ACL Authorization
Access Control Lists for resource authorization.
Overview
ACLs control:
- Who (principal) can perform
- What (operation) on
- Which (resource)
Configuration
{
"Surgewave": {
"Security": {
"AclEnabled": true,
"SuperUsers": ["User:admin"],
"DefaultAclAction": "Deny"
}
}
}
CLI Usage
List ACLs
surgewave acls list
surgewave acls list --principal User:alice
surgewave acls list --resource-type topic --resource my-topic
Add ACL
# Allow user to read from topic
surgewave acls add \
--principal User:alice \
--resource-type topic \
--resource my-topic \
--operation read \
--permission allow
# Allow user to produce to all topics
surgewave acls add \
--principal User:producer \
--resource-type topic \
--resource "*" \
--operation write \
--permission allow
# Allow consumer group access
surgewave acls add \
--principal User:consumer \
--resource-type group \
--resource my-group \
--operation read \
--permission allow
Remove ACL
surgewave acls remove \
--principal User:alice \
--resource-type topic \
--resource my-topic
Resource Types
| Type | Description |
|---|---|
topic |
Topic access |
group |
Consumer group |
cluster |
Cluster operations |
transactional-id |
Transaction access |
Operations
| Operation | Resources | Description |
|---|---|---|
read |
topic, group | Consume/fetch |
write |
topic | Produce |
create |
topic, group | Create new |
delete |
topic, group | Delete |
alter |
topic, group, cluster | Modify config |
describe |
all | View metadata |
all |
all | All operations |
Pattern Types
Literal
Exact match:
surgewave acls add \
--principal User:app \
--resource-type topic \
--resource orders \
--pattern-type literal \
--operation read
Prefixed
Prefix match:
surgewave acls add \
--principal User:app \
--resource-type topic \
--resource "app." \
--pattern-type prefixed \
--operation all
Matches: app.orders, app.events, app.logs
Common Patterns
Producer
# Write to specific topics
surgewave acls add --principal User:producer \
--resource-type topic --resource orders \
--operation write
# Idempotent producer
surgewave acls add --principal User:producer \
--resource-type cluster --resource kafka-cluster \
--operation idempotent-write
Consumer
# Read from topics
surgewave acls add --principal User:consumer \
--resource-type topic --resource orders \
--operation read
# Consumer group
surgewave acls add --principal User:consumer \
--resource-type group --resource order-processors \
--operation read
Admin
# Create topics
surgewave acls add --principal User:admin \
--resource-type cluster --resource kafka-cluster \
--operation create
# Alter configs
surgewave acls add --principal User:admin \
--resource-type cluster --resource kafka-cluster \
--operation alter
Transactional Producer
surgewave acls add --principal User:tx-producer \
--resource-type transactional-id --resource my-tx-id \
--operation write
Super Users
Super users bypass all ACL checks:
{
"Surgewave": {
"Security": {
"SuperUsers": ["User:admin", "User:root"]
}
}
}
API Access
Create ACLs
var entries = new List<AclEntry>
{
new()
{
ResourceType = AclResourceType.Topic,
ResourceName = "my-topic",
PatternType = AclPatternType.Literal,
Principal = "User:alice",
Host = "*",
Operation = AclOperation.Read,
Permission = AclPermission.Allow
}
};
await client.Admin.CreateAclsAsync(entries);
Describe ACLs
var result = await client.Admin.DescribeAclsAsync(
resourceType: AclResourceType.Topic,
resourceName: "my-topic");
Authorization Flow
Request arrives
↓
Is user super user? → Yes → Allow
↓ No
Find matching ACLs
↓
Any DENY ACL matches? → Yes → Deny
↓ No
Any ALLOW ACL matches? → Yes → Allow
↓ No
Default action (Deny)
Monitoring
| Metric | Description |
|---|---|
surgewave_acl_denials_total |
Denied requests |
surgewave_acl_checks_total |
ACL checks performed |
Best Practices
- Principle of least privilege - Grant minimum required
- Use prefixes - Group resources by application
- Super users sparingly - Only for admin tasks
- Audit regularly - Review ACL changes
- Deny by default - Explicit allows only
Next Steps
- Clustering - Multi-broker security
- Monitoring - Security metrics