
Managing Kafka User Permission

Scenario

For clusters with Kerberos authentication enabled, users need the relevant permissions to use Kafka. MRS clusters can grant Kafka permissions to different users.

Table 1 lists the default Kafka user groups.

Table 1 Default Kafka user groups

| User Group | Description |
|---|---|
| kafkaadmin | Kafka administrator group. Users in this group have the permission to create, delete, read, and write all topics, and authorize other users. |
| kafkasuperuser | Kafka super user group. Users in this group have the permission to read and write all topics. |
| kafka | Kafka common user group. Users in this group must be authorized by the users in kafkaadmin to read and write certain topics. |

Prerequisites

  • The client has been updated.
  • A user in the kafkaadmin group, for example admin, has been prepared.

Procedure

  1. On MRS Manager, choose Service > ZooKeeper > Instance. Query the IP addresses of the ZooKeeper instances.

    Record the IP address of any ZooKeeper instance.

  2. Log in to the node where the client is installed.

    For example, if you have updated the client on the Master2 node, log in to the Master2 node to use the client. For details, see Client Management.

  3. Run the following command to switch the user:

    sudo su - omm

  4. Run the following command to switch to the client directory, for example, /opt/client/Kafka/kafka/bin.

    cd /opt/client/Kafka/kafka/bin

  5. Run the following command to configure the environment variables:

    source /opt/client/bigdata_env

  6. Run the following command to authenticate the Kafka administrator account.

    kinit <Administrator account>

    For example, kinit admin

  7. Manage Kafka user permission using the following commands:

    • Query the permission list of a topic.

      sh kafka-acls.sh --authorizer-properties zookeeper.connect=<IP address of the node where the ZooKeeper instance is located>:24002/kafka --list --topic <Topic name>

    • Add producer permission to a user.

      sh kafka-acls.sh --authorizer-properties zookeeper.connect=<IP address of the node where the ZooKeeper instance is located>:24002/kafka --add --allow-principal User:<Username> --producer --topic <Topic name>

    • Remove producer permission of a user.

      sh kafka-acls.sh --authorizer-properties zookeeper.connect=<IP address of the node where the ZooKeeper instance is located>:24002/kafka --remove --allow-principal User:<Username> --producer --topic <Topic name>

    • Add consumer permission to a user.

      sh kafka-acls.sh --authorizer-properties zookeeper.connect=<IP address of the node where the ZooKeeper instance is located>:24002/kafka --add --allow-principal User:<Username> --consumer --topic <Topic name> --group <Consumer group name>

    • Remove consumer permission of a user.

      sh kafka-acls.sh --authorizer-properties zookeeper.connect=<IP address of the node where the ZooKeeper instance is located>:24002/kafka --remove --allow-principal User:<Username> --consumer --topic <Topic name> --group <Consumer group name>

    NOTE:

    You need to enter y twice to confirm the removal of permission.
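
The commands in step 7 with concrete values filled in, as an added example that is not part of the original guide: a dry-run helper that validates its arguments and prints the resulting kafka-acls.sh command without executing it. The function names, the validation rules for user and group names, and the sample values (192.0.2.10, orders, alice) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the MRS guide): build the step 7 command lines
# from validated values. Dry run only: the command is printed, not executed.
ZK_PORT=24002   # ZooKeeper port used in the commands on this page

# is_name VALUE: accept only [A-Za-z0-9._-], the characters Kafka allows in
# topic names. Applying the same set to user and group names is an assumption
# of this example; it also rejects whitespace, quotes and the '*' wildcard.
is_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# is_ipv4 VALUE: loose dotted-quad check for the ZooKeeper instance address.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# kafka_acl_cmd ACTION ZK_IP TOPIC [USER] [GROUP]
# ACTION: list | add-producer | remove-producer | add-consumer | remove-consumer
kafka_acl_cmd() {
    action=$1 zk_ip=$2 topic=$3 user=${4:-} group=${5:-}
    is_ipv4 "$zk_ip" || { echo "bad ZooKeeper IP" >&2; return 2; }
    is_name "$topic" || { echo "bad topic name" >&2; return 2; }
    base="sh kafka-acls.sh --authorizer-properties zookeeper.connect=${zk_ip}:${ZK_PORT}/kafka"
    case "$action" in
        list)
            echo "$base --list --topic $topic"; return 0 ;;
        add-producer|remove-producer|add-consumer|remove-consumer) ;;
        *) echo "unknown action" >&2; return 2 ;;
    esac
    is_name "$user" || { echo "bad user name" >&2; return 2; }
    op=${action%%-*}      # add | remove
    role=${action#*-}     # producer | consumer
    cmd="$base --$op --allow-principal User:$user --$role --topic $topic"
    if [ "$role" = consumer ]; then
        # Consumer ACLs on this page always name a consumer group.
        is_name "$group" || { echo "consumer ACLs need a group" >&2; return 2; }
        cmd="$cmd --group $group"
    fi
    echo "$cmd"
}
```

After each add or remove, print and run the `list` form for the same topic to confirm that the resulting permission list matches what was intended.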