This document describes how to configure SASL authentication and ACL (access control list) rules in the CKafka console to enhance access control in public/private network transfers and permission control in production and consumption of resources such as topics.
- Kafka offers various security authentication mechanisms, mainly SSL and SASL. SASL/PLAIN is an authentication method based on username and password and is the more commonly used one. CKafka supports SASL_PLAINTEXT authentication (for more information, please see Adding Routing Policy).
- An ACL lets you define a set of permission rules that allow or deny specific users, connecting from specific IPs, to read from or write to topic resources.
1. Log in to the CKafka console.
2. On the top bar, select a region and click the ID/Name of the target instance.
3. On the instance details page, click the User Management tab at the top.
4. On the user management page, click Create and enter the username and password to create a user.
5. Click ACL Policy Management at the top.
6. On the ACL policy details page, click Batch Configuration to grant permissions to the user.
- If allow rules are configured only, any IPs other than those configured with allow rules cannot connect to the instance.
- If deny rules are configured only, any IPs other than those configured with deny rules can connect to the instance.
- If allow and deny rules are simultaneously configured, only IPs with allow rules can connect to the instance.
You can grant permissions to the user through Topics or Topic name prefix:
- Topic name prefix: the policy applies to every topic whose name starts with the configured prefix. Up to five fuzzy matching rules can be set.
- Topics: select multiple topics that need to be configured with the same ACL policy. The “Topics” mode only supports configuring one policy.
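The allow/deny semantics and the topic / topic-name-prefix matching described above, modelled as an added example (not CKafka's own implementation; the rule fields, the five-prefix-rule cap check, and the assumption that a matching deny rule still wins when both kinds of rules exist are this example's own):

```python
from dataclasses import dataclass
from typing import List, Literal

# Constructed model of the console's ACL behaviour; field names are assumptions.
@dataclass(frozen=True)
class AclRule:
    effect: Literal["allow", "deny"]
    user: str
    ip: str                      # client IP, or "*" for any IP
    topic: str                   # exact topic name, or a name prefix when prefix=True
    op: Literal["read", "write"]
    prefix: bool = False

MAX_PREFIX_RULES = 5             # the console caps fuzzy (prefix) matching rules at five

def validate_rules(rules: List[AclRule]) -> None:
    """Reject rule sets that exceed the documented prefix-rule limit."""
    if sum(1 for r in rules if r.prefix) > MAX_PREFIX_RULES:
        raise ValueError(f"at most {MAX_PREFIX_RULES} topic name prefix rules are allowed")

def _matches(rule: AclRule, user: str, ip: str, topic: str, op: str) -> bool:
    topic_ok = topic.startswith(rule.topic) if rule.prefix else topic == rule.topic
    return rule.user == user and rule.ip in ("*", ip) and topic_ok and rule.op == op

def is_permitted(rules: List[AclRule], user: str, ip: str, topic: str, op: str) -> bool:
    """Decide access using the three documented cases: allow only, deny only, both."""
    allows = [r for r in rules if r.effect == "allow"]
    denies = [r for r in rules if r.effect == "deny"]
    allowed = any(_matches(r, user, ip, topic, op) for r in allows)
    denied = any(_matches(r, user, ip, topic, op) for r in denies)
    if allows and not denies:    # allow rules only: anything not explicitly allowed is rejected
        return allowed
    if denies and not allows:    # deny rules only: anything not explicitly denied is accepted
        return not denied
    if allows and denies:        # both: only allowed IPs get in; assumption: a matching deny still wins
        return allowed and not denied
    return True                  # assumption: no ACL configured means no restriction

# Constructed sample policy: one exact-topic allow rule and one prefix deny rule.
SAMPLE_RULES = [
    AclRule("allow", "app", "10.0.0.5", "orders", "read"),
    AclRule("deny", "app", "*", "audit-", "write", prefix=True),
]
validate_rules(SAMPLE_RULES)
```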
- Enabling routing only affects the authentication method used during access; the configured ACL policy takes effect globally.
- If you use the PLAINTEXT method to access Kafka while public network access routing is enabled, the ACL previously set for the topics will still take effect. If you want PLAINTEXT access to be unaffected, add read/write permissions for all users on the topics that PLAINTEXT clients need to access.
- If a topic is already being used by another Tencent Cloud service (e.g., log shipping in CLS, message dump in SCF, or component consumption in EMR), enabling an ACL policy restricts the permissions of these linked capabilities, and they will immediately become unavailable. Therefore, proceed with caution. In such cases, we recommend producing the same data to a separate topic for independent processing instead of configuring a unified ACL policy on the shared topic.
After authorization is complete, the user can access CKafka through the SASL access point and produce or consume messages using the PLAIN mechanism. For details, see the SDK Documentation.