The access control list (ACL) feature of Message Queue for Apache Kafka allows you to authorize Simple Authentication and Security Layer (SASL) users to send and subscribe to messages in Message Queue for Apache Kafka.

Prerequisites

Your Message Queue for Apache Kafka instance must meet the following conditions:
  • The edition of the instance is the Professional Edition.
  • The instance is in the Running state.
  • The major version of the instance is 2.2.0 or later. For more information about how to upgrade the major version, see Upgrade the major version of an instance.
  • The minor version of the instance is the latest version. For more information about how to upgrade the minor version, see Upgrade the minor version of an instance.
Notice The default SASL user of an instance of the Internet and VPC type has no permissions. After the ACL feature is enabled, the default SASL user can no longer send or subscribe to messages, because every operation now requires an explicit grant. If the default SASL user must keep working, grant it the read and write permissions on all topics and consumer groups of the instance.

Background information

Enterprise A has purchased a Message Queue for Apache Kafka instance. The enterprise wants User A to only consume messages from all topics of the Message Queue for Apache Kafka instance. The enterprise does not want User A to send messages to the topics of the Message Queue for Apache Kafka instance.

Step 1: Enable the ACL feature

After you upgrade the minor version of an instance, enable the ACL feature for the instance in the Message Queue for Apache Kafka console.

  1. Log on to the Message Queue for Apache Kafka console.
  2. In the Resource Distribution section of the Overview page, select the region where your instance resides.
  3. On the Instances page, click the name of the instance that you want to manage.
  4. On the Instance Details page, click Enable ACL in the upper-right corner of the Overview section.
  5. In the Note message, click OK. Then, refresh the Instance Details page.
    After you manually refresh the Instance Details page, the value of Status for the instance is Upgrading in the Basic Information section. When the value of Status for the instance becomes Running, the ACL feature is enabled.
    Notice You can enable the ACL feature only after the minor version of the instance is upgraded. Then, you can create an SASL user and grant the user the required permissions. The SASL user can access the instance by using the SASL endpoint. The upgrade may take 15 to 20 minutes.

Step 2: Create an SASL user

After you enable the ACL feature for the instance, create an SASL user for User A.

  1. Log on to the Message Queue for Apache Kafka console.
  2. In the Resource Distribution section of the Overview page, select the region where your instance resides.
  3. On the Instances page, click the name of the instance for which you have enabled the ACL feature.
  4. On the Instance Details page, click the Manage SASL Users tab.
  5. On the Manage SASL Users tab, click Create SASL User.
  6. In the Create SASL User panel, set the parameters and click OK.
    Parameter         Description
    Username          The name of the SASL user.
    User Type         Message Queue for Apache Kafka supports the following SASL mechanisms:
                      • PLAIN: a simple username and password verification mechanism. Message Queue for Apache Kafka provides an improved PLAIN mechanism that allows you to dynamically add SASL users without the need to restart the instance.
                      • SCRAM: a username and password verification mechanism that provides higher security than PLAIN. Message Queue for Apache Kafka uses SCRAM-SHA-256.
    Password          The password of the SASL user.
    Confirm Password  The same password of the SASL user. You must enter the password again to confirm it.
    The SASL user that you created appears in the lower part of the Manage SASL Users tab.
    • If you need to change the password of the SASL user, click Change Password in the Actions column. In the Change Password of SASL User panel, set New Password and Confirm Password. Click OK.
    • If you need to delete the SASL user, click Delete in the Actions column.

Step 3: Grant permissions to the SASL user

After you create an SASL user for User A, grant the SASL user permissions to read messages from topics and consumer groups.

  1. On the Instance Details page, click the Manage SASL User Permissions tab.
  2. On the Manage SASL User Permissions tab, click Grant Permission.
  3. In the Grant Permission panel, set the parameters that are described in the following table and click OK.
    Parameter       Description
    Username        The name of the SASL user. Message Queue for Apache Kafka supports asterisks (*). You can use an asterisk to represent all usernames.
    Resource Type   Message Queue for Apache Kafka allows you to grant permissions on the following resource types:
                    • Topic: message topics.
                    • Group: consumer groups.
    Matching Mode   Message Queue for Apache Kafka supports the following matching modes:
                    • Exact Match: matches resources by literal value. In this mode, only resources with the same name are matched.
                    • Prefix Match: matches resource names by prefix. In this mode, a resource name that starts with the specified prefix is matched.
    Resource Name   The name of the resource. The value can be the name of a topic or consumer group. Message Queue for Apache Kafka supports asterisks (*). You can use an asterisk to represent all resource names.
    Action Type     Message Queue for Apache Kafka supports the following types of operations:
                    • Write
                    • Read
                    Notice If you set the Resource Type parameter to Group, you must set the Permission parameter to Read.
    After you grant the permissions to the SASL user, you can filter by Resource Type, Matching Mode, Resource Name, and Username on the Manage SASL User Permissions tab and click Search to query the permissions granted to the SASL user.
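The following added example (not part of the original page or of the Message Queue for Apache Kafka product) models the authorization decision described by the table above: usernames and resource names may be "*", Exact Match compares literal names, Prefix Match compares by prefix, Group entries may only carry Read, and an operation is allowed only when some entry matches. The username "user_a", the topic and group names, and the treatment of "*" as a wildcard in either matching mode are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    """One row as granted in the Grant Permission panel."""
    username: str        # SASL username, or "*" for all usernames
    resource_type: str   # "Topic" or "Group"
    matching_mode: str   # "Exact Match" or "Prefix Match"
    resource_name: str   # topic or group name, or "*" for all resources
    action: str          # "Write" or "Read"


def validate_entry(entry: AclEntry) -> AclEntry:
    """Console rule: a Group entry must use the Read action."""
    if entry.resource_type == "Group" and entry.action != "Read":
        raise ValueError("Group permissions must be Read")
    return entry


def _matches(e: AclEntry, user: str, rtype: str, rname: str, action: str) -> bool:
    if e.username not in ("*", user):
        return False
    if e.resource_type != rtype or e.action != action:
        return False
    if e.resource_name == "*":          # assumption: "*" is a wildcard in either mode
        return True
    if e.matching_mode == "Prefix Match":
        return rname.startswith(e.resource_name)
    return rname == e.resource_name     # Exact Match: literal comparison


def is_allowed(acl, user: str, rtype: str, rname: str, action: str) -> bool:
    """Allow-only model: no matching entry means the operation is denied."""
    return any(_matches(e, user, rtype, rname, action) for e in acl)


def consumer_allowed(acl, user: str, topic: str, group: str) -> bool:
    """Consuming needs Read on the topic and Read on the consumer group."""
    return (is_allowed(acl, user, "Topic", topic, "Read")
            and is_allowed(acl, user, "Group", group, "Read"))


# Constructed ACL for the scenario in this page: User A reads all topics and
# all consumer groups and is never granted Write.
USER_A_ACL = [
    validate_entry(AclEntry("user_a", "Topic", "Exact Match", "*", "Read")),
    validate_entry(AclEntry("user_a", "Group", "Exact Match", "*", "Read")),
]
```

The same model shows why the default SASL user stops working once ACL is enabled: with no entry of its own, every check returns False until it is granted read and write on all topics and groups.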

What to do next

After you grant the SASL user the required permissions, User A can connect to Message Queue for Apache Kafka by using the SASL endpoint and use the PLAIN mechanism to consume messages. For more information about how to use an SDK, see SDK overview.