If you want to grant different permissions to different users or user groups, you can use the access control list (ACL) feature provided by ApsaraMQ for Kafka Professional Edition instances. The feature allows you to grant permissions on resources such as topics and groups to Simple Authentication and Security Layer (SASL) users to implement fine-grained permission management.
Background information
Enterprise A purchased ApsaraMQ for Kafka and wants User A to only consume messages from all ApsaraMQ for Kafka topics.
Usage notes
An ApsaraMQ for Kafka instance of the Internet- and virtual private cloud (VPC)-connected type provides a default SASL user. The default SASL user is granted the read and write permissions on all topics and groups on the instance. If you want to implement fine-grained permission control, you must enable ACL, create a SASL user, and then grant the SASL user the permissions to send and receive messages in ApsaraMQ for Kafka based on your business requirements. After you enable ACL, the permissions granted to the default SASL user become invalid.
After you enable ACL, a topic is not automatically created if you send a message to your ApsaraMQ for Kafka instance without specifying a topic.
Prerequisites
Make sure that your ApsaraMQ for Kafka instance meets the following requirements:
The edition of the instance is Professional Edition.
The instance is in the Running state.
The major version of the instance is 2.2.0 or later. For information about how to upgrade the major version, see Upgrade instance versions.
The minor version of the instance is the latest. For information about how to update the minor version, see Upgrade instance versions.
Step 1: Enable ACL
After you update the minor version of the instance, enable ACL for the instance in the ApsaraMQ for Kafka console.
Log on to the ApsaraMQ for Kafka console.
In the Resource Distribution section of the Overview page, select the region where the ApsaraMQ for Kafka instance that you want to manage resides.
On the Instances page, click the name of the instance that you want to manage.
On the Instance Details page, click Enable ACL in the upper-right corner of the Overview section.
In the Note message, click OK. Then, refresh the Instance Details page.
After you refresh the Instance Details page, the value of the Status parameter in the Basic Information section is displayed as Upgrading. When the value of the Status parameter becomes Running, ACL is enabled.
Important: You can enable ACL only after the minor version of the instance is updated. Then, you can create a SASL user and grant the user the required permissions. This way, you can use the SASL user to connect to the ApsaraMQ for Kafka instance by using the SASL endpoint. The upgrade may require 15 to 20 minutes to complete.
Step 2: Create a SASL user
After you enable ACL for the instance, create a SASL user for User A.
Log on to the ApsaraMQ for Kafka console.
In the Resource Distribution section of the Overview page, select the region where the ApsaraMQ for Kafka instance that you want to manage resides.
On the Instances page, select the instance for which ACL is enabled.
On the Instance Details page, click the Manage SASL Users tab.
On the Manage SASL Users tab, click Create SASL User.
In the Create SASL User panel, configure the parameters and click OK. The following list describes the parameters.
Username: The name of the SASL user.
User Type: The SASL mechanism with which the user authenticates. ApsaraMQ for Kafka supports the following SASL mechanisms:
PLAIN: a simple mechanism that uses usernames and passwords to verify user identities. ApsaraMQ for Kafka provides an optimized PLAIN mechanism that allows you to dynamically create SASL users for an instance without the need to restart the instance.
SCRAM: a mechanism that uses usernames and passwords to verify user identities. Compared with the PLAIN mechanism, this mechanism provides better security protection. ApsaraMQ for Kafka uses the SCRAM-SHA-256 algorithm to encrypt connections.
Password: The password of the SASL user.
Confirm Password: Enter the password of the SASL user again to confirm it.
The SASL user that you created is displayed on the Manage SASL Users tab.
If you want to change the password of the SASL user, click Change Password in the Actions column. In the Change Password of SASL User panel, configure the New Password and Confirm Password parameters. Click OK.
If you want to delete the SASL user, click Delete in the Actions column.
Step 3: Grant permissions to the SASL user
After you create a SASL user for User A, grant the SASL user the permissions to read messages from topics and consumer groups.
On the Instance Details page, click the Manage SASL User Permissions tab.
On the Manage SASL User Permissions tab, click Grant Permission.
In the Grant Permission panel, configure the parameters and click OK. The following list describes the parameters.
Username: The name of the SASL user. ApsaraMQ for Kafka supports asterisks (*) as wildcard characters. An asterisk (*) matches all usernames.
Resource Type: The type of resource. ApsaraMQ for Kafka allows you to grant a SASL user permissions on the following types of resources:
Topic: topic
Group: consumer group
Cluster: cluster
TransactionalId: transaction ID
Match Mode: The mode that is used to match resources. ApsaraMQ for Kafka supports the following match modes:
Exact Match: only the resource whose name is identical to the specified name is matched.
Prefix Match: all resources whose names start with the specified prefix are matched.
Resource Name: The name of the topic, group, or instance, or the ID of the transaction. This parameter specifies the resources on which the permissions are granted. ApsaraMQ for Kafka supports asterisks (*) as wildcard characters. An asterisk (*) matches all resource names.
Operation Type: The type of permission that you want to grant. ApsaraMQ for Kafka supports the following types of permissions:
Write
Read
Idempotent Write Operation
Important: If you set the Resource Type parameter to Group, set this parameter to Read. If you set the Resource Type parameter to Cluster, set this parameter to Idempotent Write Operation.
After you grant the required permissions to the SASL user, you can query the permissions. To query the permissions, go to the Manage SASL User Permissions tab and configure the Resource Type, Match Mode, Resource Name, and Username parameters. Then, click Search.
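One way to sanity-check a set of grants before applying them, as an added example that is not ApsaraMQ for Kafka code: a small Python authorizer that models the rules described above (username and resource-name wildcards, Exact Match versus Prefix Match, the Group and Cluster operation constraints, and default deny once ACL is enabled). The `Acl` class and the function names are assumptions of this example, and the grants it builds are the ones User A from the Background section needs.

```python
# Added example, not ApsaraMQ for Kafka code: a toy authorizer modelling the Grant
# Permission rows of Step 3 so User A's grants can be checked before they are applied.
from dataclasses import dataclass
from typing import Iterable, Optional

RESOURCE_TYPES = ("Topic", "Group", "Cluster", "TransactionalId")
OPERATIONS = ("Write", "Read", "Idempotent Write Operation")

@dataclass(frozen=True)
class Acl:
    username: str       # "*" matches every SASL user
    resource_type: str  # one of RESOURCE_TYPES
    match_mode: str     # "Exact Match" or "Prefix Match"
    resource_name: str  # "*" matches every resource name
    operation: str      # one of OPERATIONS

def acl_error(acl: Acl) -> Optional[str]:
    """Return why a row would be rejected, or None if it is well-formed."""
    if acl.resource_type not in RESOURCE_TYPES or acl.operation not in OPERATIONS:
        return "unknown resource type or operation"
    if acl.match_mode not in ("Exact Match", "Prefix Match"):
        return "unknown match mode"
    if acl.resource_type == "Group" and acl.operation != "Read":
        return "Group resources only accept the Read operation"
    if acl.resource_type == "Cluster" and acl.operation != "Idempotent Write Operation":
        return "Cluster resources only accept Idempotent Write Operation"
    return None

def acl_matches(acl: Acl, user: str, rtype: str, rname: str, op: str) -> bool:
    """Does this row grant `op` on resource (rtype, rname) to `user`?"""
    if acl.username not in ("*", user) or acl.resource_type != rtype or acl.operation != op:
        return False
    if acl.resource_name == "*":
        return True
    if acl.match_mode == "Prefix Match":
        return rname.startswith(acl.resource_name)
    return rname == acl.resource_name  # Exact Match

def is_allowed(acls: Iterable[Acl], user: str, rtype: str, rname: str, op: str) -> bool:
    """Default deny once ACL is enabled: no matching grant means no access."""
    return any(acl_matches(a, user, rtype, rname, op) for a in acls)

def consume_only_grants(user: str) -> list:
    """The two rows User A (Background section) needs: Read on all topics and groups."""
    rows = [Acl(user, "Topic", "Exact Match", "*", "Read"),
            Acl(user, "Group", "Exact Match", "*", "Read")]
    assert all(acl_error(r) is None for r in rows)
    return rows
```

Running `consume_only_grants("userA")` through `is_allowed` shows that User A can read any topic and join any consumer group but is refused any Write, which is exactly the consume-only scope the scenario asks for.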
Related operations
After you grant permissions to the SASL user, User A can use the SASL endpoint to access the ApsaraMQ for Kafka instance and use the PLAIN mechanism to consume messages. For information about how to use SDKs to connect to ApsaraMQ for Kafka, see Overview.
For information about how to grant permissions to a SASL user by calling API operations, see CreateSaslUser and CreateAcl.
For information about SASL endpoints, see Comparison among endpoints.