tchiotludo / akhq

Kafka GUI for Apache Kafka to manage topics, topics data, consumers group, schema registry, connect and more...
https://akhq.io/
Apache License 2.0

Which ACLs are required for the KafkaUser used by AKHQ to access the Kafka cluster? #993

Open thibthibus opened 2 years ago

thibthibus commented 2 years ago

Hi,

I can't find in the documentation the requirements regarding the ACLs for the KafkaUser used by AKHQ to access the Kafka cluster. In our experiments we ended up with this configuration:

    acls:
      # Add read access to relevant topics here
      - resource:
          type: topic
          name: ch-kafka-example.topic
          patternType: literal
        operation: Read
      - resource:
          type: topic
          name: ch-kafka-example.topic
          patternType: literal
        operation: DescribeConfigs
      # Cluster permission is necessary for AKHQ
      - resource:
          type: cluster
          name: cluster-main
          patternType: literal
        operation: Describe
      # Consumer Groups
      - resource:
          type: group
          name: '*'
          patternType: literal
        operation: Describe
      # KafkaAKHQConsumer
      - resource:
          type: group
          name: akhq-consumer
          patternType: prefix
        operation: Read

I don't understand, however, why the last 2 ACLs are required. I tried to remove the Describe ConsumerGroup '*' and replace it with a more restrictive permission (only to a specific consumer group prefix), but it gives an error in AKHQ as apparently it tries to go through all available consumer groups. Regarding the last one, I wonder if it is really required, as I don't see this consumer group at all... (but maybe it's hidden by default in AKHQ)

As we want to give more permissions on some AKHQ instances, we need to be sure that the users will only see the topics & consumer groups for which they're authorized.

Thanks for your help on this

Thibaut
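To make the least-privilege question above mechanically checkable, here is an added example (not part of the issue, and not AKHQ's or Strimzi's own code) that audits a KafkaUser-style ACL list: it mirrors the YAML from the comment as Python dicts (a constructed copy, to avoid a YAML dependency), flags every resource whose scope is broader than one literal name (wildcard `'*'` or `prefix`), and reports topics that are missing either of the two operations the comment pairs together (`Read` and `DescribeConfigs`). The required-operation list and the notion of "broad" are this example's assumptions, not a statement of what AKHQ needs.

```python
"""Audit a Strimzi-style KafkaUser ACL list for scope and completeness."""
from collections import defaultdict

# Constructed copy of the ACL list from the issue (same resources, names,
# pattern types and operations), expressed as dicts instead of YAML.
ACLS = [
    {"resource": {"type": "topic", "name": "ch-kafka-example.topic",
                  "patternType": "literal"}, "operation": "Read"},
    {"resource": {"type": "topic", "name": "ch-kafka-example.topic",
                  "patternType": "literal"}, "operation": "DescribeConfigs"},
    {"resource": {"type": "cluster", "name": "cluster-main",
                  "patternType": "literal"}, "operation": "Describe"},
    {"resource": {"type": "group", "name": "*",
                  "patternType": "literal"}, "operation": "Describe"},
    {"resource": {"type": "group", "name": "akhq-consumer",
                  "patternType": "prefix"}, "operation": "Read"},
]

# Assumed pairing of topic operations, taken from the issue's own config.
REQUIRED_TOPIC_OPS = ("Read", "DescribeConfigs")


def _key(acl):
    """Resource identity tuple: (type, name, patternType)."""
    r = acl["resource"]
    return (r["type"], r["name"], r["patternType"])


def index_acls(acls):
    """Group the granted operations by resource."""
    idx = defaultdict(set)
    for acl in acls:
        idx[_key(acl)].add(acl["operation"])
    return idx


def find_broad_resources(acls):
    """Resources that match more than one literal name: '*' or a prefix."""
    broad = {
        _key(acl) for acl in acls
        if acl["resource"]["name"] == "*"
        or acl["resource"]["patternType"] == "prefix"
    }
    return sorted(broad)


def topics_missing_ops(acls, required=REQUIRED_TOPIC_OPS):
    """Map topic name -> operations from `required` that are not granted."""
    missing = {}
    for (rtype, name, _pt), ops in index_acls(acls).items():
        if rtype != "topic":
            continue
        gap = sorted(set(required) - ops)
        if gap:
            missing[name] = gap
    return missing


def audit(acls):
    """Summary a reviewer can diff against the intended scope of the user."""
    return {
        "broad_resources": find_broad_resources(acls),
        "topics_missing_ops": topics_missing_ops(acls),
        "resource_count": len(index_acls(acls)),
    }


if __name__ == "__main__":
    report = audit(ACLS)
    for entry in report["broad_resources"]:
        print("broad scope:", entry)
    for topic, gap in report["topics_missing_ops"].items():
        print("topic", topic, "lacks", gap)
    print("distinct resources:", report["resource_count"])
```

Run against the issue's list, the two entries the comment asks about (group `*` and the `akhq-consumer` prefix) are exactly the ones reported as broad scope, which is the set a reviewer would want to justify before widening permissions on an instance.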

thibthibus commented 2 years ago

Maybe this is redundant with Issue #908 ...

tchiotludo commented 2 years ago

Maybe also, but maybe one of you can add the documentation? To be honest, I always use an allow-all user to connect to Kafka. If someone can add the doc, I will be grateful.

thibthibus commented 2 years ago

Hi Ludovic,

OK, I understand; we specifically need to restrict these admin features of AKHQ. Where would you see this part in the existing doc? I can try to contribute, for sure.

Regards,

Thibaut

tchiotludo commented 2 years ago

There is no existing page on that for now ;) You have a full white page for you :smile: