KAFKA-18766:Docs: Make usage of allow.everyone.if.no.acl.found config clearer (#19077)

In the documentation today, we have the following sentence:

By default, if no ResourcePatterns match a specific Resource R, then R
has no associated ACLs, and therefore no one other than super users is
allowed to access R. If you want to change that behavior, you can
include the following in server.properties.

Reviewers: TengYao Chi <kitingiao@gmail.com>, Andrew Schofield <aschofield@confluent.io>
 

Although it is correct, I have observed users being confused by it. I
think it could be made clearer that the default is deny and this property is a
way to change the default.
Change

Replace the above with the following:

 

Default Behavior Without ACLs:

If a resource (R) does not have any ACLs defined—that is, if no ACL
matches the resource—Kafka will restrict access to that resource. In
this situation, only super users are allowed to access it.

Changing the Default Behavior:

If you prefer that resources without any ACLs be accessible by all users
(instead of just super users), you can change the default behavior. To
do this, add the following line to your server.properties file:

 

allow.everyone.if.no.acl.found=true

With this setting enabled, if a resource does not have any ACLs defined,
Kafka will allow access to everyone. If a resource has one or more ACLs
defined, those ACL rules will be enforced as usual, regardless of the
setting.
This commit is contained in:
Iamoshione 2025-03-06 13:03:41 -05:00 committed by GitHub
parent 1da30bdedf
commit a9bc7c5889
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 13 additions and 4 deletions


@ -1248,11 +1248,19 @@ sasl.mechanism.inter.broker.protocol=GSSAPI (or one of the other enabled mechani
Kafka ACLs are defined in the general format of "Principal {P} is [Allowed|Denied] Operation {O} From Host {H} on any Resource {R} matching ResourcePattern {RP}".
You can read more about the ACL structure in <a href="https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorization+Interface">KIP-11</a> and
resource patterns in <a href="https://cwiki.apache.org/confluence/display/KAFKA/KIP-290%3A+Support+for+Prefixed+ACLs">KIP-290</a>.
In order to add, remove, or list ACLs, you can use the Kafka ACL CLI <code>kafka-acls.sh</code>. By default, if no ResourcePatterns match a specific Resource R,
then R has no associated ACLs, and therefore no one other than super users is allowed to access R.
If you want to change that behavior, you can include the following in server.properties.
In order to add, remove, or list ACLs, you can use the Kafka ACL CLI <code>kafka-acls.sh</code>.
<h5><u>Behavior Without ACLs:</u></h5>
<p>If a resource (R) does not have any ACLs defined, meaning that no ACL matches the resource, Kafka will restrict
access to that resource. In this situation, only super users are allowed to access it.</p>
<h5><u>Changing the Default Behavior:</u></h5>
<p>If you prefer that resources without any ACLs be accessible by all users (instead of just super users), you can
change the default behavior. To do this, add the following line to your server.properties file:</p>
<pre><code class="language-text">allow.everyone.if.no.acl.found=true</code></pre>
One can also add super users in server.properties like the following (note that the delimiter is semicolon since SSL user names may contain comma). Default PrincipalType string "User" is case sensitive.
<p>With this setting enabled, if a resource does not have any ACLs defined, Kafka will allow access to everyone. If a
resource has one or more ACLs defined, those ACL rules will be enforced as usual, regardless of the setting.
One can also add super users in server.properties like the following (note that the delimiter is semicolon since SSL
user names may contain comma). Default PrincipalType string "User" is case sensitive.
</p>
<pre><code class="language-text">super.users=User:Bob;User:Alice</code></pre>
<h5 class="anchor-heading"><a id="kraft_principal_forwarding" class="anchor-link"></a><a href="#kraft_principal_forwarding">KRaft Principal Forwarding</a></h5>
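Review bot: In the new "Behavior Without ACLs" paragraph, "does not have any ACLs defined, meaning that no ACL matches the resource" treats two different conditions as one. The context lines just above point readers to prefixed resource patterns (KIP-290), so a resource with no ACL created under its own name can still be matched by a prefixed pattern, and the removed wording ("if no ResourcePatterns match a specific Resource R") stated the condition precisely. Suggest using "no ResourcePattern matches the resource" as the condition in both new paragraphs, because anyone deciding whether to set allow.everyone.if.no.acl.found=true needs to know exactly which resources become open to everyone. Two smaller points: the sentence introducing super.users now sits in the same <p> as the allow.everyone explanation and would read better as its own paragraph directly above the super.users example, and the new <h5><u> headings carry no id or anchor-heading class, unlike the "KRaft Principal Forwarding" heading below them, so they cannot be linked to.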
@ -2367,3 +2375,4 @@ security.inter.broker.protocol=SSL</code></pre>
</script>
<div class="p-security"></div>
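The decision described in the commit message and the documentation hunk, as a simplified model added here; it is not Kafka's authorizer code and not part of this commit. The `Acl` class, `authorize`, `audit` and the sample principals and topic names are constructed for illustration, and host matching and implied operations are left out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Acl:
    principal: str     # e.g. "User:Alice", or "User:*" for any principal
    permission: str    # "Allow" or "Deny"
    operation: str     # e.g. "Read", or "All"
    pattern_type: str  # "LITERAL" or "PREFIXED"
    name: str          # resource name, prefix, or "*" (literal wildcard)

    def matches_resource(self, resource: str) -> bool:
        if self.pattern_type == "PREFIXED":
            return resource.startswith(self.name)
        return self.name in ("*", resource)

    def matches_request(self, principal: str, operation: str) -> bool:
        return (self.principal in ("User:*", principal)
                and self.operation in ("All", operation))


def authorize(principal, operation, resource, acls, super_users=(),
              allow_everyone_if_no_acl_found=False):
    """Simplified model of the documented behaviour (assumption, see lead-in)."""
    if principal in super_users:
        return True  # super users bypass ACL evaluation
    on_resource = [a for a in acls if a.matches_resource(resource)]
    if not on_resource:
        # No ResourcePattern matches R: the setting decides (default is deny).
        return allow_everyone_if_no_acl_found
    hits = [a for a in on_resource if a.matches_request(principal, operation)]
    if any(a.permission == "Deny" for a in hits):
        return False  # a matching Deny takes precedence over any Allow
    return any(a.permission == "Allow" for a in hits)


# Constructed sample ACLs and principals, not taken from a real cluster.
ACLS = [
    Acl("User:Alice", "Allow", "Read", "LITERAL", "payments"),
    Acl("User:Bob", "Allow", "Write", "PREFIXED", "logs-"),
]
SUPER_USERS = ("User:Admin",)


def audit(resources, principal="User:Mallory", operation="Read"):
    """Resources that enabling the setting would open to an unlisted principal."""
    return [r for r in resources
            if not authorize(principal, operation, r, ACLS, SUPER_USERS)
            and authorize(principal, operation, r, ACLS, SUPER_USERS, True)]
```

Running `audit` over the resource names in a cluster before enabling the setting shows which ones have no matching pattern and would therefore become accessible to every principal.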