Configuring ACL Policy

Last updated: 2022-05-16 16:13:02

    Overview

    This document describes how to configure SASL authentication and ACL (access control list) rules in the CKafka console to enhance access control in public/private network transfers and permission control in production and consumption of resources such as topics.

    Note:

    • Kafka offers various security authentication mechanisms, mainly SSL and SASL. SASL/PLAIN, which authenticates with an account and password, is the more commonly used. CKafka supports SASL_PLAINTEXT authentication (for more information, see Adding Routing Policy).
    • An ACL lets you define a set of permission rules that allow or deny users read/write access to topic resources, based on IP.

    Directions

    Configuring ACL policy

    1. Log in to the CKafka console.
    2. On the topbar, select a region and click the ID/Name of the target instance.
    3. On the instance details page, click the User Management tab at the top.
    4. On the user management page, click Create and enter the username and password to create a user.
    5. Click ACL Policy Management at the top.
    6. On the ACL policy details page, click Batch Set to grant permissions to the user.
      Note:

      • If only allow rules are configured, IPs not covered by an allow rule cannot connect to the instance.
      • If only deny rules are configured, IPs not covered by a deny rule can connect to the instance.
      • If both allow and deny rules are configured, only IPs with allow rules can connect to the instance.

      You can grant permissions to the user through Topics, Topic name prefix, or Preset rules.

      Note

      When configuring the ACL policy, you can enter multiple IPs or IP ranges, separated by semicolons (;). If the IP field is left empty, the permission is added for all IPs by default.

      • Topics: select multiple topics that need to be configured with the same ACL policy.
      • Topic name prefix: fuzzy-match the topics that need the same ACL policy by topic name prefix. You need to specify a name for the fuzzy matching rule. Once the rule is set, when a new topic whose name contains the specified prefix is added, the system automatically applies the specified ACL policy to it.
        Note

        Up to five fuzzy matching rules can be set.

      • Preset rules: a set of rules can be preset and automatically applied during subsequent topic creation.
        Note

        Up to five preset rules can be set.

      Subsequent handling: after the authorization is completed, you can access CKafka through the SASL access point and consume messages by using the PLAIN mechanism as instructed in the SDK documentation.
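
The allow/deny combination behaviour described in the notes under step 6, modelled as an added Python example (not Tencent Cloud code, and not how CKafka is implemented). Assumptions: IP ranges are written in CIDR notation, a deny rule wins when an IP matches both an allow and a deny rule, and the function names and sample rule sets are hypothetical.

```python
import ipaddress

def ip_field_matches(ip_field, source_ip):
    """Match a source IP against a ';'-separated IP field from an ACL rule."""
    entries = [e.strip() for e in ip_field.split(";") if e.strip()]
    if not entries:
        return True  # page: an empty IP field applies the rule to all IPs
    addr = ipaddress.ip_address(source_ip)
    # Assumption: IP ranges are written in CIDR notation (format not given on the page).
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)

def can_connect(rules, source_ip):
    """rules: list of (effect, ip_field) with effect 'allow' or 'deny'."""
    if not rules:
        raise ValueError("no rules: the page does not define this case")
    for effect, _ in rules:
        if effect not in ("allow", "deny"):
            raise ValueError(f"unknown effect: {effect!r}")
    allows = [f for e, f in rules if e == "allow"]
    denies = [f for e, f in rules if e == "deny"]
    if any(ip_field_matches(f, source_ip) for f in denies):
        return False  # assumption: deny wins if an IP matches both kinds
    if allows:
        # allow-only, or allow and deny together: only allowed IPs connect
        return any(ip_field_matches(f, source_ip) for f in allows)
    return True  # deny-only: every IP not covered by a deny rule connects

# Constructed sample rule sets (documentation-range and private addresses).
ALLOW_ONLY = [("allow", "10.0.0.5;192.168.1.0/24")]
DENY_ONLY = [("deny", "203.0.113.0/24")]
BOTH = [("allow", "10.0.0.0/8"), ("deny", "10.0.9.0/24")]

if __name__ == "__main__":
    for name, rules in [("allow-only", ALLOW_ONLY), ("deny-only", DENY_ONLY), ("both", BOTH)]:
        for ip in ("10.0.0.5", "10.0.9.4", "203.0.113.9", "198.51.100.1"):
            print(f"{name:10} {ip:13} -> {'connect' if can_connect(rules, ip) else 'blocked'}")
```

Running a planned rule set through a model like this before applying it with Batch Set shows which client IPs would lose access once the first allow rule is added.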

    Use limits

    1. Enabling routing only affects the authentication method during access, while the set ACL policy takes effect globally.
    2. If you use the PLAINTEXT method to access CKafka while enabling public network access routing, the ACL previously set for the topics will still take effect. If you want PLAINTEXT access to be unaffected, add the read/write permissions of all users for the topics that PLAINTEXT needs to access.
      Note

      When adding an ACL policy, you don't need to select any user, and read/write permissions are added to all users by default.

    3. If a topic is already being used by another Tencent Cloud service (e.g., log shipping in CLS, message dump in SCF, and component consumption in EMR), enabling ACL policy is equivalent to imposing restrictions on the permissions of these linked capabilities, and they will directly become unavailable. Therefore, be sure to do so with caution. In such cases, we recommend you produce the same data to another topic for separate processing instead of configuring a unified ACL policy on the same topic.

    Viewing preset rule

    1. On the ACL policy management page, select Preset Rule.
    2. In the preset rule list, click Details in the Operation column to view the details of a rule.

    Deleting preset rule

    1. On the ACL policy management page, select Preset Rule.
    2. In the preset rule list, click Delete in the Operation column to delete a rule.
      The impact of deleting the preset rule varies by the type of rule match:
      • If the rule is a fuzzy match rule, it will no longer be automatically applied to new topics or take effect for topics to which it is already applied.
      • If the rule is not a fuzzy match rule, it will no longer be automatically applied to new topics but will still take effect for topics to which it is already applied.