
Do we have any Python client for managing Kafka ACLs? I know we have the Java Admin client, and the same can be performed using Kafka scripts (kafka-acl.sh), but I cannot find one for a Python client. The confluent python library doesn't support it. I came across kafka-python, but as per the documentation it doesn't support creating ACLs for existing topics.

Vikash Mishra
You could always use `os.subprocess` to call existing Kafka CLI commands. But I think it'd be a better idea to externalize the ACLs to a different solution like Apache Ranger or openpolicyagent – OneCricketeer May 23 '22 at 12:27

1 Answer

Use the kafka-python lib.

Configure ACLs. To add new ones, for example:

User user1 has read access to topic2 and the group2 group (consumer)

User user2 has write permission on topic2 (producer)

```python
from kafka.admin import KafkaAdminClient, ACLPermissionType, ResourcePattern, ResourceType, ACL, ACLOperation, ACLFilter

brokers = 'localhost:9092'

admin = KafkaAdminClient(
    bootstrap_servers=brokers,
    security_protocol='SASL_PLAINTEXT',
    sasl_mechanism='SCRAM-SHA-512',
    sasl_plain_username='admin',      # your privileged user
    sasl_plain_password='admin12345'  # password
)

acl1 = ACL(
    principal="User:user1",
    host="*",
    operation=ACLOperation.READ,
    permission_type=ACLPermissionType.ALLOW,
    resource_pattern=ResourcePattern(ResourceType.TOPIC, 'topic2')
)
acl2 = ACL(
    principal="User:user1",
    host="*",
    operation=ACLOperation.READ,
    permission_type=ACLPermissionType.ALLOW,
    resource_pattern=ResourcePattern(ResourceType.GROUP, 'group2')
)
acl3 = ACL(
    principal="User:user2",
    host="*",
    operation=ACLOperation.WRITE,
    permission_type=ACLPermissionType.ALLOW,
    resource_pattern=ResourcePattern(ResourceType.TOPIC, 'topic2')
)

acls_result = admin.create_acls([acl1, acl2, acl3])
print(acls_result)
```

Delete ACLs:

```python
from kafka.admin import KafkaAdminClient, ACLPermissionType, ResourcePattern, ResourceType, ACL, ACLOperation, ACLFilter

brokers = 'localhost:9092'

admin = KafkaAdminClient(
    bootstrap_servers=brokers,
    security_protocol='SASL_PLAINTEXT',
    sasl_mechanism='SCRAM-SHA-512',
    sasl_plain_username='admin',      # your privileged user
    sasl_plain_password='admin12345'  # password
)

delete_acls = admin.delete_acls(
    [
        ACLFilter(principal='User:user1',
                  host='*',
                  operation=ACLOperation.ANY,
                  permission_type=ACLPermissionType.ANY,
                  resource_pattern=ResourcePattern(ResourceType.TOPIC, 'topic2')),
        ACLFilter(principal='User:user1',
                  host='*',
                  operation=ACLOperation.ANY,
                  permission_type=ACLPermissionType.ANY,
                  resource_pattern=ResourcePattern(ResourceType.GROUP, 'group2'))
    ]
)

print(delete_acls)
```

In the array submitted to admin.delete_acls, you can write multiple ACLFilters to find the ACLs to delete.

Describe ACLs:

```python
# Reuses `admin` and the kafka.admin imports from the blocks above.
acl_filter = ACLFilter(
    principal=None,
    host='*',
    operation=ACLOperation.ANY,
    permission_type=ACLPermissionType.ANY,
    resource_pattern=ResourcePattern(ResourceType.TOPIC, 'topic2')
)

result = admin.describe_acls(acl_filter)
print(result)
```
ainy
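An added example, not part of the answer above and not kafka-python code: a broker-free dry run of what the delete filters in that answer would remove. It assumes Kafka's filter matching rules (ANY is a wildcard for operation, permission type and resource type; None is a wildcard for principal, host and name; any other value, including host `'*'`, is compared literally) and models only literal resource names. `Binding`, `filter_matches`, `preview_delete` and the sample bindings are constructed for illustration.

```python
from collections import namedtuple

# Stand-in for the fields of the ACL / ACLFilter objects used above, so this
# runs without a broker. All names and sample bindings here are constructed.
Binding = namedtuple("Binding", "principal host operation permission resource_type name")
ENUM_FIELDS = {"operation", "permission", "resource_type"}

def filter_matches(acl_filter, binding):
    """Assumed matching rules: ANY is a wildcard for enum fields, None for
    string fields; every other value, including host '*', must be equal."""
    for field in Binding._fields:
        wanted, actual = getattr(acl_filter, field), getattr(binding, field)
        wildcard = wanted == "ANY" if field in ENUM_FIELDS else wanted is None
        if not wildcard and wanted != actual:
            return False
    return True

def preview_delete(filters, current):
    """Split the current bindings into (would_delete, would_remain)."""
    doomed = [b for b in current if any(filter_matches(f, b) for f in filters)]
    return doomed, [b for b in current if b not in doomed]

# Constructed cluster state: the three grants from the answer, plus a DENY
# guard and a host-specific grant an operator might have added later.
CURRENT = [
    Binding("User:user1", "*", "READ", "ALLOW", "TOPIC", "topic2"),
    Binding("User:user1", "*", "READ", "ALLOW", "GROUP", "group2"),
    Binding("User:user1", "*", "DELETE", "DENY", "TOPIC", "topic2"),
    Binding("User:user1", "10.0.0.5", "DESCRIBE", "ALLOW", "TOPIC", "topic2"),
    Binding("User:user2", "*", "WRITE", "ALLOW", "TOPIC", "topic2"),
]

# The two filters from the answer's delete call, expressed as plain tuples.
PAGE_FILTERS = [
    Binding("User:user1", "*", "ANY", "ANY", "TOPIC", "topic2"),
    Binding("User:user1", "*", "ANY", "ANY", "GROUP", "group2"),
]

# A narrower filter that targets exactly one grant.
NARROW_FILTERS = [Binding("User:user1", "*", "READ", "ALLOW", "TOPIC", "topic2")]

if __name__ == "__main__":
    for label, filters in (("page filters", PAGE_FILTERS), ("narrow filter", NARROW_FILTERS)):
        doomed, kept = preview_delete(filters, CURRENT)
        print(label, "-> delete", len(doomed), "keep", len(kept))
        for b in doomed:
            print("   would delete:", b)
```

Against a live cluster the same preview comes from passing each delete filter to `admin.describe_acls` first and reviewing the result before calling `admin.delete_acls`.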