Skip to content

ACL Authorization

RobustMQ Kafka implements Kafka's ACL management APIs (CreateAcls / DescribeAcls / DeleteAcls): ACL rules can be created, described, deleted, and persisted to meta-service.

Current state (please note): ACLs can be created/described/deleted and are persisted, but they are not yet wired into request authorization. The request path never reads ACLs, so nothing is actually blocked today — no Produce / Fetch / metadata operation is gated. The authorized_operations field in responses such as Metadata always returns a sentinel value (not computed). ACLs are "manageable authorization metadata" — useful for pre-configuration or migration rehearsals, but they do not constitute access control.

ACL model

The Kafka wire model fields:

FieldMeaning
resource_typeresource type. Only TOPIC is accepted
resource_nameresource name (topic name)
pattern_typematch pattern. Only LITERAL (exact) is accepted
principalprincipal, e.g. User:alice or ClientId:x (missing :InvalidPrincipalType)
hostsource host; empty is normalized to *
operationoperation, mapped to an internal action: ALL → all, READ → subscribe, WRITE → publish; others → InvalidRequest
permission_typeALLOW / DENY

A non-TOPIC resource, or a non-LITERAL pattern, returns InvalidRequest.

Filter matching

DescribeAcls / DeleteAcls match via a filter: enum fields set to ANY match anything; string filters (resource name, principal, host) match anything when empty, otherwise do exact string equality. True prefix/wildcard matching (PREFIXED / MATCH) is not yet implemented.

CLI examples

bash
# Grant alice READ on topic orders
kafka-acls.sh --bootstrap-server localhost:9092 \
  --add --allow-principal User:alice \
  --operation Read --topic orders

# List
kafka-acls.sh --bootstrap-server localhost:9092 --list --topic orders

# Remove
kafka-acls.sh --bootstrap-server localhost:9092 \
  --remove --allow-principal User:alice \
  --operation Read --topic orders

Like other security data, ACLs are persisted through Raft and broadcast to every broker's cache (see Overview).

Limitations at a glance

LimitationDetail
Not enforcednot consulted during request authorization; nothing is blocked
Resource typeTOPIC only
Pattern typeLITERAL only; no prefix/wildcard matching
Operationsonly ALL / READ / WRITE are mappable
authorized_operationsalways a "not computed" sentinel in responses
🎉 既然都登录了 GitHub,不如顺手给我们点个 Star 吧!⭐ 你的支持是我们最大的动力 🚀