- Release Notes
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Best Practices
- Troubleshooting
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Instance APIs
- Topic APIs
- ModifyTopicAttributes
- DescribeTopicDetail
- DescribeTopicAttributes
- DescribeTopic
- DeleteTopicIpWhiteList
- DeleteTopic
- CreateTopicIpWhiteList
- CreateTopic
- CreatePartition
- FetchMessageListByOffset
- FetchMessageByOffset
- DescribeTopicSubscribeGroup
- BatchModifyTopicAttributes
- BatchModifyGroupOffsets
- DescribeTopicSyncReplica
- ACL APIs
- Route APIs
- Datahub APIs
- Other APIs
- Data Types
- Error Codes
- SDK Documentation
- General References
- FAQs
- Service Level Agreement (New Version)
- Glossary
- Release Notes
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Best Practices
- Troubleshooting
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Instance APIs
- Topic APIs
- ModifyTopicAttributes
- DescribeTopicDetail
- DescribeTopicAttributes
- DescribeTopic
- DeleteTopicIpWhiteList
- DeleteTopic
- CreateTopicIpWhiteList
- CreateTopic
- CreatePartition
- FetchMessageListByOffset
- FetchMessageByOffset
- DescribeTopicSubscribeGroup
- BatchModifyTopicAttributes
- BatchModifyGroupOffsets
- DescribeTopicSyncReplica
- ACL APIs
- Route APIs
- Datahub APIs
- Other APIs
- Data Types
- Error Codes
- SDK Documentation
- General References
- FAQs
- Service Level Agreement (New Version)
- Glossary
Overview
This document describes how to configure SASL authentication and ACL (access control list) rules in the CKafka console to enhance access control in public/private network transfers and permission control in production and consumption of resources such as topics.
Note:
- Kafka offers various security authentication mechanisms, which mainly include SSL and SASL. SASL/PLAIN is an authentication method based on account and password and is more commonly used. CKafka supports SASL_PLAINTEXT authentication (for more information, please see Adding Routing Policy).
- An ACL helps you define a set of permission rules to allow/deny users to read/write topic resources through IPs.
Directions
Configuring ACL policy
- Log in to the CKafka console.
- On the topbar, select a region and click the ID/Name of the target instance.
- On the instance details page, click the User Management tab at the top.
- On the user management page, click Create and enter the username and password to create a user.
- Click ACL Policy Management at the top.
- On the ACL policy details page, click Batch Configuration to grant permissions to the user.
Note:
- If allow rules are configured only, any IPs other than those configured with allow rules cannot connect to the instance.
- If deny rules are configured only, any IPs other than those configured with deny rules can connect to the instance.
- If allow and deny rules are simultaneously configured, only IPs with allow rules can connect to the instance.
You can grant permissions to the user through Topics or Topic name prefix.
- Topics: select multiple topics that need to be configured with the same ACL policy. The "Topics" mode only supports configuring one policy.
- Topic name prefix: fuzzy match topics that need to be configured with the same ACL policy by topic name prefix. You need to specify the fuzzy matching rule name. After this is set, when a new topic whose name contains the specified prefix is added, the system will automatically configure the specified ACL policy for it.
Note
- Up to five fuzzy match rules can be set.
- You can enter multiple IPs or IP ranges and separate them by
;.
Use limits
Enabling routing only affects the authentication method during access, while the set ACL policy takes effect globally.
If you use the PLAINTEXT method to access CKafka while enabling public network access routing, the ACL previously set for the topics will still take effect. If you want PLAINTEXT access to be unaffected, please add the read/write permissions of all users for the topics that PLAINTEXT needs to access.
Note:When adding an ACL policy, you don't need to select any user, and read/write permissions are added to all users by default.
The effect after addition is as follows:
If a topic is already being used by another Tencent Cloud service (e.g., log shipping in CLS, message dump in SCF, and component consumption in EMR), enabling ACL policy is equivalent to imposing restrictions on the permissions of these linked capabilities, and they will directly become unavailable. Therefore, please be sure to do so with caution. In such cases, we recommend you produce the same data to another topic for separate processing instead of configuring a unified ACL policy on the same topic.
Viewing fuzzy match rule
- On the ACL policy management page, select Fuzzy Match Rule.
- In the fuzzy match rule list, click Details in the Operation column to view the details of a rule.
Deleting fuzzy match rule
- On the ACL policy management page, select Fuzzy Match Rule.
- In the fuzzy match rule list, click Delete in the Operation column to delete a rule.
Subsequent Operations
After the authorization is completed, you can access CKafka through the SASL access point and consume messages by using the PLAIN mechanism as instructed in the SDK documentation.
Yes
No
Was this page helpful?