The access control list (ACL) feature of Message Queue for Apache Kafka allows you to authorize Simple Authentication and Security Layer (SASL) users to send messages to and consume messages in Message Queue for Apache Kafka.

Prerequisites

Your Message Queue for Apache Kafka instance must meet the following conditions:
  • The edition of the instance is Professional Edition.
  • The instance is in the Running state.
  • The major version of the instance is 2.2.0 or later. For more information about how to upgrade the major version, see Major version upgrade.
  • The minor version of the instance is the latest version. For more information about how to update the minor version, see Minor version upgrade.
Notice The default SASL user of a Message Queue for Apache Kafka instance is used for identity authentication. The default SASL user has the permissions to read data from and write data to all topics and consumer groups created in the instance. If you want to implement fine-grained permission control, you must enable the ACL feature, create an SASL user, and then grant permissions on specific resources to the SASL user as required. After you enable the ACL feature, the permissions of the default SASL user become invalid.

Background information

Enterprise A has purchased a Message Queue for Apache Kafka instance. The enterprise wants User A to only consume messages from all topics of the Message Queue for Apache Kafka instance. The enterprise does not want User A to send messages to the topics of the Message Queue for Apache Kafka instance.

Step 1: Enable the ACL feature

After you update the minor version of your instance, enable the ACL feature for the instance in the Message Queue for Apache Kafka console.

  1. Log on to the Message Queue for Apache Kafka console.
  2. In the Resource Distribution section of the Overview page, select the region where your instance resides.
  3. On the Instances page, click the name of the instance that you want to manage.
  4. On the Instance Details page, click Enable ACL in the upper-right corner of the Overview section.
  5. In the Note message, click OK. Then, refresh the Instance Details page.
    After you manually refresh the Instance Details page, the value of the Status parameter for the instance is displayed as Upgrading in the Basic Information section. When the value of the Status parameter for the instance becomes Running, the ACL feature is enabled.
    Notice You can enable the ACL feature only after the minor version of the instance is updated. Then, you can create an SASL user and grant the user the required permissions. The SASL user can access the instance by using the SASL endpoint. The update may take 15 to 20 minutes.

Step 2: Create an SASL user

After you enable the ACL feature for the instance, create an SASL user for User A.

  1. Log on to the Message Queue for Apache Kafka console.
  2. In the Resource Distribution section of the Overview page, select the region where your instance resides.
  3. On the Instances page, click the name of the instance for which you have enabled the ACL feature.
  4. On the Instance Details page, click the Manage SASL Users tab.
  5. On the Manage SASL Users tab, click Create SASL User.
  6. In the Create SASL User panel, set the parameters that are described in the following table and click OK.
    Create an SASL user (parameter: description)
    Username: The name of the SASL user.
    User Type: Message Queue for Apache Kafka supports the following SASL mechanisms:
    • PLAIN: a simple username and password verification mechanism. Message Queue for Apache Kafka provides an improved PLAIN mechanism that allows you to dynamically create SASL users without the need to restart the instance.
    • SCRAM: a username and password verification mechanism that provides greater security protection than PLAIN. Message Queue for Apache Kafka uses SCRAM-SHA-256.
    Password: The password of the SASL user.
    Confirm Password: The same password of the SASL user. You must enter the password again to confirm it.
    The SASL user that you created appears in the lower part of the Manage SASL Users tab.
    • If you need to change the password of the SASL user, click Change Password in the Actions column. In the Change Password of SASL User panel, set the New Password and Confirm Password parameters. Click OK.
    • If you need to delete the SASL user, click Delete in the Actions column.

Step 3: Grant permissions to the SASL user

After you create an SASL user for User A, grant the SASL user permissions to read messages from topics and consumer groups.

  1. On the Instance Details page, click the Manage SASL User Permissions tab.
  2. On the Manage SASL User Permissions tab, click Grant Permission.
  3. In the Grant Permission panel, set the parameters that are described in the following table and click OK.
    Permission configuration (parameter: description)
    Username: The name of the SASL user. Message Queue for Apache Kafka supports asterisks (*). You can use an asterisk (*) to represent all usernames.
    Resource Type: The type of resource. Message Queue for Apache Kafka allows you to grant permissions on the following types of resources to an SASL user:
    • Topic: topic.
    • Group: consumer group.
    • Cluster: cluster.
    • TransactionalId: transaction.
    Matching Mode: The mode used to match resources. Message Queue for Apache Kafka supports the following matching modes:
    • Exact Match: The resource with the specified full name is matched.
    • Prefix Match: Resources whose names start with the specified prefix are matched.
    Resource Name: The name of the topic, group, or cluster, or the ID of the transaction. This parameter specifies the resource on which permissions are to be granted. Message Queue for Apache Kafka supports asterisks (*). You can use an asterisk (*) to represent all resources.
    Action Type: The type of the permission to be granted. Message Queue for Apache Kafka supports the following permission types:
    • Write
    • Read
    • Idempotent Write Operations
    Notice
    • If you set the Resource Type parameter to Group, you must set this parameter to Read.
    • If you set the Resource Type parameter to Cluster, you must set this parameter to Idempotent Write Operations.
    After you grant the permissions, you can query them on the Manage SASL User Permissions tab: set the Resource Type, Matching Mode, Resource Name, and Username parameters as filters and click Search to list the permissions granted to the SASL user.
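    The following Python model is an added illustration of how the grant parameters above (Username, Resource Type, Matching Mode, Resource Name, Action Type) combine when an access decision is made; it is not code from Message Queue for Apache Kafka or its SDK. It enforces the two rules in the Notice at grant time, treats an asterisk as "all usernames" or "all resources" as the table states, and only models grants, since the page describes no deny rules. The grants for User A (topic and group names, the username user_a) are constructed to match the Background information scenario: read access to every topic, no write access.

```python
"""Model of the SASL user permission evaluation described in Step 3 (added example).

Not Message Queue for Apache Kafka's own code: a plain-Python re-implementation
of how a grant would be matched against a requested action, including the
Notice constraints (Group grants must be Read, Cluster grants must be
Idempotent Write Operations). Grants and names below are constructed samples.
"""
from dataclasses import dataclass

RESOURCE_TYPES = {"Topic", "Group", "Cluster", "TransactionalId"}
ACTION_TYPES = {"Write", "Read", "Idempotent Write Operations"}
MATCHING_MODES = {"Exact Match", "Prefix Match"}
WILDCARD = "*"  # an asterisk stands for all usernames or all resources


@dataclass(frozen=True)
class Grant:
    username: str
    resource_type: str
    matching_mode: str
    resource_name: str
    action_type: str


def validate_grant(grant: Grant) -> None:
    """Reject grants the console would refuse, per the Notice in Step 3."""
    if grant.resource_type not in RESOURCE_TYPES:
        raise ValueError(f"unknown resource type {grant.resource_type!r}")
    if grant.matching_mode not in MATCHING_MODES:
        raise ValueError(f"unknown matching mode {grant.matching_mode!r}")
    if grant.action_type not in ACTION_TYPES:
        raise ValueError(f"unknown action type {grant.action_type!r}")
    if grant.resource_type == "Group" and grant.action_type != "Read":
        raise ValueError("Group permissions must use the Read action type")
    if grant.resource_type == "Cluster" and grant.action_type != "Idempotent Write Operations":
        raise ValueError("Cluster permissions must use Idempotent Write Operations")


def _name_matches(grant: Grant, resource_name: str) -> bool:
    """Apply the Resource Name and Matching Mode of one grant to a resource."""
    if grant.resource_name == WILDCARD:
        return True
    if grant.matching_mode == "Exact Match":
        return grant.resource_name == resource_name
    return resource_name.startswith(grant.resource_name)  # Prefix Match


def is_allowed(grants, username, resource_type, resource_name, action_type) -> bool:
    """True if at least one grant covers the (user, resource, action) triple.

    Only grants are modelled, so a request with no matching grant is denied.
    """
    for g in grants:
        if g.resource_type != resource_type or g.action_type != action_type:
            continue
        if g.username not in (WILDCARD, username):
            continue
        if _name_matches(g, resource_name):
            return True
    return False


def can_consume(grants, username, topic, group) -> bool:
    """Consuming needs Read on the topic and Read on the consumer group."""
    return (is_allowed(grants, username, "Topic", topic, "Read")
            and is_allowed(grants, username, "Group", group, "Read"))


def can_produce(grants, username, topic) -> bool:
    """Producing needs Write on the topic."""
    return is_allowed(grants, username, "Topic", topic, "Write")


# Constructed sample for the Background information scenario: User A may read
# every topic and may use consumer groups whose names start with "user-a-".
# No Write grant exists, so producing is denied.
USER_A_GRANTS = [
    Grant("user_a", "Topic", "Exact Match", WILDCARD, "Read"),
    Grant("user_a", "Group", "Prefix Match", "user-a-", "Read"),
]
for _g in USER_A_GRANTS:
    validate_grant(_g)

if __name__ == "__main__":
    print(can_consume(USER_A_GRANTS, "user_a", "orders", "user-a-billing"))  # True
    print(can_produce(USER_A_GRANTS, "user_a", "orders"))                     # False
```

    The model makes two points that the table alone leaves implicit: consumption is denied unless both the Topic and the Group grant are present, and a Prefix Match grant on the group keeps User A from joining arbitrary consumer groups even though the topic grant is a wildcard.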

What to do next

After you grant the SASL user the required permissions, User A can connect to Message Queue for Apache Kafka by using the SASL endpoint and use the PLAIN mechanism to consume messages. For more information about how to use an SDK to connect to Message Queue for Apache Kafka, see Overview.
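The block below is an added example of the client-side configuration this section describes; it is not Message Queue for Apache Kafka SDK code. It uses the open-source kafka-python client (`KafkaConsumer`) with the SASL user from Step 2 and the PLAIN or SCRAM-SHA-256 mechanism named there. The endpoint, CA file path, credentials, topic and group names are placeholders, and the choice between SASL_SSL and SASL_PLAINTEXT is this example's own assumption (a CA file selects SASL_SSL), not a statement about which endpoint type the service offers.

```python
"""Consumer settings for connecting through the SASL endpoint (added example).

Not Message Queue for Apache Kafka's SDK: shows how a kafka-python
KafkaConsumer is configured with the SASL user created in Step 2. All
endpoint, credential and resource names are placeholders.
"""

# The two User Type options from Step 2.
SUPPORTED_MECHANISMS = {"PLAIN", "SCRAM-SHA-256"}


def build_consumer_config(bootstrap_servers, username, password, group_id,
                          mechanism="PLAIN", ssl_cafile=None):
    """Return KafkaConsumer keyword arguments for a SASL-authenticated consumer.

    group_id must be a consumer group the SASL user holds Read permission on
    (Step 3); otherwise the broker refuses the group join. A CA file selects
    SASL_SSL (assumption of this example); without one the credentials travel
    in clear text over SASL_PLAINTEXT, which is only acceptable inside a
    private network.
    """
    if mechanism not in SUPPORTED_MECHANISMS:
        raise ValueError(f"unsupported SASL mechanism {mechanism!r}")
    if not (bootstrap_servers and username and password and group_id):
        raise ValueError("bootstrap_servers, username, password and group_id are required")
    config = {
        "bootstrap_servers": bootstrap_servers,
        "group_id": group_id,
        "security_protocol": "SASL_SSL" if ssl_cafile else "SASL_PLAINTEXT",
        "sasl_mechanism": mechanism,
        # kafka-python uses these two keys for both PLAIN and SCRAM.
        "sasl_plain_username": username,
        "sasl_plain_password": password,
        "enable_auto_commit": False,   # commit only after the record is handled
        "auto_offset_reset": "earliest",
    }
    if ssl_cafile:
        config["ssl_cafile"] = ssl_cafile
    return config


def consume(topics, **config):
    """Yield (topic, partition, offset, value) and commit after each record.

    Imported lazily so build_consumer_config stays usable without the client
    installed (pip install kafka-python).
    """
    from kafka import KafkaConsumer
    consumer = KafkaConsumer(*topics, **config)
    try:
        for record in consumer:
            yield record.topic, record.partition, record.offset, record.value
            consumer.commit()
    finally:
        consumer.close()


if __name__ == "__main__":
    # Placeholder values; replace with the SASL endpoint and user of your instance.
    cfg = build_consumer_config(
        bootstrap_servers="<sasl-endpoint-host>:9093",
        username="user_a",
        password="<password>",
        group_id="user-a-billing",
        mechanism="PLAIN",
        ssl_cafile="/path/to/ca-cert.pem",
    )
    for topic, partition, offset, value in consume(["orders"], **cfg):
        print(topic, partition, offset, value)
```

A consumer configured this way succeeds only if the Step 3 grants cover both the topics passed to `consume` and the `group_id`; a missing Group grant shows up as an authorization failure on the group join, not on the topic fetch.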