Use Access Control Lists (ACLs) on Confluent Cloud¶
Access control lists (ACLs) provide secure access to your Confluent Cloud Apache Kafka® resources and data. A principal has permissions only for the Confluent Cloud resources granted to them.
Important
Confluent Cloud ACLs are similar to Kafka ACLs. Before attempting to create and use ACLs, you should familiarize yourself with ACL concepts. Doing so can help you avoid common pitfalls that can occur when creating and using ACLs to manage access to components and cluster data.
The operations available to a principal depend on which resources they have permission to access. When defining an ACL, carefully consider which resources your principals have access to and the operations they can perform. Depending on the data and resources that specific principals need access to, you might need to define more than one ACL to meet your requirements.
Important
When a principal is deleted, the associated ACLs are not cleaned up automatically. Your administrator should ensure that the ACLs associated with the principal are deleted.
ACL resources and operations for Confluent Cloud (summary)¶
The ACL resources and operations listed below are a subset of the Kafka ACL resources and operations for Confluent Platform.
| Resource | Operation |
|---|---|
| Cluster | Create (allows creating topics)
Describe: DescribeConfigs, DescribeCluster, other meta-data
IdempotentWrite: for producers in Idempotent mode, InitProducerId(idempotent): To initialize the producer
Alter (CreateAcls, DeleteAcls)
|
| Consumer Groups | Delete
Describe
Read
|
| Topic | Alter
AlterConfigs
Create
Delete
Describe (for example, number of partitions)
DescribeConfigs
Read
Write
|
| TransactionalID | Describe
Write
|
ACL operation details¶
Create ACL¶
Supports both Resource ID (resourceId) and the Integer ID (userIntegerId) as principal.
Example:
- Resource ID (
resourceId):User:sa-1234 - Integer ID (
userIntegerId):User:1234
Describe ACL¶
| Describe ACL principal format | Describes ACLs for | Returns using this format |
|---|---|---|
Integer ID: User:1234 |
User:1234 and User:sa-1234 |
Integer ID |
Resource ID: User:sa-1234 |
User:1234 and User:sa-1234 |
Resource ID: User:sa-1234 |
| None | All | Integer ID: User:1234 |
Resource ID: UserV2:* |
All | Resource ID: User:sa-1234 |
Delete ACL¶
| ACL principal format | Deletes ACLs for | Returns using this format |
|---|---|---|
Integer ID: User:1234 |
User:1234 and User:sa-1234 |
Integer ID: User:1234 |
Resource ID: User:sa-1234 |
User:1234 and User:sa-1234 |
Resource ID: User:sa-1234 |
| None | All | Integer ID: User:1234 |
Resource ID: UserV2:* |
All | Resource ID: User:sa-1234 |
Important
If you delete a user, and have ACLs created using both formats (Integer ID and Resource ID), then you must delete ACLs for both the Integer ID and Resource ID formats.
Cluster Linking¶
If you use cluster linking to replicate data between two Confluent Cloud Kafka clusters, the same principal must be used for both clusters, but your ACLs can include either the Resource ID or Integer ID to specify your resources.
For example, if you are using cluster linking to migrate data between two Confluent Cloud clusters, you could have ACLs that use the deprecated Integer ID format on the source cluster and the Resource ID format for ACLs on the destination cluster.
For details, see ACL syncing.