Kafka ACL groups
If an external Kafka client connects via the Kafka Proxy, it receives the full set of permissions granted to the tenant by default. As a consequence, the external Kafka client can access all the Kafka topics (of type “scratch”) and DSH streams that the tenant can access, which is broader than most clients need. Using ACL Groups, you can restrict this access.
The mechanism works as follows:
- In the Tenant Management API, you can limit the Kafka topics of type “scratch” and DSH streams that an external Kafka client can access:
  - You can activate the “ACL Groups” mechanism for the Kafka Proxy via the “enableKafkaAclGroups” key in its configuration.
  - You can create, edit and delete ACL Groups.
- If you have activated the “ACL Groups” mechanism and created ACL Groups, a Kafka client can only gain access to topics and DSH streams if it presents the correct ID of an ACL Group in the “OU” field of its client certificate.
- The permissions of the external Kafka client are the intersection of the tenant’s permissions and the permissions in the ACL Group.
- An ACL Group consists of the following:
  - A unique ID
  - An array of Kafka topics (of type “scratch”) and DSH streams that an external Kafka client can read from
  - An array of Kafka topics (of type “scratch”) and DSH streams that an external Kafka client can write to
- See Kafka Proxy for more information about the exact mechanism.
Warning
ACL Groups are very powerful, and it’s recommended to only use them if you’re aware of the consequences and risks:
- They can greatly improve the security of the Kafka Proxy and external Kafka clients.
- At the same time, the mechanism fails silently if you set it up incorrectly.
- Possible points of failure are the permissions in the ACL Group, the contents of the “OU” field in the client certificate, and the intersection of the tenant’s permissions and the permissions in the ACL Group.
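The following dry-run check is an added example, not part of the DSH documentation or its API: it models the rules above (the OU field selects the ACL Group, the client receives the intersection of the group’s and the tenant’s permissions) and reports the silent-failure points the warning lists. The field names, the DN layout and the assumption that a client keeps the tenant’s permissions when no ACL Groups are active are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AclGroup:
    id: str                          # unique ID, expected in the client certificate's OU field
    read: frozenset = frozenset()    # scratch topics / DSH streams the client may read from
    write: frozenset = frozenset()   # scratch topics / DSH streams the client may write to


@dataclass(frozen=True)
class Decision:
    read: frozenset
    write: frozenset
    dropped: frozenset      # named in the ACL Group but not granted to the tenant: silently ignored
    reason: Optional[str]   # set when the client ends up with no access at all


def ou_from_dn(dn: str) -> Optional[str]:
    """Return the OU attribute of an RFC 4514-style subject DN, or None if absent."""
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.strip().upper() == "OU":
            return value.strip()
    return None


def effective_permissions(tenant_read, tenant_write, groups, enabled, subject_dn) -> Decision:
    """OU selects the ACL Group; the client gets the group's permissions intersected with the tenant's."""
    t_read, t_write = frozenset(tenant_read), frozenset(tenant_write)
    if not enabled or not groups:
        # Assumption: with the mechanism off or no groups defined, the tenant's permissions apply.
        return Decision(t_read, t_write, frozenset(), None)
    ou = ou_from_dn(subject_dn)
    group = next((g for g in groups if g.id == ou), None)
    if group is None:
        return Decision(frozenset(), frozenset(), frozenset(), f"OU {ou!r} matches no ACL Group")
    read, write = group.read & t_read, group.write & t_write
    dropped = (group.read - t_read) | (group.write - t_write)
    reason = None if read or write else f"ACL Group {group.id!r} shares no permissions with the tenant"
    return Decision(read, write, dropped, reason)


if __name__ == "__main__":
    # Constructed tenant permissions and ACL Groups for a dry run.
    tenant_r, tenant_w = {"scratch.orders", "stream.events"}, {"scratch.orders"}
    groups = [AclGroup("grp-readers", read=frozenset({"scratch.orders", "stream.events"})),
              AclGroup("grp-legacy", read=frozenset({"scratch.old"}), write=frozenset({"scratch.old"}))]
    for dn in ("CN=c1,OU=grp-readers,O=t", "CN=c2,OU=grp-reader,O=t", "CN=c3,OU=grp-legacy,O=t"):
        print(dn, "->", effective_permissions(tenant_r, tenant_w, groups, True, dn))
```

Running it before rolling out a certificate shows whether a typo in the OU or a group that names topics the tenant does not hold would leave the client with no access, which the proxy itself will not report.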
Limit
The DSH imposes the following limit on ACL Groups:
- Maximum number of Kafka ACL Groups: The maximum number of ACL Groups that your tenant can contain. The default limit is “10”.
You can request a new limit:
- Click the “Support” button in the menu bar of the DSH Console. Log in to the DSH Support Portal if necessary.
- Click “New support ticket” next to the search bar.
- Fill out the following fields:
  - Tenant: Enter the name of your tenant.
  - Platform: In the dropdown menu, select the platform that you want to request ACL Groups for.
  - Requester: Enter your email address, or use the prefilled address of your account for the DSH Support Portal.
  - Company: In the dropdown menu, select the company that you request the ACL Groups for.
  - Subject: Enter ‘Request new limit for Kafka ACL Groups’.
  - Contents: Provide the necessary information, and don’t forget to mention the number of ACL Groups that you want to request.
  - Attach a file: Optionally, you can provide the information in a file and attach it to the ticket.
- Click “Submit” to send the request. A platform administrator will process it.
Managing ACL Groups
All management of ACL Groups takes place via the Tenant Management API.