Use the ACL feature to grant different permissions to SASL users -

If you want to grant different permissions to different users or user groups, you can use the access control list (ACL) feature provided by ApsaraMQ for Kafka Professional Edition instances. The feature allows you to grant permissions on resources such as topics and groups to Simple Authentication and Security Layer (SASL) users to implement fine-grained permission management.

Usage notes

A default SASL user that is used only for authentication is provided by an ApsaraMQ for Kafka instance of the Internet- and virtual private cloud (VPC)- connected type. The default SASL user is granted the read and write permissions on all topics and groups on the instance. If you want to implement fine-grained permission control, you must enable the ACL feature, create a SASL user, and then grant the SASL user the permissions to send and receive messages in ApsaraMQ for Kafka based on your business requirements. After you enable the ACL feature, the permissions that are granted to the default SASL user become invalid.
After you enable the ACL feature, a topic is not automatically created if you send a message to your ApsaraMQ for Kafka instance without specifying a topic.

Limits

The edition of the instance is Professional Edition.
The major version of the instance is 2.2.0 or later. For information about how to upgrade the major version, see Upgrade the major version of an instance.
The minor version of the instance is the latest. For information about how to update the minor version, see Update the minor version of an instance.

Enable the ACL feature

Before you enable the ACL feature for an instance in the ApsaraMQ for Kafka console, make sure that the edition of the instance is Professional Edition.

Log on to the ApsaraMQ for Kafka console.
In the Resource Distribution section of the Overview page, select the region where the ApsaraMQ for Kafka instance that you want to manage resides.
On the Instances page, click the name of the instance that you want to manage.
On the Instance Details page, click Enable ACL in the upper-right corner of the Overview section.
In the Note message, click OK. Then, refresh the Instance Details page.
After you refresh the Instance Details page, the value of the Status parameter in the Basic Information section is displayed as Upgrading. When the value of the Status parameter becomes Running, the ACL feature is enabled.
Important
You can enable the ACL feature only after the minor version of the instance is updated. Then, you can create a SASL user and grant the user the required permissions. This way, you can use the SASL user to connect to the ApsaraMQ for Kafka instance by using the SASL endpoint. The update may take 15 to 20 minutes to complete.

Create a SASL user

Log on to the ApsaraMQ for Kafka console.
In the Resource Distribution section of the Overview page, select the region where the ApsaraMQ for Kafka instance that you want to manage resides.
On the Instances page, select the instance for which the ACL feature is enabled.
On the Instance Details page, click the Manage SASL Users tab.
On the Manage SASL Users tab, click Create SASL User.

In the Create SASL User panel, configure the parameters and click OK. The following table describes the parameters.

Parameter	Description
Username	The name of the SASL user.
User Type	ApsaraMQ for Kafka supports the following SASL mechanisms: PLAIN: a simple mechanism that uses usernames and passwords to verify user identities. ApsaraMQ for Kafka provides an optimized PLAIN mechanism that allows you to dynamically create SASL users for an instance without the need to restart the instance. SCRAM: a mechanism that uses usernames and passwords to verify user identities. Compared with the PLAIN mechanism, this mechanism provides better security protection. ApsaraMQ for Kafka uses the SCRAM-SHA-256 algorithm to encrypt connections.
Password	The password of the SASL user.
Confirm Password	Enter the password of the SASL again to confirm the password.

The SASL user that you created is displayed on the Manage SASL Users tab.

If you want to change the password of the SASL user, click Change Password in the Actions column. In the Change Password of SASL User panel, configure the New Password and Confirm Password parameters. Then, click OK.
If you want to delete the SASL user, click Delete in the Actions column.

Grant permissions to the SASL user

On the Instance Details page, click Manage SASL User Permissions.
On the Manage SASL User Permissions tab, click Grant Permission.

In the Grant Permission panel, configure the parameters and click OK. The following table describes the parameters.

pg_read_from_Topic

Parameter	Description
Username	The name of the SASL user. ApsaraMQ for Kafka supports the use of asterisks () as wildcard characters. You can use an asterisk () to specify all usernames.
Resource Type	The resource type. ApsaraMQ for Kafka allows you to grant permissions on the following types of resources to a SASL user: Topic: topic Group: consumer group Cluster: cluster TransactionalId: transaction
Match Mode	The mode that is used to match resources. ApsaraMQ for Kafka supports the following match modes: Exact Match: In this mode, only the resource with the same name is matched. Prefix Match: In this mode, resources whose names start with the specified prefix are matched.
Resource Name	The name of the topic, group, or instance, or the ID of the transaction. This parameter specifies the resources on which you want to grant the permissions. ApsaraMQ for Kafka supports the use of asterisk () as wildcard characters. You can use an asterisk () to specify all resource names.
Action Type	The type of permissions that you want to grant. ApsaraMQ for Kafka supports the following types of permissions: Write Read Idempotent Write Operations Important If you set the Resource Type parameter to Group, set this parameter to Read. If you set the Resource Type parameter to Cluster, set this parameter to Idempotent Write Operations.

After you grant the required permissions to the SASL user, you can query the permissions. To do so, go to the Manage SASL User Permissions tab and configure the Resource Type, Match Mode, Resource Name, and Username parameters. Then, click Search.
After you grant the required permissions to the SASL user, the user can connect to ApsaraMQ for Kafka by using the SASL endpoint and consume messages by using the PLAIN mechanism.

Related operations

For information about how to use an SDK to connect to ApsaraMQ for Kafka, see Overview.
For information about how to grant permissions to a SASL user by calling API operations, see CreateSaslUser and CreateAcl.
For information about SASL endpoints, see Comparison among endpoints.