search

seglo / kafka-lag-exporter

Monitor Kafka Consumer Group Latency with Kafka Lag Exporter
Apache License 2.0
651 stars 191 forks source link

list out permissions #42

Closed pimpelsang closed 4 years ago

pimpelsang commented 5 years ago

Which ACL permissions kafka-lag-exporter kafka account requires?

pimpelsang commented 5 years ago

answering myself, whoever needs it in future.

It needs DESCRIBE on group and cluster level. Like this: kafka-acls --add --allow-principal User:kafka-lag-exporter --operation DESCRIBE --group '*' --cluster

seglo commented 5 years ago

Thanks @pimpelsang . I'll add this to the docs in the next release.

endofcake commented 4 years ago

@pimpelsang, looks like it also needs DESCRIBE on topics. The final ACLs that worked for me are:

ACLs for principal `User:kafka-lag-exporter`
Current ACLs for resource `Cluster:LITERAL:kafka-cluster`: 
    User:kafka-lag-exporter has Allow permission for operations: Describe from hosts: * 

Current ACLs for resource `Group:LITERAL:*`: 
    User:kafka-lag-exporter has Allow permission for operations: Describe from hosts: * 

Current ACLs for resource `Topic:LITERAL:*`: 
    User:kafka-lag-exporter has Allow permission for operations: Describe from hosts: *

The command can look like:

kafka-acls --add --allow-principal "User:kafka-lag-exporter" --operation DESCRIBE --group '*' --topic '*' --cluster
seglo commented 4 years ago

I finally got around to this in #152. Thank you.