Message Queue for Apache Kafka Professional Edition instances provide the access control list (ACL) feature. You can use this feature to authorize Simple Authentication and Security Layer (SASL) users to send and receive messages in Message Queue for Apache Kafka.

Background information

Enterprise A purchased a Message Queue for Apache Kafka instance. The enterprise wants to allow User A to only consume messages from all topics of the Message Queue for Apache Kafka instance. The enterprise does not want to allow User A to send messages to all topics of the Message Queue for Apache Kafka instance.

Precautions

  • The default SASL user of a Message Queue for Apache Kafka instance is used for identity verification. The default SASL user is granted the permissions to read data from and write data to all topics and consumer groups that are created in the instance. If you want to implement fine-grained permission control, you must enable the ACL feature, create an SASL user, and then grant the SASL user the permissions on the resources of your Message Queue for Apache Kafka instance based on your business requirements. After you enable the ACL feature, the permissions granted to the default SASL user become invalid.
  • When the ACL feature is enabled, a topic is not automatically created if you send a message to your Message Queue for Apache Kafka instance without specifying a topic.

Prerequisites

Your Message Queue for Apache Kafka instance must meet the following conditions:

Step 1: Enable the ACL feature

After you update the minor version of your instance, enable the ACL feature for the instance in the Message Queue for Apache Kafka console.

  1. Log on to the Message Queue for Apache Kafka console.
  2. In the Resource Distribution section of the Overview page, select the region where your instance is deployed.
  3. On the Instances page, click the name of the instance that you want to manage.
  4. On the Instance Details page, click Enable ACL in the upper-right corner of the Overview section.
  5. In the Note message, click OK. Then, refresh the Instance Details page.
    After you refresh the Instance Details page, the value of the Status parameter in the Basic Information section is displayed as Upgrading. When the value of the Status parameter becomes Running, the ACL feature is enabled.
    Important: You can enable the ACL feature only after the minor version of the instance is updated. Then, you can create an SASL user and grant the user the required permissions. This way, you can use the SASL user to connect to the instance by using the SASL endpoint. The update may require 15 to 20 minutes.

Step 2: Create an SASL user

After you enable the ACL feature for the instance, create an SASL user for User A.

  1. Log on to the Message Queue for Apache Kafka console.
  2. In the Resource Distribution section of the Overview page, select the region where your instance is deployed.
  3. On the Instances page, click the name of the instance for which the ACL feature is enabled.
  4. On the Instance Details page, click the Manage SASL Users tab.
  5. On the Manage SASL Users tab, click Create SASL User.
  6. In the Create SASL User panel, configure the parameters that are described in the following table. Then, click OK.
    Parameters:
    Username: The name of the SASL user.
    User Type: Message Queue for Apache Kafka supports the following SASL mechanisms:
      • PLAIN: a simple mechanism that uses usernames and passwords to verify user identities. Message Queue for Apache Kafka provides an improved PLAIN mechanism that allows you to dynamically create SASL users without the need to restart the instance.
      • SCRAM: a mechanism that uses usernames and passwords to verify user identities. This mechanism provides greater security protection than the PLAIN mechanism. Message Queue for Apache Kafka uses SCRAM-SHA-256.
    Password: The password of the SASL user.
    Confirm Password: Enter the password again to confirm the password.
    The SASL user that you created is displayed on the Manage SASL Users tab.
    • To change the password of the SASL user, click Change Password in the Actions column. In the Change Password of SASL User panel, configure the New Password and Confirm Password parameters. Click OK.
    • To delete the SASL user, click Delete in the Actions column.

Step 3: Grant permissions to the SASL user

After you create an SASL user for User A, grant the SASL user the permissions to read messages from topics and consumer groups.

  1. On the Instance Details page, click the Manage SASL User Permissions tab.
  2. On the Manage SASL User Permissions tab, click Grant Permission.
  3. In the Grant Permission panel, configure the parameters that are described in the following table. Then, click OK.
    Parameters:
    Username: The name of the SASL user. Message Queue for Apache Kafka supports asterisks (*). You can use an asterisk (*) to specify all usernames.
    Resource Type: The type of resource. Message Queue for Apache Kafka allows you to grant permissions on the following types of resources to an SASL user:
      • Topic: specifies topics.
      • Group: specifies consumer groups.
      • Cluster: specifies instances.
      • TransactionalId: specifies transactions.
    Matching Mode: The mode that is used to match resources. Message Queue for Apache Kafka supports the following matching modes:
      • Exact Match: matches the resource that has the specified full name.
      • Prefix Match: matches resources whose names start with the specified prefix.
    Resource Name: The name of the topic, group, or instance, or the ID of the transaction. This parameter specifies the resources on which you want to grant the permissions. Message Queue for Apache Kafka supports asterisks (*). You can use an asterisk (*) to specify all resources.
    Action Type: The type of permissions that you want to grant. Message Queue for Apache Kafka supports the following permission types:
      • Write
      • Read
      • Idempotent Write Operations
    Important:
      • If you set the Resource Type parameter to Group, set this parameter to Read.
      • If you set the Resource Type parameter to Cluster, set this parameter to Idempotent Write Operations.
    After you grant permissions to the SASL user, you can query the permissions. On the Manage SASL User Permissions tab, configure the Resource Type, Matching Mode, Resource Name, or Username parameter, and then click Search.
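The following Python script is an added example, not code from Message Queue for Apache Kafka. It models the grant parameters from the table above (Username, Resource Type, Matching Mode, Resource Name, Action Type) as an allow-only policy, so that the scenario from the background section can be checked before you click Grant Permission: User A holds Read on all topics and all consumer groups and therefore can consume, but has no Write grant and therefore cannot produce. The treatment of an asterisk (*) as matching every user or every resource regardless of matching mode, and the rule that consuming requires Read on both the topic and the consumer group, are assumptions taken from the text of this page; the user and topic names are constructed.

```python
"""Allow-only model of the SASL-user ACL grants described in Step 3.

Added example, not Message Queue for Apache Kafka code. The wildcard and
matching-mode semantics below follow the parameter table on this page.
"""
from dataclasses import dataclass
from typing import List, Optional

RESOURCE_TYPES = {"Topic", "Group", "Cluster", "TransactionalId"}
MATCHING_MODES = {"Exact Match", "Prefix Match"}
ACTIONS = {"Write", "Read", "Idempotent Write Operations"}


@dataclass(frozen=True)
class Grant:
    username: str       # SASL user name, or "*" for all users
    resource_type: str  # Topic, Group, Cluster or TransactionalId
    matching_mode: str  # Exact Match or Prefix Match
    resource_name: str  # name (or transaction ID), or "*" for all resources
    action: str         # Write, Read or Idempotent Write Operations


def validate_grant(grant: Grant) -> Optional[str]:
    """Return a reason string if the grant violates the table's constraints, else None."""
    if grant.resource_type not in RESOURCE_TYPES:
        return f"unknown resource type {grant.resource_type!r}"
    if grant.matching_mode not in MATCHING_MODES:
        return f"unknown matching mode {grant.matching_mode!r}"
    if grant.action not in ACTIONS:
        return f"unknown action type {grant.action!r}"
    # The 'Important' notes: Group grants must be Read, Cluster grants must be Idempotent Write.
    if grant.resource_type == "Group" and grant.action != "Read":
        return "Group grants must use the Read action type"
    if grant.resource_type == "Cluster" and grant.action != "Idempotent Write Operations":
        return "Cluster grants must use the Idempotent Write Operations action type"
    return None


class AclPolicy:
    """A set of grants; a request is allowed only if at least one grant matches it."""

    def __init__(self) -> None:
        self._grants: List[Grant] = []

    def grant(self, grant: Grant) -> None:
        reason = validate_grant(grant)
        if reason is not None:
            raise ValueError(reason)
        self._grants.append(grant)

    @staticmethod
    def _matches(g: Grant, username: str, rtype: str, rname: str, action: str) -> bool:
        if g.username not in ("*", username):
            return False
        if g.resource_type != rtype or g.action != action:
            return False
        if g.resource_name == "*":          # asterisk: all resources (assumption, see lead-in)
            return True
        if g.matching_mode == "Exact Match":
            return g.resource_name == rname
        return rname.startswith(g.resource_name)  # Prefix Match

    def is_allowed(self, username: str, rtype: str, rname: str, action: str) -> bool:
        return any(self._matches(g, username, rtype, rname, action) for g in self._grants)

    def can_consume(self, username: str, topic: str, group: str) -> bool:
        """Consuming needs Read on the topic and Read on the consumer group (assumption)."""
        return (self.is_allowed(username, "Topic", topic, "Read")
                and self.is_allowed(username, "Group", group, "Read"))

    def can_produce(self, username: str, topic: str) -> bool:
        return self.is_allowed(username, "Topic", topic, "Write")


def build_user_a_policy() -> AclPolicy:
    """Background scenario: User A reads every topic and group, writes nothing (constructed names)."""
    policy = AclPolicy()
    policy.grant(Grant("user_a", "Topic", "Exact Match", "*", "Read"))
    policy.grant(Grant("user_a", "Group", "Exact Match", "*", "Read"))
    return policy


def build_prefix_policy() -> AclPolicy:
    """Prefix Match variant (constructed): user_b reads only topics named 'orders-...'."""
    policy = AclPolicy()
    policy.grant(Grant("user_b", "Topic", "Prefix Match", "orders-", "Read"))
    policy.grant(Grant("user_b", "Group", "Exact Match", "orders-consumers", "Read"))
    return policy


if __name__ == "__main__":
    p = build_user_a_policy()
    print("user_a consume:", p.can_consume("user_a", "orders", "user_a_group"))  # True
    print("user_a produce:", p.can_produce("user_a", "orders"))                  # False
    print("bad Group grant:", validate_grant(Grant("x", "Group", "Exact Match", "*", "Write")))
```

The script is deliberately allow-only: with the ACL feature enabled, a SASL user has no access until a matching grant exists, so a user with no Write grant is refused when producing. The `build_prefix_policy` function goes one step beyond the page's scenario to show how Prefix Match narrows a grant to a family of topics while the consumer group is still matched exactly.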

What to do next

After you grant the required permissions to the SASL user, User A can connect to Message Queue for Apache Kafka by using the SASL endpoint and use the PLAIN mechanism to consume messages. For information about how to use an SDK to connect to Message Queue for Apache Kafka, see Overview.