
ApsaraMQ for Kafka: Use the ACL feature for access control

Last Updated: Dec 12, 2024

If you want to grant different permissions to different users or user groups, you can use the access control list (ACL) feature provided by ApsaraMQ for Kafka Professional Edition and Serverless Edition instances. The feature allows you to grant permissions on resources such as topics and groups to Simple Authentication and Security Layer (SASL) users to implement fine-grained permission management.

Background information

Enterprise A purchased ApsaraMQ for Kafka and wants User A to only consume messages from all ApsaraMQ for Kafka topics.

Usage notes

  • An ApsaraMQ for Kafka instance of the Internet- and virtual private cloud (VPC)-connected type provides a default SASL user that has read and write permissions on all topics and groups on the instance. To implement fine-grained permission control, you must enable ACL, create SASL users, and grant each user only the permissions it needs to send and receive messages in ApsaraMQ for Kafka. After you enable ACL, the permissions granted to the default SASL user become invalid, so any client that still authenticates as the default user loses access until it is switched to a newly created SASL user with equivalent grants. Plan the cutover accordingly.

  • After you enable ACL, topics are no longer created automatically. If a producer sends a message to a topic that does not exist on the instance, the topic is not created; create the topic in advance.

Prerequisites

Make sure that your ApsaraMQ for Kafka instance meets the following requirements:

  • The edition of the instance must be Professional Edition or Serverless Edition.

  • The instance is in the Running state.

  • The major version of the instance is 2.2.0 or later. For information about how to upgrade the major version, see the "Upgrade the version of an instance" section of the Upgrade instance versions topic.

  • The minor version of the instance is the latest. For information about how to update the minor version, see Upgrade instance versions.

Step 1: Enable ACL

After you update the minor version of the instance, enable ACL for the instance in the ApsaraMQ for Kafka console.

  1. Log on to the ApsaraMQ for Kafka console.

  2. In the Resource Distribution section of the Overview page, select the region where the ApsaraMQ for Kafka instance that you want to manage resides.

  3. On the Instances page, click the name of the instance that you want to manage.

  4. On the Instance Details page, click Enable ACL in the upper-right corner of the Overview section.

  5. In the Note message, click OK. Then, refresh the Instance Details page.

    After you refresh the Instance Details page, the value of the Status parameter in the Basic Information section is displayed as Upgrading. When the value of the Status parameter becomes Running, ACL is enabled.

    Important

    You can enable ACL for an ApsaraMQ for Kafka instance only after the version of the instance is upgraded. Then, you can create a SASL user and grant the user the required permissions. This way, you can use the SASL user to connect to the ApsaraMQ for Kafka instance by using the SASL endpoint. The version upgrade takes about 15 to 20 minutes.

Step 2: Create a SASL user

After you enable ACL for the instance, create a SASL user for User A.

  1. Log on to the ApsaraMQ for Kafka console.

  2. In the Resource Distribution section of the Overview page, select the region where the ApsaraMQ for Kafka instance that you want to manage resides.

  3. On the Instances page, select the instance for which ACL is enabled.

  4. On the Instance Details page, click the Manage SASL Users tab. For serverless instances, choose Permissions > Manage SASL Users in the left-side pane on the Instance Details page.

  5. On the Manage SASL Users tab, click Create SASL User.

  6. In the Create SASL User panel, configure the parameters and click OK. The following table describes the parameters.

    Parameter

    Description

    Username

    The name of the SASL user.

    User Type

    ApsaraMQ for Kafka supports the following SASL mechanisms:

    • PLAIN: a simple mechanism that uses usernames and passwords to verify user identities. The client sends the username and password as-is in the SASL exchange, so PLAIN is only as confidential as the transport it runs over; use it only on a TLS-protected endpoint. ApsaraMQ for Kafka provides an optimized PLAIN mechanism that allows you to dynamically create SASL users for an instance without the need to restart the instance.

    • SCRAM: a salted challenge-response mechanism (RFC 5802) that uses usernames and passwords to verify user identities. The client proves that it knows the password without transmitting it, and the server stores only salted, iterated hashes rather than the password, so SCRAM provides better security protection than PLAIN. Non-serverless ApsaraMQ for Kafka instances use SCRAM-SHA-256. By default, serverless instances use SCRAM-SHA-512. SCRAM authenticates the connection but does not encrypt it; transport encryption comes from TLS on the endpoint that you connect to.

    Password

    The password of the SASL user.

    Confirm Password

    Enter the password of the SASL user again to confirm it.

    The SASL user that you created is displayed on the Manage SASL Users tab.

    • If you want to change the password of the SASL user, click Change Password in the Actions column. In the Change Password of SASL User panel, configure the New Password and Confirm Password parameters. Click OK.

    • If you want to delete the SASL user, click Delete in the Actions column.
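To see why the User Type table calls SCRAM more secure than PLAIN, it helps to walk through what each mechanism actually puts on the wire and what the server has to store. The following Python is an added example written for this page, not ApsaraMQ for Kafka or Apache Kafka code: it implements SASL/PLAIN (RFC 4616) and a complete SCRAM-SHA-256 handshake (RFC 5802/RFC 7677) with both sides' messages. The user name, password, nonces and salt are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import secrets

# SCRAM-SHA-256 as specified in RFC 5802/RFC 7677. Kafka's SASL/SCRAM runs
# exactly this exchange; switching to SHA-512 only changes HASH below.
HASH = "sha256"


def _h(data):
    return hashlib.new(HASH, data).digest()


def _hmac(key, msg):
    return hmac.new(key, msg, HASH).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _b64(raw):
    return base64.b64encode(raw).decode()


def plain_exchange(username, password):
    """SASL/PLAIN (RFC 4616): the client's single message carries the password
    verbatim, so anyone who can read the transport can read the credential."""
    return f"\0{username}\0{password}"


def scram_store(password, salt=None, iterations=4096):
    """What the server keeps for a SCRAM user. The password is not stored;
    recovering it from StoredKey/ServerKey means brute-forcing PBKDF2."""
    salt = salt or os.urandom(16)
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": _h(_hmac(salted, b"Client Key")),
        "server_key": _hmac(salted, b"Server Key"),
    }


def scram_exchange(username, password, record, cnonce=None, snonce=None):
    """One complete SCRAM authentication between a client holding `password`
    and a server holding only `record`. Returns (authenticated, transcript),
    where transcript is the list of messages that would cross the wire."""
    cnonce = cnonce or secrets.token_urlsafe(18)
    snonce = snonce or secrets.token_urlsafe(18)
    nonce = cnonce + snonce

    # client-first-message: GS2 header "n,," (no channel binding, no authzid).
    client_first_bare = f"n={username},r={cnonce}"
    client_first = "n,," + client_first_bare
    # server-first-message: extends the nonce and tells the client how to salt.
    server_first = f"r={nonce},s={_b64(record['salt'])},i={record['iterations']}"

    # Client side: derive ClientKey from the password; it never leaves the client.
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), record["salt"], record["iterations"])
    client_key = _hmac(salted, b"Client Key")
    client_final_bare = f"c={_b64(b'n,,')},r={nonce}"
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    client_proof = _xor(client_key, _hmac(_h(client_key), auth_message))
    client_final = f"{client_final_bare},p={_b64(client_proof)}"
    transcript = [client_first, server_first, client_final]

    # Server side: unmask ClientKey with its own StoredKey and check H(ClientKey).
    recovered = _xor(client_proof, _hmac(record["stored_key"], auth_message))
    if not hmac.compare_digest(_h(recovered), record["stored_key"]):
        transcript.append("e=invalid-proof")
        return False, transcript

    # server-final-message: ServerSignature proves the server knows ServerKey,
    # so a fake broker cannot complete the handshake (mutual authentication).
    server_sig = _hmac(record["server_key"], auth_message)
    transcript.append(f"v={_b64(server_sig)}")
    expected = _hmac(_hmac(salted, b"Server Key"), auth_message)
    return hmac.compare_digest(expected, server_sig), transcript
```

Run `scram_exchange` with a correct and a wrong password and compare the transcripts with `plain_exchange`: the SCRAM transcript carries nonces, the salt, the iteration count, a proof and a server signature but never the password, and the server record holds only StoredKey and ServerKey, whereas the PLAIN message is the password itself. That is the difference the table summarizes as "better security protection", and it is also why PLAIN needs TLS underneath it.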

Step 3: Grant permissions to the SASL user

After you create a SASL user for User A, grant the SASL user Read permission on the topics it consumes from and on the consumer groups it joins. A Kafka consumer needs both: Read on a topic to fetch messages, and Read on a group to join it and commit offsets. For a consume-only user, grant nothing else.

  1. On the Instance Details page, click the Manage SASL User Permissions tab.

  2. On the Manage SASL User Permissions tab, click Grant Permission.

  3. In the Grant Permission panel, configure the parameters and click OK. The following table describes the parameters.

    Parameter

    Description

    Username

    The name of the SASL user. ApsaraMQ for Kafka supports the use of asterisks (*) as wildcard characters. An asterisk (*) matches all usernames, including SASL users created later, so use it only for resources that every client on the instance is meant to access.

    Resource Type

    The resource type. ApsaraMQ for Kafka allows you to grant permissions on the following types of resources to a SASL user:

    • Topic: topic

    • Group: consumer group

    • Cluster: instance

    • TransactionalId: transaction ID

    Match Mode

    The mode that is used to match resources. ApsaraMQ for Kafka supports the following match modes:

    • Exact Match: In this mode, only the resource with the same name is matched.

    • Prefix Match: In this mode, resources whose names start with the specified prefix are matched.

    Resource Name

    The name of the topic, group, or instance, or the ID of the transaction. This parameter specifies the resources on which you want to grant the permissions. ApsaraMQ for Kafka supports the use of asterisks (*) as wildcard characters. An asterisk (*) matches all resource names of the selected type, including topics or groups created later. For least privilege, prefer Exact Match or a narrow prefix.

    Operation Type

    The type of permissions that you want to grant. ApsaraMQ for Kafka supports the following types of permissions:

    • Write

    • Read

    • Idempotent Write Operation

    Important
    • If you set the Resource Type parameter to Group, set this parameter to Read.

    • If you set the Resource Type parameter to Cluster, set this parameter to Idempotent Write Operation.

    Serverless instances

    For serverless instances, the Grant Permission panel provides the following parameters.

    Parameter

    Description

    Username

    The name of the SASL user. ApsaraMQ for Kafka supports the use of asterisks (*) as wildcard characters. An asterisk (*) matches all usernames, including SASL users created later, so use it only for resources that every client on the instance is meant to access.

    Resource Type

    The resource type. ApsaraMQ for Kafka allows you to grant permissions on the following types of resources to a SASL user:

    • Topic: topic

    • Group: consumer group

    • Cluster: instance

    • TransactionalId: transaction ID

    Match Mode

    The mode that is used to match resources. ApsaraMQ for Kafka supports the following match modes:

    • Exact Match: In this mode, only the resource with the same name is matched.

    • Prefix Match: In this mode, resources whose names start with the specified prefix are matched.

    Resource Name

    The name of the topic, group, or instance, or the ID of the transaction. This parameter specifies the resources on which you want to grant the permissions. ApsaraMQ for Kafka supports the use of asterisks (*) as wildcard characters. An asterisk (*) matches all resource names of the selected type, including topics or groups created later. For least privilege, prefer Exact Match or a narrow prefix.

    Source IP Address

    The client IP addresses to which this rule applies. Combined with the Authorization Method parameter, this lets you allow or deny access from specific IP addresses. Limiting a grant to a known source range also limits what a leaked credential can be used from.

    Authorization Method

    Whether the rule grants or refuses the matched operations:

    • ALLOW: grant the operations.

    • DENY: refuse the operations.

    Operation Type

    The type of permissions that you want to grant. ApsaraMQ for Kafka supports the following types of permissions:

    • WRITE: write

    • READ: read

    • CREATE: create

    • DELETE: delete

    • DESCRIBE: view the metadata and offset information

    • DESCRIBE_CONFIGS: view the configuration information

    • IDEMPOTENT_WRITE: idempotent write

    Important
    • Apache Kafka clients of version 3.0 or later enable idempotent writes by default (enable.idempotence=true). If you keep idempotence enabled, you must also grant the IDEMPOTENT_WRITE permission in addition to WRITE on the topic; otherwise, the producer cannot send messages. If you do not want to grant IDEMPOTENT_WRITE, set enable.idempotence to false on the client.

    • By default, if you grant the WRITE, READ, DELETE, or CREATE permission to a SASL user, the SASL user is also granted the DESCRIBE permission.

    • If you set the Resource Type parameter to Cluster, set this parameter to IDEMPOTENT_WRITE.

    After you grant the required permissions to the SASL user, you can query the permissions. To query the permissions, go to the Manage SASL User Permissions tab and configure the Resource Type, Match Mode, Resource Name, and Username parameters. Then, click Search.
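The rules in the two tables above (wildcard user and resource names, Exact Match and Prefix Match, the implied DESCRIBE permission, IDEMPOTENT_WRITE on the Cluster resource, and ALLOW/DENY with a source IP address on serverless instances) can be checked offline before you click Grant Permission. The following Python model is an added example written for this page, not ApsaraMQ for Kafka code. The instance, user, topic and group names are constructed; CIDR syntax for Source IP Address and DENY-beats-ALLOW precedence are assumptions (the latter is Apache Kafka's own authorizer rule, which the page does not confirm for ApsaraMQ).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Granting WRITE, READ, DELETE or CREATE on a resource also grants DESCRIBE on it.
IMPLIES_DESCRIBE = {"WRITE", "READ", "DELETE", "CREATE"}
# Hypothetical instance name, used as the resource name of the Cluster resource.
INSTANCE = "alikafka-example"


@dataclass(frozen=True)
class Acl:
    """One row of the Grant Permission panel, in the page's own terms."""
    username: str              # SASL user name, or "*" for every user
    resource_type: str         # "Topic", "Group", "Cluster" or "TransactionalId"
    match_mode: str            # "Exact" or "Prefix"
    resource_name: str         # name or transactional id, or "*" for all
    operation: str             # WRITE, READ, CREATE, DELETE, DESCRIBE, DESCRIBE_CONFIGS, IDEMPOTENT_WRITE
    permission: str = "ALLOW"  # "ALLOW" or "DENY" (serverless instances)
    source_ip: str = "*"       # "*" or a CIDR such as "10.0.0.0/8" (CIDR syntax is an assumption)

    def matches(self, user, rtype, name, op, client_ip):
        if self.username not in ("*", user) or self.resource_type != rtype:
            return False
        if self.resource_name != "*":
            if self.match_mode == "Prefix":
                if not name.startswith(self.resource_name):
                    return False
            elif name != self.resource_name:
                return False
        if self.source_ip != "*" and ip_address(client_ip) not in ip_network(self.source_ip, strict=False):
            return False
        return op == self.operation or (op == "DESCRIBE" and self.operation in IMPLIES_DESCRIBE)


def authorize(acls: List[Acl], user, rtype, name, op, client_ip="0.0.0.0"):
    """Default deny; a matching DENY beats any matching ALLOW. That precedence
    is Apache Kafka's authorizer rule and is assumed here; the page does not
    state ApsaraMQ's evaluation order."""
    hits = [a for a in acls if a.matches(user, rtype, name, op, client_ip)]
    if any(a.permission == "DENY" for a in hits):
        return False
    return any(a.permission == "ALLOW" for a in hits)


def can_consume(acls, user, topic, group, client_ip="0.0.0.0"):
    """Fetching needs READ on the topic; joining the group and committing
    offsets needs READ on the group. Both must pass."""
    return (authorize(acls, user, "Topic", topic, "READ", client_ip)
            and authorize(acls, user, "Group", group, "READ", client_ip))


def can_produce(acls, user, topic, client_ip="0.0.0.0", idempotent=True):
    """Producing needs WRITE on the topic. Clients 3.0+ default to
    enable.idempotence=true, which also needs IDEMPOTENT_WRITE on Cluster."""
    ok = authorize(acls, user, "Topic", topic, "WRITE", client_ip)
    if idempotent:
        ok = ok and authorize(acls, user, "Cluster", INSTANCE, "IDEMPOTENT_WRITE", client_ip)
    return ok


# Constructed grants for User A from the Background section: consume from every
# topic, from the office network only, never from the audit-* topics, no produce.
USER_A_ACLS = [
    Acl("userA", "Topic", "Exact", "*", "READ", source_ip="10.0.0.0/8"),
    Acl("userA", "Group", "Exact", "*", "READ"),
    Acl("userA", "Topic", "Prefix", "audit-", "READ", permission="DENY"),
]

# Constructed grants for a producer that was given WRITE but no Cluster grant.
PRODUCER_ACLS = [Acl("producer", "Topic", "Exact", "orders", "WRITE")]

if __name__ == "__main__":
    print("userA consume orders from 10.1.2.3:", can_consume(USER_A_ACLS, "userA", "orders", "orders-cg", "10.1.2.3"))
    print("userA consume orders from 203.0.113.5:", can_consume(USER_A_ACLS, "userA", "orders", "orders-cg", "203.0.113.5"))
    print("userA consume audit-log:", can_consume(USER_A_ACLS, "userA", "audit-log", "orders-cg", "10.1.2.3"))
    print("userA produce orders:", can_produce(USER_A_ACLS, "userA", "orders", "10.1.2.3"))
    print("producer idempotent produce:", can_produce(PRODUCER_ACLS, "producer", "orders"))
    print("producer non-idempotent produce:", can_produce(PRODUCER_ACLS, "producer", "orders", idempotent=False))
```

The last two lines of the demo are the case the Important note above warns about: a producer with only WRITE on its topic succeeds with enable.idempotence=false but fails with the 3.0+ default of true until IDEMPOTENT_WRITE on the Cluster resource is added. Encode the grants you intend to make in this form, run the checks your clients will actually perform, and only then enter them in the console or pass them to CreateAcl.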

Related operations

  • After you grant permissions to the SASL user, User A can use the SASL endpoint to access the ApsaraMQ for Kafka instance and consume messages. The client must authenticate with the SASL mechanism that matches the User Type of the SASL user (PLAIN in this example). For information about how to use SDKs to connect to ApsaraMQ for Kafka, see Overview.

  • For information about how to grant permissions to a SASL user by calling API operations, see CreateSaslUser and CreateAcl.

  • For information about SASL endpoints, see Comparison among endpoints.