confluent kafka acl create

Description

Create a Kafka ACL.

confluent kafka acl create [flags]

Flags

    --operations strings        REQUIRED: A comma-separated list of ACL operations: (alter, alter-configs, cluster-action, create, delete, describe, describe-configs, idempotent-write, read, write).
    --principal string          Principal for this operation, prefixed with "User:".
    --service-account string    The service account ID.
    --allow                     Access to the resource is allowed.
    --deny                      Access to the resource is denied.
    --cluster-scope             Modify ACLs for the cluster.
    --topic string              Modify ACLs for the specified topic resource.
    --consumer-group string     Modify ACLs for the specified consumer group resource.
    --transactional-id string   Modify ACLs for the specified TransactionalID resource.
    --prefix                    When this flag is set, the specified resource name is interpreted as a prefix.
    --cluster string            Kafka cluster ID.
    --context string            CLI context name.
    --environment string        Environment ID.
-o, --output string             Specify the output format as "human", "json", or "yaml". (default "human")

    --principal string          REQUIRED: Principal for this operation with User: or Group: prefix.
    --operation string          REQUIRED: Set ACL Operation to: (all, alter, alter-configs, cluster-action, create, delete, describe, describe-configs, idempotent-write, read, write).
    --host string               Set host for access. Only IP addresses are supported. (default "*")
    --allow                     ACL permission to allow access.
    --deny                      ACL permission to restrict access to resource.
    --cluster-scope             Set the cluster resource. With this option the ACL grants access to the provided operations on the Kafka cluster itself.
    --consumer-group string     Set the Consumer Group resource.
    --transactional-id string   Set the TransactionalID resource.
    --topic string              Set the topic resource. With this option the ACL grants the provided operations on the topics that start with that prefix, depending on whether the --prefix option was also passed.
    --prefix                    Set to match all resource names prefixed with this value.
    --url string                Base URL of REST Proxy Endpoint of Kafka Cluster (include /kafka for embedded Rest Proxy). Must set flag or CONFLUENT_REST_URL.
    --ca-cert-path string       Path to a PEM-encoded CA to verify the Confluent REST Proxy.
    --client-cert-path string   Path to client cert to be verified by Confluent REST Proxy, include for mTLS authentication.
    --client-key-path string    Path to client private key, include for mTLS authentication.
    --no-authentication         Include if requests should be made without authentication headers, and user will not be prompted for credentials.
    --prompt                    Bypass use of available login credentials and prompt for Kafka Rest credentials.
    --context string            CLI context name.
-o, --output string             Specify the output format as "human", "json", or "yaml". (default "human")

Global Flags

-h, --help            Show help for this command.
    --unsafe-trace    Equivalent to -vvvv, but also log HTTP requests and responses which may contain plaintext secrets.
-v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).

Examples

You can specify only one of the following flags per command invocation: --cluster-scope, --consumer-group, --topic, or --transactional-id. For example, for a consumer to read a topic, you need to grant “read” and “describe” both on the --consumer-group and the --topic resources, issuing two separate commands:

confluent kafka acl create --allow --service-account sa-55555 --operations read,describe --consumer-group java_example_group_1
confluent kafka acl create --allow --service-account sa-55555 --operations read,describe --topic "*"

You can specify only one of the following flags per command invocation: --cluster-scope, --consumer-group, --topic, or --transactional-id. For example, for a consumer to read a topic, you need to grant “read” and “describe” both on the --consumer-group and the --topic resources, issuing two separate commands:

confluent kafka acl create --allow --principal User:Jane --operation read --consumer-group java_example_group_1
confluent kafka acl create --allow --principal User:Jane --operation read --topic "*"

You can run the previous example without logging in if you provide the embedded Kafka REST Proxy endpoint with the --url flag.

confluent kafka acl create --url http://localhost:8090/kafka --allow --principal User:Jane --operation read --consumer-group java_example_group_1
confluent kafka acl create --url http://localhost:8090/kafka --allow --principal User:Jane --operation read --topic "*"

You can also run the example above without logging in if you provide the Kafka REST proxy endpoint with the --url flag.

confluent kafka acl create --url http://localhost:8082 --allow --principal User:Jane --operation read --consumer-group java_example_group_1
confluent kafka acl create --url http://localhost:8082 --allow --principal User:Jane --operation read --topic "*"

See Also