ACL Operations
This page covers the operational aspects of working with ACLs in Confluent Cloud, including resource types, operations, and implementation details.
ACL resources and operations for Confluent Cloud (summary)
The ACL resources and operations listed below are available in Confluent Cloud for controlling access to Kafka resources. Each operation can be granted with ALLOW or DENY permissions.
Resource | Operation |
|---|---|
Cluster | CREATE (allows creating topics) DESCRIBE: DescribeConfigs, DescribeCluster, other meta-data IDEMPOTENT_WRITE: for producers in Idempotent mode, InitProducerId(idempotent): To initialize the producer ALTER (CreateAcls, DeleteAcls) |
Consumer Groups | DELETE DESCRIBE READ |
Topic | ALTER ALTER_CONFIGS CREATE DELETE DESCRIBE (for example, number of partitions) DESCRIBE_CONFIGS READ WRITE |
TransactionalID | DESCRIBE WRITE |
Note
All operations listed above support both ALLOW and DENY permissions. DENY permissions take precedence over ALLOW permissions and RBAC role bindings.
ACL operation details
Create ACL
Supports both Resource ID (resourceId) and the Integer ID (userIntegerId) as principal.
Example:
Resource ID (
resourceId):User:sa-1234Integer ID (
userIntegerId):User:1234
Describe ACL
When describing ACLs, the principal format you use affects which ACLs are returned:
Principal format used | ACLs returned for | Return format |
|---|---|---|
Integer ID: | Both Integer and Resource ID formats | Integer ID format |
Resource ID: | Both Integer and Resource ID formats | Resource ID format |
None (list all) | All ACLs | Integer ID format |
Resource ID: | All ACLs | Resource ID format |
Delete ACL
When deleting ACLs, the principal format you use affects which ACLs are deleted:
Principal format used | ACLs deleted for | Return format |
|---|---|---|
Integer ID: | Both Integer and Resource ID formats | Integer ID format |
Resource ID: | Both Integer and Resource ID formats | Resource ID format |
None (delete all) | All ACLs | Integer ID format |
Resource ID: | All ACLs | Resource ID format |
Important
If you delete a user, and have ACLs created using both formats (Integer ID and Resource ID), then you must delete ACLs for both the Integer ID and Resource ID formats.
Cluster linking
If you use cluster linking to replicate data between two Confluent Cloud Kafka clusters, the same principal must be used for both clusters, but your ACLs can include either the Resource ID or Integer ID to specify your resources.
For example, if you are using cluster linking to migrate data between two Confluent Cloud clusters, you could have ACLs that use the deprecated Integer ID format on the source cluster and the Resource ID format for ACLs on the destination cluster.
For details, see ACL syncing. For more information about cluster linking security considerations, see Manage Security for Cluster Linking on Confluent Cloud.