AclCommand Administration Utility

AclCommand is an administration utility for ACL management using the AdminClient API.

AclCommand is executed using the kafka-acls.sh shell script.

Table 1. Options
Option Description

add

Adding ACLs

allow-host

Host from which principals listed in --allow-principal will have access

* indicates access allowed from all hosts

deny-host

Host from which principals listed in --deny-principal will be denied access

* indicates access denied from all hosts

allow-principal

Principal is in principalType:name format

authorizer

Fully-qualified class name of the Authorizer

authorizer-properties

(required) key=val pairs to configure the authorizer

bootstrap-server

(required) Brokers to connect to as a comma-separated list of host:port URLs

cluster

Add/Remove cluster ACLs

command-config

Property file with configs to be passed to Admin Client

consumer

Convenience option to add/remove ACLs for consumer role that generates ACLs that allow READ,DESCRIBE on topic and READ on group

delegation-token

Delegation token to which ACLs should be added or removed

* indicates all tokens

deny-principal

Principal is in principalType:name format

force

Assume Yes to all queries and do not prompt

group

Consumer Group to which the ACLs should be added or removed

* indicates all groups

help

Prints usage information

idempotent

Enables idempotence for the producer

Used in combination with the --producer option

Idempotence is enabled automatically if the producer is authorized to a particular transactional-id

list

List ACLs for the specified resource

Use --topic, --group or --cluster to specify a resource

operation

Operation that is being allowed or denied

Default: All

Supported operations:

  • All

  • Alter

  • AlterConfigs

  • ClusterAction

  • Create

  • Delete

  • Describe

  • DescribeConfigs

  • IdempotentWrite

  • Read

  • Write

principal

List ACLs for the specified principal (in principalType:name format)

producer

Convenience option to add/remove ACLs for producer role that generates ACLs that allow WRITE,DESCRIBE and CREATE on topic

remove

Removing ACLs

resource-pattern-type

Type of the resource pattern or pattern filter

Default: literal

  • When adding ACLs, this should be a specific pattern type, e.g. 'literal' or 'prefixed'.

  • When listing or removing ACLs, a specific pattern type can be used to list or remove ACLs from specific resource patterns. Alternatively, use the filter values 'any' or 'match': 'any' matches any pattern type but matches the resource name exactly, whereas 'match' performs pattern matching to list or remove all ACLs that affect the supplied resource(s).

Warning
Take care when combining 'match' with the --remove option.

topic

Topic to which ACLs should be added or removed

* indicates all topics

transactional-id

The transactionalId to which ACLs should be added or removed

* indicates all transactionalIds

version

Displays Kafka version
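
The resource-pattern-type filter values from Table 1, as an added example that is not part of the original page or of Kafka's code: a simplified Python model of which stored ACL patterns a --topic payments filter selects, and therefore what --remove would delete. Topic names and principals are constructed, and the wildcard and prefix rules under 'match' are this example's reading of "all ACLs that affect the supplied resource(s)".

```python
# Added example: simplified model of ACL pattern-filter selection (not Kafka source code).
from typing import NamedTuple

WILDCARD = "*"  # the page: "* indicates all topics"

class Binding(NamedTuple):
    """One stored ACL resource pattern (sample data below is constructed)."""
    name: str
    pattern_type: str  # 'literal' or 'prefixed'
    principal: str

def filter_matches(filter_name: str, filter_type: str, b: Binding) -> bool:
    """True if --topic filter_name --resource-pattern-type filter_type selects b."""
    if filter_type in ("literal", "prefixed"):
        # Specific pattern type: same type and exactly the same name.
        return b.pattern_type == filter_type and b.name == filter_name
    if filter_type == "any":
        # Any pattern type, but the resource name must match exactly.
        return b.name == filter_name
    if filter_type == "match":
        # Every stored pattern that affects the named resource.
        if b.pattern_type == "literal":
            return b.name in (filter_name, WILDCARD)
        return filter_name.startswith(b.name)  # prefixed pattern
    raise ValueError(f"unknown pattern type: {filter_type}")

def selected(filter_name, filter_type, bindings):
    """Bindings that a list or remove with this filter would act on."""
    return [b for b in bindings if filter_matches(filter_name, filter_type, b)]

# Constructed ACL store: topic names and principals are hypothetical.
ACLS = [
    Binding("payments", "literal", "User:billing"),
    Binding("payments", "prefixed", "User:audit"),
    Binding("pay", "prefixed", "User:finance-team"),
    Binding("*", "literal", "User:admin"),
    Binding("orders", "literal", "User:shop"),
]

if __name__ == "__main__":
    for ptype in ("literal", "any", "match"):
        hit = selected("payments", ptype, ACLS)
        print(f"--topic payments --resource-pattern-type {ptype}:")
        for b in hit:
            print(f"    {b.pattern_type:8} {b.name:9} {b.principal}")
```

With 'match', the selection includes the shorter prefix and the wildcard entry, which also govern other topics; running --list with the same filter first shows that set without changing anything.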

AclCommand uses AdminClientService (when executed with --bootstrap-server option) or AuthorizerService.

When executed with the --bootstrap-server option, kafka-acls.sh requires an Authorizer to be configured on the broker; otherwise it fails with a SecurityDisabledException:

// kafka-acls.sh --list --bootstrap-server :9092
Error while executing ACL command: org.apache.kafka.common.errors.SecurityDisabledException: No Authorizer is configured on the broker

Executing Standalone Application — main Object Method

main(args: Array[String]): Unit

main is the entry point of AclCommand when launched on the command line (e.g. using the kafka-acls.sh shell script).

Internally, main reads the options from the command line.

main prints out the following for no command-line options, --help or --version:

This tool helps to manage acls on kafka

main selects the command service: AdminClientService when --bootstrap-server is used, and AuthorizerService otherwise.

In the end, main requests the command service to add, remove or list ACLs based on --add, --remove or --list command-line options, respectively.

getFilteredResourceToAcls Internal Method

getFilteredResourceToAcls(
  authorizer: Authorizer,
  filters: Set[ResourcePatternFilter],
  listPrincipal: Option[KafkaPrincipal] = None
): Iterable[(Resource, Set[Acl])]

getFilteredResourceToAcls…​FIXME

Note
getFilteredResourceToAcls is used when…​FIXME

removeAcls Internal Method

removeAcls(
  authorizer: Authorizer,
  acls: Set[Acl],
  filter: ResourcePatternFilter): Unit

removeAcls…​FIXME

Note
removeAcls is used when…​FIXME
