Confluent LDAP Authorizer

This is a commercial component of Confluent Platform.

Confluent LDAP Authorizer enables group-based authorization using the principal type Group as well as user-principal-based authorization using the principal type User. If a Deny rule matches the user principal or any of the groups that the user belongs to, access will be denied. Otherwise access is allowed if an Allow rule matches the user principal or any of the groups that the user belongs to.

You can also set the configuration option to true to allow access if no ACLs match the user or groups.


Use of the configuration option in production environments is strongly discouraged.

  • If you specify this option based on the assumption that you have ACLs, but then your last ACL is deleted, you essentially open up your Kafka clusters to all users.
  • If you’re using this option to disable ACLs, exercise caution: if someone adds an ACL, all the users who previously had access will lose that access.

Super users or super groups with access to all resources can be configured using the configuration option super.users. This may contain user principals as well as group principals. For example:


Kerberos users with LDAP servers that provide Kerberos authentication as well group management can use the same LDAP server (e.g. Active Directory or Apache Directory Server) for both authentication and group-based authorization. Brokers using other security protocols or SASL mechanisms may also use group-based authorization using LDAP without using the LDAP server for authentication.