.. _c3-auth-acls:

Configure |c3-short| to work with |ak| ACLs
===========================================

Before attempting to create and use Access Control Lists (ACLs), you should familiarize yourself with
:ref:`acl-concepts`. Doing so can help you avoid common pitfalls that can occur when creating and using
ACLs to manage access to components and cluster data.

Standard |ak-tm| authorization and encryption options are available for :ref:`control center ` and :ref:`interceptors `.

.. note::

   Only export ``PRINCIPAL`` if you have already defined the JAAS properties or user certificates.
   Also, you must create the |ak| ACLs before starting |c3-short|. You must then configure |c3-short|
   to authenticate to |ak| as the principal that is specified for the ACL.

Use the following script to create the ACLs that are required by |c3-short| to operate on an authorized cluster.
The script creates ACLs on specific topics and consumer groups, and grants permission to the user identified here
as the principal. You must run this script before you start |c3-short|:

.. sourcecode:: bash

   export PRINCIPAL=User:username
   export CONTROL_CENTER_OPTS="-Djava.security.auth.login.config="
   control-center-set-acls config/control-center.properties

.. important:: The principal specified above is the |ak| user, the same as specified in :ref:`Kafka Broker `.

For each |ak| topic that |c3| creates, ACLs are created to grant the specified principal the following privileges:

- CREATE
- WRITE
- DESCRIBE
- DESCRIBE_CONFIGS
- READ

The following ACLs are created to grant the specified principal privileges for the consumer group related to
the |c3| Streams application:

- READ

ACLs granting the following privileges are also created for the cluster:

- DESCRIBE
- DESCRIBE_CONFIGS

You must export a |c3-short| JAAS configuration before starting |c3-short|.

.. sourcecode:: bash

   export CONTROL_CENTER_OPTS='-Djava.security.auth.login.config='
   control-center-start config/control-center.properties

.. _c3-delete-acls:

Deleting |c3-short| ACLs
------------------------

There may be instances where you execute ``control-center-set-acls`` with the wrong |c3-short| principal.
To revert this action, run the script again using the ``--delete`` option. This deletes |c3-short| ACLs only
for the same topics and consumer groups in which the principal was originally specified.

To delete a |c3-short| ACL:

.. sourcecode:: bash

   export PRINCIPAL=User:username
   export CONTROL_CENTER_OPTS="-Djava.security.auth.login.config=/path/to/"
   control-center-set-acls config/control-center.properties --delete
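
To check what a principal actually holds after ``control-center-set-acls`` (or after ``--delete``) against the privilege lists above, the following added example, which is not part of the original page or of Confluent's tooling, flags any grant outside those lists. The function names ``audit_acls`` and ``sample_listing``, the principals ``User:c3`` and ``User:other``, the resource names, and the assumption that the input follows the layout printed by ``kafka-acls --list`` are all illustrative.

```shell
#!/usr/bin/env bash
# Added example: flag grants for a principal that go beyond the ACL set listed on this page.
# Reads text in the layout printed by `kafka-acls --list` (assumed layout; sample below).

audit_acls() {   # usage: audit_acls User:name < listing ; exit status 1 if anything is flagged
  awk -v who="$1" '
    function field(key,   v) {   # value of key=... on the current line
      v = $0; sub(".*" key "=", "", v); sub(/[,)].*/, "", v); return v
    }
    BEGIN {   # operations this page lists per resource type
      allowed["TOPIC"]   = " CREATE WRITE DESCRIBE DESCRIBE_CONFIGS READ "
      allowed["GROUP"]   = " READ "
      allowed["CLUSTER"] = " DESCRIBE DESCRIBE_CONFIGS "
    }
    /resourceType=/ { type = field("resourceType"); name = field("name"); next }
    /principal=/ {
      if (field("principal") != who || field("permissionType") != "ALLOW") next
      op = field("operation")
      # The script grants on specific topics and groups, so a wildcard resource is out of scope.
      if (name == "*")                            { print "WILDCARD", type, name, op; bad = 1 }
      else if (!index(allowed[type], " " op " ")) { print "UNEXPECTED", type, name, op; bad = 1 }
    }
    END { exit bad + 0 }
  '
}

sample_listing() {   # constructed sample data, not output captured from a real cluster
  cat <<'EOF'
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=example-c3-topic, patternType=LITERAL)`:
    (principal=User:c3, host=*, operation=READ, permissionType=ALLOW)
    (principal=User:c3, host=*, operation=WRITE, permissionType=ALLOW)
    (principal=User:c3, host=*, operation=DELETE, permissionType=ALLOW)
    (principal=User:other, host=*, operation=ALL, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=example-c3-group, patternType=LITERAL)`:
    (principal=User:c3, host=*, operation=READ, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=CLUSTER, name=kafka-cluster, patternType=LITERAL)`:
    (principal=User:c3, host=*, operation=ALTER, permissionType=ALLOW)
EOF
}

# Demo on the constructed sample: prints the DELETE and ALTER grants held by User:c3.
sample_listing | audit_acls User:c3 || echo "review the flagged grants"
```

Against a live cluster, pipe the output of ``kafka-acls --list`` into ``audit_acls`` in place of ``sample_listing``. An empty result means only that nothing exceeds the listed set; it does not confirm that every required ACL is present.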