Closed raje143r closed 2 years ago
In general, you have two options:
Thanks for your response. The above two options are restricted to the connection. But is there any configuration to send messages to a specific topic? For example: I have 5 topics, TestTopic1, TestTopic2, TestTopic3, TestTopic4 and TestTopic5, and I allocated TestTopic3 to my REST client. So I have to restrict my REST client to publish messages only to TestTopic3, and my REST client should get an error (like: not authorized to publish message, etc.) if it tries to send to any other topic (TestTopic1, TestTopic2, TestTopic4, TestTopic5).
Thanks in advance
I think you can achieve that with both of the options for producing and consuming. The main difference is that if you use the first method and use Kafka authorization, anyone who can connect to the HTTP Bridge will be able to send to TestTopic3. With the second method, you can control that for example userA can send to TestTopic3 and userB can send to TestTopic5. So it allows you to do more, but it will be harder to set up.
For the first option, you just need to configure the authentication in the Bridge and authentication and authorization in your Kafka cluster. If you use Strimzi also for your Kafka cluster, you can check the security examples here: https://github.com/strimzi/strimzi-kafka-operator/tree/main/examples/security
Thanks for the information. Currently authentication is enabled, and I believe we can control producing messages to a specific topic by defining resource/name and resource/value along with the operation in the Kafka Bridge YAML. For example:

```
Resource:
  Name: topic
  Topic: TestTopic3
  Operation: write
```

Thanks in advance
You cannot do that in the Kafka bridge. That has to be configured for the user used by the Bridge.
Thanks Jakub for your quick reply. I referred to bridge.yaml; it has both KafkaUser and KafkaBridge configured. That will help.
Thanks in advance
Right, it is in the bridge.yaml. But the KafkaUser configures the Kafka cluster - not the bridge. You can just deploy the resources together.
Thanks Jakub
Hi Jakub,
Sorry for the delay in response. We have tried adding the KafkaUser and KafkaBridge, but we were still able to create a topic and write to that specific topic even though no operation is declared for it. Below is my KafkaUser YAML:

```yaml
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  name: my-kafkuser
  labels:
    strimzi.io/cluster: my-cluster
spec:
  authorization:
    type: simple
    acls:
      # Change to match the topics used by your HTTP clients
      - resource:
          type: group
          name: my-group
        operation: Read
      - resource:
          type: topic
          name: testing-topic
        operation: Read
      - resource:
          type: topic
          name: testing-topic
        operation: Describe
```
1) Do I need to set up anything in the server.properties of the broker, like below?

```
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
allow.everyone.if.no.acl.found=true
```

2) How will the KafkaUser validate the user if a message is published to testing-topic?
Thanks in advance
You need to enable authorization and authentication in the Kafka cluster and use the authentication in the Kafka Bridge. You did not share the custom resources for those, so it is hard to say if you have everything correct or not. We have security examples with authentication and authorization here on GitHub -> so you can check the code there.
Also, when sharing the resources, you have to properly format them as code. Without it, it is not clear if the resource is correct or not -> for example with the KafkaUser above, nobody can see if the whitespaces and indentation are correct.
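As an added illustration of the answer above (not resources from the issue or from the Strimzi project), the three pieces it refers to: the Kafka cluster turns on listener authentication and `simple` authorization and runs the User Operator, the KafkaUser `bridge-user` (a name chosen here) carries the ACLs, and the KafkaBridge connects as that user. Only the relevant parts of the Kafka spec are shown; replicas, storage and the rest of an existing cluster spec are assumed to stay as they are.

```yaml
apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: my-cluster
spec:
  kafka:
    listeners:
      - name: tls
        port: 9093
        type: internal
        tls: true
        authentication:
          type: scram-sha-512   # every client, the Bridge included, must authenticate
    authorization:
      type: simple              # ACL authorizer; a request with no matching ACL is denied
  entityOperator:
    userOperator: {}            # without it, KafkaUser resources are never applied to the cluster
---
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  name: bridge-user             # hypothetical name chosen for this example
  labels:
    strimzi.io/cluster: my-cluster
spec:
  authentication:
    type: scram-sha-512
  authorization:
    type: simple
    acls:
      # Producing needs Write and Describe on the topic. No Create (so the Bridge cannot create topics) and no rule for TestTopic1/2/4/5.
      - resource: {type: topic, name: TestTopic3, patternType: literal}
        operation: Write
      - resource: {type: topic, name: TestTopic3, patternType: literal}
        operation: Describe
---
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaBridge
metadata:
  name: my-bridge
spec:
  bootstrapServers: my-cluster-kafka-bootstrap:9093
  tls:
    trustedCertificates: [{secretName: my-cluster-cluster-ca-cert, certificate: ca.crt}]
  authentication:
    type: scram-sha-512
    username: bridge-user
    passwordSecret: {secretName: bridge-user, password: password}   # Secret the User Operator creates for the KafkaUser above
  http:
    port: 8080
```

With this, a produce request through the Bridge to TestTopic3 is authorized, while one to any other topic is rejected by the broker because no ACL matches; since every HTTP client of the Bridge acts as `bridge-user`, per-client distinctions need the second option from the earlier reply.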
Hi, could you please suggest if there is a way to restrict access/publishing to a specific topic (for example TestTopic) only, so that even executing the GET method to list topics returns only that specific topic. Thanks in advance