruiseControlMetrics, patternType=LITERAL)`:
    (principal=User:cruisecontrol, host=*, operation=READ, permissionType=ALLOW)
    (principal=User:cruisecontrol, host=*, operation=WRITE, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=cruisecontrol., patternType=PREFIXED)`:
    (principal=User:cruisecontrol, host=*, operation=READ, permissionType=ALLOW)
    (principal=User:cruisecontrol, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:cruisecontrol, host=*, operation=DELETE, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=CLUSTER, name=kafka-cluster, patternType=LITERAL)`:
    (principal=User:cruisecontrol, host=*, operation=ALTER, permissionType=ALLOW)
    (principal=User:cruisecontrol, host=*, operation=IDEMPOTENT_WRITE, permissionType=ALLOW)
    (principal=User:cruisecontrol, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:cruisecontrol, host=*, operation=DESCRIBE_CONFIGS, permissionType=ALLOW)
    (principal=User:cruisecontrol, host=*, operation=CREATE, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=__KafkaCruiseControlPartitionMetricSamples, patternType=LITERAL)`:
    (principal=User:cruisecontrol, host=*, operation=WRITE, permissionType=ALLOW)
    (principal=User:cruisecontrol, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:cruisecontrol, host=*, operation=READ, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=__KafkaCruiseControlModelTrainingSamples, patternType=LITERAL)`:
    (principal=User:cruisecontrol, host=*, operation=WRITE, permissionType=ALLOW)
    (principal=User:cruisecontrol, host=*, operation=READ, permissionType=ALLOW)
    (principal=User:cruisecontrol, host=*, operation=DESCRIBE, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=cruisecontrol., patternType=PREFIXED)`:
    (principal=User:cruisecontrol, host=*, operation=WRITE, permissionType=ALLOW)
    (principal=User:cruisecontrol, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:cruisecontrol, host=*, operation=DELETE, permissionType=ALLOW)
    (principal=User:cruisecontrol, host=*, operation=DESCRIBE_CONFIGS, permissionType=ALLOW)
    (principal=User:cruisecontrol, host=*, operation=READ, permissionType=ALLOW)
    (principal=User:cruisecontrol, host=*, operation=CREATE, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=TRANSACTIONAL_ID, name=cruisecontrol., patternType=PREFIXED)`:
    (principal=User:cruisecontrol, host=*, operation=WRITE, permissionType=ALLOW)
    (principal=User:cruisecontrol, host=*, operation=DESCRIBE, permissionType=ALLOW)
```

With these ACLs I'm able to write metrics from the metrics exporter on the brokers, read them on Cruise Control, and execute rebalances and other administrative actions from the CC UI.
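The ACL set listed in the comment above, expressed as the `kafka-acls.sh` calls that create it (one `--add` per resource, all scoped to `User:cruisecontrol`). This is an added example, not code from the issue or from the cruise-control project; the bootstrap address, the admin client properties file (which carries the SASL/SCRAM and TLS client settings) and the `kafka-acls.sh` location are placeholders for your own environment.

```shell
#!/bin/sh
# Added example, not code from the issue or from cruise-control itself:
# recreates the ACL set above with kafka-acls.sh, one --add call per resource.
# BOOTSTRAP, ADMIN_PROPS and the kafka-acls.sh path are assumed placeholders.
set -eu

BOOTSTRAP="${BOOTSTRAP:-broker-1.example.internal:9093}"
ADMIN_PROPS="${ADMIN_PROPS:-/etc/kafka/admin-client.properties}"
KAFKA_ACLS="${KAFKA_ACLS:-kafka-acls.sh}"   # set to "echo" for a dry run
PRINCIPAL="User:cruisecontrol"

# grant RESOURCE_FLAG NAME PATTERN_TYPE OP...   (NAME is empty for --cluster)
grant() {
  res_flag=$1; res_name=$2; pattern=$3; shift 3
  ops=""
  for op in "$@"; do ops="$ops --operation $op"; done
  # shellcheck disable=SC2086  # $ops is intentionally word-split
  "$KAFKA_ACLS" --bootstrap-server "$BOOTSTRAP" --command-config "$ADMIN_PROPS" \
    --add --allow-principal "$PRINCIPAL" --allow-host '*' \
    --resource-pattern-type "$pattern" $ops "$res_flag" ${res_name:+"$res_name"}
}

apply_cruise_control_acls() {
  # Metadata/config visibility on every topic; no READ, so CC cannot consume user data.
  grant --topic '*' literal Describe DescribeConfigs
  # The metric exporter on the brokers writes here; CC consumes it.
  grant --topic __CruiseControlMetrics literal Read Write
  grant --topic __KafkaCruiseControlPartitionMetricSamples literal Read Write Describe
  grant --topic __KafkaCruiseControlModelTrainingSamples literal Read Write Describe
  # CC's own topics, consumer groups and transactional ids share the "cruisecontrol." prefix.
  grant --topic cruisecontrol. prefixed Read Write Describe DescribeConfigs Create Delete
  grant --group cruisecontrol. prefixed Read Describe Delete
  grant --transactional-id cruisecontrol. prefixed Write Describe
  # Cluster-level rights: ALTER is what partition reassignment needs.
  grant --cluster '' literal Alter IdempotentWrite Describe DescribeConfigs Create
}

# Read back what the authorizer holds for the principal, to verify after applying.
list_cruise_control_acls() {
  "$KAFKA_ACLS" --bootstrap-server "$BOOTSTRAP" --command-config "$ADMIN_PROPS" \
    --list --principal "$PRINCIPAL"
}

if [ "${CC_ACL_APPLY:-0}" = 1 ]; then
  apply_cruise_control_acls
  list_cruise_control_acls
fi
```

Run with `CC_ACL_APPLY=1` to apply and then list the result; with `KAFKA_ACLS=echo` the script only prints the commands it would run.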

marcojck commented 3 years ago

Thanks a lot @Ubun1 !!!! This is exactly what I need to know!!!