confluent kafka acl create
Flags
--operations strings REQUIRED: A comma-separated list of ACL operations: (alter, alter-configs, cluster-action, create, delete, describe, describe-configs, idempotent-write, read, write).
--principal string Principal for this operation, prefixed with "User:".
--service-account string The service account ID.
--allow Access to the resource is allowed.
--deny Access to the resource is denied.
--cluster-scope Modify ACLs for the cluster.
--topic string Modify ACLs for the specified topic resource.
--consumer-group string Modify ACLs for the specified consumer group resource.
--transactional-id string Modify ACLs for the specified TransactionalID resource.
--prefix When this flag is set, the specified resource name is interpreted as a prefix.
--cluster string Kafka cluster ID.
--context string CLI context name.
--environment string Environment ID.
-o, --output string Specify the output format as "human", "json", or "yaml". (default "human")
--principal string REQUIRED: Principal for this operation with User: or Group: prefix.
--operation string REQUIRED: Set ACL Operation to: (`--all`, `--alter-configs`, `--alter`, `--cluster-action`, `--create`, `--delete`, `--describe-configs`, `--describe`, `--idempotent-write`, `--read`, `--write`).
--host string Set host for access. Only IP addresses are supported. (default "*")
--allow ACL permission to allow access.
--deny ACL permission to restrict access to resource.
--cluster-scope Set the cluster resource. With this option the ACL grants access to the provided operations on the Kafka cluster itself.
--consumer-group string Set the Consumer Group resource.
--transactional-id string Set the TransactionalID resource.
--topic string Set the topic resource. With this option the ACL grants the provided operations on the topics that start with that prefix, depending on whether the --prefix option was also passed.
--prefix Set to match all resource names prefixed with this value.
--url string Base URL of REST Proxy Endpoint of Kafka Cluster (include /kafka for embedded Rest Proxy). Must set flag or CONFLUENT_REST_URL.
--ca-cert-path string Path to a PEM-encoded CA to verify the Confluent REST Proxy.
--client-cert-path string Path to client cert to be verified by Confluent REST Proxy, include for mTLS authentication.
--client-key-path string Path to client private key, include for mTLS authentication.
--no-authentication Include if requests should be made without authentication headers, and user will not be prompted for credentials.
--prompt Bypass use of available login credentials and prompt for Kafka Rest credentials.
--context string CLI context name.
-o, --output string Specify the output format as "human", "json", or "yaml". (default "human")
Global Flags
-h, --help Show help for this command.
--unsafe-trace Equivalent to -vvvv, but also log HTTP requests and responses which may contain plaintext secrets.
-v, --verbose count Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).
Examples
You can specify only one of the following flags per command invocation: --cluster-scope, --consumer-group, --topic, or --transactional-id. For example, for a consumer to read a topic, you need to grant “READ” and “DESCRIBE” both on the --consumer-group and the --topic resources, issuing two separate commands:
confluent kafka acl create --allow --service-account sa-55555 --operations READ,DESCRIBE --consumer-group java_example_group_1
confluent kafka acl create --allow --service-account sa-55555 --operations READ,DESCRIBE --topic "*"
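The same two-command grant scoped to one consumer group and one topic name or prefix instead of `"*"`, as an added example that is not part of the Confluent documentation. The helper name `consumer_acl_commands`, the `orders.` prefix and the `sa-` format check are assumptions made for illustration; the function only prints the commands for review and does not run them.

```shell
#!/bin/sh
# Added example: print (do not run) the two ACL commands a consumer needs,
# scoped to a named consumer group and a topic name or prefix.
# consumer_acl_commands is a hypothetical helper, not part of the CLI.

consumer_acl_commands() {
    sa="$1"; group="$2"; topic="$3"; mode="${4:-literal}"

    # Assumption: service account IDs look like the page's example, sa-55555.
    case "$sa" in
        sa-?*) ;;
        *) echo "error: service account must look like sa-xxxxx" >&2; return 2 ;;
    esac

    # Accept only [A-Za-z0-9._-] in every name. This rejects "*", empty
    # values, spaces and shell metacharacters before anything is printed.
    for name in "$sa" "$group" "$topic"; do
        case "$name" in
            ''|*[!A-Za-z0-9._-]*)
                echo "error: empty or unsafe name: '$name'" >&2; return 2 ;;
        esac
    done

    # literal: exact topic name; prefix: every topic starting with $topic.
    case "$mode" in
        literal) prefix_flag="" ;;
        prefix)  prefix_flag=" --prefix" ;;
        *) echo "error: mode must be literal or prefix" >&2; return 2 ;;
    esac

    # Only one resource flag is allowed per invocation, hence two commands.
    printf 'confluent kafka acl create --allow --service-account %s --operations READ,DESCRIBE --consumer-group %s\n' \
        "$sa" "$group"
    printf 'confluent kafka acl create --allow --service-account %s --operations READ,DESCRIBE --topic %s%s\n' \
        "$sa" "$topic" "$prefix_flag"
}

# Constructed sample values.
consumer_acl_commands sa-55555 java_example_group_1 orders. prefix
```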
You can specify only one of the following flags per command invocation: --cluster-scope, --consumer-group, --topic, or --transactional-id. For example, for a consumer to read a topic, you need to grant “READ” and “DESCRIBE” both on the --consumer-group and the --topic resources, issuing two separate commands:
confluent kafka acl create --allow --principal User:Jane --operation READ --operation DESCRIBE --consumer-group java_example_group_1
confluent kafka acl create --allow --principal User:Jane --operation READ --operation DESCRIBE --topic "*"
You can run the previous example without logging in if you provide the embedded Kafka REST Proxy endpoint with the --url flag.
confluent kafka acl create --url http://localhost:8090/kafka --allow --principal User:Jane --operation READ --operation DESCRIBE --consumer-group java_example_group_1
confluent kafka acl create --url http://localhost:8090/kafka --allow --principal User:Jane --operation READ --operation DESCRIBE --topic "*"
You can also run the example above without logging in if you provide the Kafka REST proxy endpoint with the --url flag.
confluent kafka acl create --url http://localhost:8082 --allow --principal User:Jane --operation READ --operation DESCRIBE --consumer-group java_example_group_1
confluent kafka acl create --url http://localhost:8082 --allow --principal User:Jane --operation READ --operation DESCRIBE --topic "*"
See Also
- confluent kafka acl - Manage Kafka ACLs.