.. _c3-auth-acls:

Configuring |c3-short| to work with |ak| ACLs
=============================================

.. important:: Before attempting to create and use ACLs, you should familiarize yourself with
   :ref:`acl-concepts`. Doing so can help you avoid common pitfalls that can occur when creating
   and using ACLs to manage access to components and cluster data.

Standard |ak-tm| authorization and encryption options are available for :ref:`control center ` and :ref:`interceptors `.

.. note:: Only export ``PRINCIPAL`` if you have already defined the JAAS properties or user certificates.
   Also, you must create the |ak| ACLs before starting |c3-short|. You must then configure |c3-short|
   to authenticate to |ak| as the principal that is specified for the ACL.

You can use this script to create the ACLs that are required by |c3-short| to operate on an authorized cluster.
You must run this script before you start |c3-short|:

.. sourcecode:: bash

   export PRINCIPAL=User:username
   export CONTROL_CENTER_OPTS="-Djava.security.auth.login.config="
   bin/control-center-set-acls config/control-center.properties

.. important:: The principal specified here is the |ak| user, the same as specified in :ref:`Kafka Broker `.

For each |ak| topic that |c3| creates, ACLs are created to grant the specified principal the following privileges:

- CREATE
- WRITE
- DESCRIBE
- DESCRIBE_CONFIGS
- READ

The following ACLs are created to grant the specified principal privileges for the consumer group related to
the |c3| Streams application:

- READ

ACLs granting the following privileges are also created for the cluster:

- DESCRIBE
- DESCRIBE_CONFIGS

You must export a |c3-short| JAAS config before starting |c3-short|.

.. sourcecode:: bash

   export CONTROL_CENTER_OPTS='-Djava.security.auth.login.config='
   bin/control-center-start config/control-center.properties
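The following is an added example, not part of the original documentation or of Confluent's tooling: a check that a saved ``kafka-acls --list`` listing contains the topic, consumer group, and cluster privileges listed above for the principal, counting only explicit ALLOW entries (or ``ALL``). It assumes the listing uses the ``ResourcePattern(...)`` format shown in the constructed sample; ``missing_acls``, ``SAMPLE``, and the example resource names are hypothetical.

```bash
# Added example, not Confluent code: audit `kafka-acls --list` output for the
# grants this page lists. Assumes the ResourcePattern(...) listing format below.
# Constructed sample: the topic lacks WRITE, the cluster lacks DESCRIBE_CONFIGS.
SAMPLE='Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=example-c3-topic, patternType=LITERAL)`:
    (principal=User:username, host=*, operation=CREATE, permissionType=ALLOW)
    (principal=User:username, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:username, host=*, operation=DESCRIBE_CONFIGS, permissionType=ALLOW)
    (principal=User:username, host=*, operation=READ, permissionType=ALLOW)
    (principal=User:other, host=*, operation=WRITE, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=example-c3-group, patternType=LITERAL)`:
    (principal=User:username, host=*, operation=READ, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=CLUSTER, name=kafka-cluster, patternType=LITERAL)`:
    (principal=User:username, host=*, operation=DESCRIBE, permissionType=ALLOW)'

# missing_acls PRINCIPAL < listing
# Prints "TYPE:name:OPERATION" for each listed grant the principal lacks.
missing_acls() {
  awk -v principal="$1" '
    BEGIN {
      need["TOPIC"]   = "CREATE WRITE DESCRIBE DESCRIBE_CONFIGS READ"
      need["GROUP"]   = "READ"
      need["CLUSTER"] = "DESCRIBE DESCRIBE_CONFIGS"
      order[++n] = "CLUSTER:kafka-cluster"   # always audit the cluster resource
      seen[order[n]] = has[order[n]] = 1
    }
    /resourceType=/ {                        # header line of one resource
      type = name = $0
      sub(/.*resourceType=/, "", type); sub(/,.*/, "", type)
      sub(/.*name=/, "", name);         sub(/,.*/, "", name)
      res = type ":" name; if (!seen[res]++) order[++n] = res
      next
    }
    /permissionType=ALLOW/ && index($0, "principal=" principal ",") {
      op = $0; sub(/.*operation=/, "", op); sub(/,.*/, "", op)
      granted[res, op] = 1; has[res] = 1
    }
    END {
      for (i = 1; i <= n; i++) {
        res = order[i]
        if (!has[res] || granted[res, "ALL"]) continue  # untouched, or ALL
        type = res; sub(/:.*/, "", type)
        k = split(need[type], ops, " ")
        for (j = 1; j <= k; j++)
          if (!granted[res, ops[j]]) print res ":" ops[j]
      }
    }'
}

printf '%s\n' "$SAMPLE" | missing_acls User:username
```

Topics and groups are audited only where the principal already holds at least one grant, so resources that belong to other principals are not reported.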