1

I am using Kafka's default ACL authorizer, but recently I came across the topic of custom ACL authorizers.

I did check for that, but couldn't find many details on it. I would like to understand:

  1. Isn't the default ACL authorizer good enough to use in production?
  2. Is there any example which I can refer to, to understand what a custom ACL authorizer should do?

Thanks!

Giorgos Myrianthous
Tushar H

1 Answer

3

1) Yes, you can run the default Authorizer in production.

2) Kafka allows administrators to plug in a custom Authorizer implementation. This allows storing ACLs in a system other than Zookeeper.

For example, most Cloud providers have Identity and Access Management (IAM). In this case, it's possible to reuse this IAM service to store and manage Kafka ACLs and write an Authorizer that uses ACLs from IAM instead of Zookeeper.

More generally, with a custom Authorizer, you can write any authorization rules you want. As a custom Authorizer can access the Session's Principal, this allows building very flexible and powerful rules when combined with a custom PrincipalBuilder (principal.builder.class).

Mickael Maison
  • Thanks @Mickael. In the kafka-acls.sh syntax I saw that we can assign an ACL rule to a user. Instead of this, I want to assign an ACL rule to a specific user group; is it possible? – Tushar H Jun 19 '19 at 12:33
  • With the default authorizer I'm not sure, but you can do that with a custom authorizer and principal builder. – Mickael Maison Jul 01 '19 at 10:29
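The combination of custom PrincipalBuilder and custom Authorizer described in the answer, applied to the group question from the comments, as an added example that is not code from the answer or from Kafka. It uses the kafka-clients `KafkaPrincipalBuilder` interface; `GroupPrincipal`, `CertGroupPrincipalBuilder`, `READ_ACLS` and `mayRead` are hypothetical names, and treating each certificate OU as a group is an assumption. The Authorizer class itself is left out because its interface differs between Kafka versions; its authorize method would delegate to `mayRead`.

```java
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLPeerUnverifiedException;
import org.apache.kafka.common.security.auth.*;

// Hypothetical principal that carries the groups read from the client certificate.
class GroupPrincipal extends KafkaPrincipal {
    final Set<String> groups;
    GroupPrincipal(String name, Set<String> groups) {
        super(KafkaPrincipal.USER_TYPE, name);
        this.groups = Set.copyOf(groups);
    }
}

// Configured through principal.builder.class; assumes mutual TLS on the listener.
public class CertGroupPrincipalBuilder implements KafkaPrincipalBuilder {
    @Override
    public KafkaPrincipal build(AuthenticationContext context) {
        if (!(context instanceof SslAuthenticationContext)) return KafkaPrincipal.ANONYMOUS;
        try {
            return fromDn(((SslAuthenticationContext) context).session().getPeerPrincipal().getName());
        } catch (SSLPeerUnverifiedException | InvalidNameException e) {
            return KafkaPrincipal.ANONYMOUS; // no verified certificate: no identity, no groups
        }
    }

    // Assumption of this example: CN is the user name, every OU is a group.
    static GroupPrincipal fromDn(String dn) throws InvalidNameException {
        String cn = null;
        Set<String> groups = new HashSet<>();
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if (rdn.getType().equalsIgnoreCase("CN")) cn = rdn.getValue().toString();
            if (rdn.getType().equalsIgnoreCase("OU")) groups.add(rdn.getValue().toString());
        }
        if (cn == null) throw new InvalidNameException("certificate subject has no CN");
        return new GroupPrincipal(cn, groups);
    }

    // Constructed sample rules: group -> topics its members may read.
    static final Map<String, Set<String>> READ_ACLS = Map.of("analytics", Set.of("clickstream"));
    // Decision a custom Authorizer could delegate to; anything not matched is denied.
    static boolean mayRead(KafkaPrincipal principal, String topic) {
        if (!(principal instanceof GroupPrincipal)) return false;
        for (String group : ((GroupPrincipal) principal).groups)
            if (READ_ACLS.getOrDefault(group, Set.of()).contains(topic)) return true;
        return false;
    }
}
```

Because the groups come from the certificate subject, membership is only as trustworthy as the CA issuing client certificates, and changing a user's groups means reissuing the certificate.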