| layout | title | categories | author | lang |
|---|---|---|---|---|
post |
Understanding OVH Kafka users and rights |
queue |
thbkrkr |
en |
This tutorial assumes you already have an OVH account, have subscribed to OVH Kafka and have created an OVH Kafka application.
If you do not have an OVH account, you may create one here.
This guide will help you to understand how to create users and roles to restrict topics access and how to configure SSL in your client.
OVH Kafka has been upgraded to use the latest Kafka version 0.10.0.1 that brings SASL (authentication) and SSL (encryption).
SASL for Kafka means authentication of connections to brokers from clients and authorization of read/write operations by clients.
Like your topics all your users and consumer groups must be prefixed with your namespace.
- topics:
<namespace>.<topicname>(ex: myapp42.mytopic) - users:
<namespace>.<user>(ex: myapp42.myuser) - consumer groups:
<namespace>.<user>.<consumergroup>(ex: myapp42.myuser.mygroup)
For each OVH Kafka application, you can create as many users and roles as you want to give rights to READ and/or to WRITE on one or more topics.
- A user has a name and one or more roles.
- A role has a name and one or more topics ACL for read and write.
- The star ('*') to match several topics is supported in topics ACL.
- A role has one ACL to authorize the topics auto-creation.
For all newly created apps, some users and roles are automatically created:
- User
<namespace>.readerwith read-only access on all topics - User
<namespace>.writerwith write-only access on all topics - User
<namespace>.adminwith read, write, and auto-create access on all topics
Here we first create a role named myrole to allow:
- READ on all topics (
<namespace>.*) - WRITE on the
<namespace>.eventsand<namespace>.logstopics - the ability to create new topics automatically on production and consumption
POST /dbaas/queue/<appID>/role -d '{
"name": "myrole",
"readAcl": ["<namespace>.*"],
"writeAcl": ["<namespace>.events","<namespace>.logs"],
"autoCreateAcl": true
}'
Response:
{
"name": "myrole",
"readAcl": ["<namespace>.*"],
"writeAcl": ["<namespace>.events","<namespace>.logs"],
"autoCreateAcl": true
}
Then a user <namespace>.bob is created with the myrole role:
POST /dbaas/queue/<appID>/user -d '{
"name": "<namespace>.bob",
"roles": ["myrole"]
}'
Response:
{
"id": "zziotuocuoc2a",
"name": "<namespace>.bob",
"password": "tgRkrRlolUK2Ov4RN5F",
"roles": ["myrole"]
}
Each user has an auto generated password, that you can regenerate using the API.
There is no particular ACL on consumer groups, however you must use a consumer group name that is prefixed by your user name.
Example: if your user is myApp.Toto, you can use myApp.Toto.GroupA as consumer group name.
Exception: any user who is assigned the default "admin" role can access all your users consumer groups.
Users and roles are now available in the Sunrise Manager:
You need to configure your Kafka client to use TLS. In most clients it is enough to enable a boolean.
Here are examples to configure your Kafka client to use SASL and SSL: