You could limit the access to ZooKeeper with Kerberos or with a firewall,
for example to only allow connections to ZooKeeper from the cluster itself;
this way you need access to those machines to be able to set ACLs. The
Create permission is used for creating topics, I think; there is no ACL to
limit setting ACLs.

On Tue, Oct 4, 2016 at 4:17 PM Shrikant Patel <spa...@pdxinc.com> wrote:

> Hi All,
>
> How can I restrict who can modify ACLs for the Kafka cluster? Anyone can
> use the kafka-acls CLI to modify the ACL.
>
> I added a superuser and thought that when we are running kafka-acls, it
> validates that only the spatel user can run this command. So what prevents
> a user on the network from trying to modify ACLs?
>
> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
> super.users=User:CN=spatel-lt.nhsrx.com,OU=arch,O=pdx inc,L=fort worth,ST=tx,C=us
>
> Current ACLs for resource `Cluster:kafka-cluster`:
>         User:CN=spatel-lt,OU=arch,O=pdx inc,L=fort worth,ST=tx,C=us has Allow permission for operations: Create from hosts: *
>
> Am I missing anything???
>
> Thanks in advance,
> Shri
> ______________________________________________________________
> Shrikant Patel   |   PDX-NHIN
> Enterprise Architecture Team
> Asserting the Role of Pharmacy in Healthcare  www.pdxinc.com
> main 817.246.6760 | ext 4302
> 101 Jim Wright Freeway South, Suite 200, Fort Worth, Texas 76108-2202
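Added example, not part of either message above: because SimpleAclAuthorizer keeps its ACLs in ZooKeeper, one way to check whether ZooKeeper access is actually restricted is to audit the znode ACLs and flag any path that unauthenticated clients can still modify. The `/kafka-acls` path, the zkCli `getAcl` output layout, the `sasl:kafka` identity and the sample text are assumptions constructed for illustration.

```python
import re

# Permission letters printed by zkCli getAcl: c=create d=delete r=read w=write a=admin.
MUTATING = set("cdwa")


def parse_getacl(text):
    """Parse zkCli `getAcl` output into a list of (scheme, id, perms) tuples."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^'([^,]+),'(.*)$", line)   # e.g. 'world,'anyone
        if m:
            pending = (m.group(1), m.group(2))
        elif line.startswith(":") and pending:    # e.g. ": cdrwa"
            entries.append((pending[0], pending[1], line[1:].strip()))
            pending = None
    return entries


def open_to_anyone(entries):
    """Return the mutating permissions granted to unauthenticated clients."""
    granted = set()
    for scheme, ident, perms in entries:
        if scheme == "world" and ident == "anyone":
            granted |= set(perms) & MUTATING
    return "".join(sorted(granted))


def audit(dumps):
    """Map each label to a finding string, or None when the znode is locked down."""
    findings = {}
    for label, text in dumps.items():
        entries = parse_getacl(text)
        if not entries:
            findings[label] = "no ACL parsed"     # fail closed on unreadable input
            continue
        perms = open_to_anyone(entries)
        findings[label] = f"world:anyone can {perms}" if perms else None
    return findings


# Constructed sample output (assumed zkCli format), keyed by a descriptive label.
SAMPLE = {
    "unsecured:/kafka-acls": "'world,'anyone\n: cdrwa\n",
    "secured:/kafka-acls": "'sasl,'kafka\n: cdrwa\n'world,'anyone\n: r\n",
}

if __name__ == "__main__":
    for label, finding in audit(SAMPLE).items():
        print(label, "->", finding or "ok")
```

A finding on the ACL znode means any client that can reach ZooKeeper can rewrite Kafka's ACLs, which is the situation the firewall or Kerberos restriction is meant to close.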