Overview

Kafka Access Control Lists (ACLs) provide a robust authorization framework that determines which authenticated users can perform specific operations on Kafka resources. This comprehensive guide explores Kafka ACL concepts, configuration approaches, management tools, and best practices for implementing effective authorization in your Kafka deployments.

Understanding Kafka Authorization and ACLs

Kafka authorization determines what an authenticated entity can do once its identity has been verified. Similar to how an ATM allows you access only to your accounts after PIN verification, Kafka enables specific actions for authenticated clients based on their permissions[16]. Authorization in Kafka is implemented through Access Control Lists (ACLs), which specify which users can perform which operations on specific resources.

Core Authorization Concepts

The authorization framework in Kafka is pluggable and configured using the authorizer.class.name property. Two primary authorizer implementations are available:

• AclAuthorizer : For ZooKeeper-based clusters, storing ACLs in ZooKeeper

• StandardAuthorizer : For KRaft-based clusters, storing ACLs in the cluster metadata[17]

Each ACL consists of five core components that together define a permission:

Additionally, ACLs can specify a host parameter (IP address) to limit connections from specific locations, and pattern types (LITERAL, PREFIX, or WILDCARD) to match resources[16].

The Default Behavior

By default, if a resource has no associated ACLs, access is determined by the allow.everyone.if.no.acl.found property. Amazon MSK sets this to true by default, meaning resources without explicit ACLs are accessible to all principals[9]. However, once you add ACLs to a resource, only authorized principals can access it.

SASL Authentication with Kafka ACLs

Before authorization can occur, clients must be authenticated. Kafka commonly uses Simple Authentication and Security Layer (SASL) mechanisms, which provide the authenticated identities that ACLs reference.

SASL Mechanisms for Authentication

Kafka supports several SASL mechanisms, each with different security characteristics:

It's important to distinguish between SASL/PLAIN (the authentication mechanism) and SASL_PLAINTEXT/SASL_SSL (the security protocol). The former refers to username/password credentials, while the latter indicates whether the connection is encrypted with TLS.

Configuring Kafka ACLs

Setting up ACLs involves both broker and client configuration steps.

Broker Configuration

To enable ACL authorization on Kafka brokers, add the following to server.properties :

## Enable ACL authorization
authorizer.class.name=kafka.security.authorizer.AclAuthorizer

## Default permission when no ACLs exist for a resource
allow.everyone.if.no.acl.found=true

## Enable SASL mechanisms
sasl.enabled.mechanisms=PLAIN,SCRAM-SHA-512

## Configure security protocol
listeners=SASL_SSL://hostname:9093
security.inter.broker.protocol=SASL_SSL

JAAS Configuration

Java Authentication and Authorization Service (JAAS) configuration is essential for SASL authentication. For brokers, JAAS configuration should be prefixed with the listener name and SASL mechanism[12]:

listener.name.sasl_ssl.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
    username="admin" \
    password="admin-secret" \
    user_admin="admin-secret" \
    user_alice="alice-secret";

Client Configuration

Clients need corresponding configuration to authenticate to the broker:

bootstrap.servers=hostname:9093
security.protocol=SASL_SSL
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
    username="alice" \
    password="alice-secret";

Managing Kafka ACLs

Various tools are available for creating, listing, and deleting ACLs in Kafka.

Command-Line Tools

The primary tool for managing ACLs is the kafka-acls command-line interface:

kafka-acls --bootstrap-server localhost:9092 \
  --command-config admin-client.properties \
  --add \
  --allow-principal User:alice \
  --operation Read \
  --operation Write \
  --topic orders

Redpanda provides rpk acl commands for similar functionality:

rpk acl create \
  --allow-principal 'User:Charlie' \
  --operation all \
  --topic pings

Confluent Platform offers the confluent kafka acl command suite with additional capabilities[13].

GUI Tools

Conduktor provides a graphical interface for ACL management with views for visualizing relationships between principals and resources. It offers a wizard to simplify ACL creation based on common use cases and supports importing/exporting ACLs in CSV format[7].

Importing and Exporting ACLs

For managing ACLs at scale, tools like Kafka Security Manager (KSM) allow using external sources (like GitHub repositories) as the source of truth for ACLs. This provides auditability, rollback capabilities, and prevents unauthorized ACL modifications directly in Kafka[14].

Common Use Cases and ACL Patterns

Different scenarios require different ACL configurations:

Producer Access

To grant a user write access to a topic:

kafka-acls --bootstrap-server localhost:9092 \
  --add \
  --allow-principal User:producer \
  --operation Write \
  --operation Create \
  --operation Describe \
  --topic orders

Consumer Access

To grant a user read access to a topic and consumer group:

kafka-acls --bootstrap-server localhost:9092 \
  --add \
  --allow-principal User:consumer \
  --operation Read \
  --operation Describe \
  --topic orders \
  --group order-processors

Admin Access

For administrative users who need cluster-wide permissions:

kafka-acls --bootstrap-server localhost:9092 \
  --add \
  --allow-principal User:admin \
  --operation All \
  --cluster

KRaft Mode Considerations

When using KRaft mode (ZooKeeper-less Kafka), some special considerations apply:

• KRaft-backed clusters cannot use SCRAM for controller-to-controller authentication

• SASL credentials should be created before brokers start running

• For KRaft with SASL/PLAIN, you need the configuration property sasl.mechanism.controller.protocol=PLAIN [3]

Best Practices for Kafka ACLs

Implementing the following practices can enhance security and manageability:

Security Recommendations

• Always use TLS with SASL to encrypt credentials in transit

• Prefer SASL/SCRAM or SASL/GSSAPI over SASL/PLAIN in production environments

• Implement proper credential management and rotation procedures

• Configure ACLs with the principle of least privilege

• Regularly audit and review ACL assignments

Mechanism Selection

Choose your SASL mechanism based on your existing infrastructure:

Avoiding Common Issues

• Always use TLS with SASL/PLAIN to prevent credential exposure

• Ensure correct JAAS configuration for each listener and mechanism

• When using KRaft mode, set super.users correctly to allow broker-to-controller communication

• Verify that client configurations match broker configurations for the selected mechanism[12]

Troubleshooting Common ACL Issues

Common authorization and authentication issues include:

• SaslAuthenticationException : Verify correct credentials and SASL mechanism configuration

• SSL handshake failed : Check TLS certificates and truststore/keystore configuration

• Could not find KafkaServer entry in JAAS configuration : Ensure proper JAAS configuration for controllers in KRaft mode

• Unexpected Kafka request during SASL handshake : Verify client is properly configured for SASL authentication

Conclusion

Kafka ACLs provide a flexible and powerful mechanism for controlling access to your Kafka resources. By understanding the core concepts, implementing appropriate authentication mechanisms, and following best practices, you can create a secure and well-managed Kafka deployment that balances security needs with operational requirements.

Remember that ACLs are just one component of a comprehensive security strategy for Kafka. Combining ACLs with proper network security, TLS encryption, and secure credential management creates a defense-in-depth approach that effectively protects your Kafka infrastructure and data.

If you find this content helpful, you might also be interested in our product AutoMQ. AutoMQ is a cloud-native alternative to Kafka by decoupling durability to S3 and EBS. 10x Cost-Effective. No Cross-AZ Traffic Cost. Autoscale in seconds. Single-digit ms latency. AutoMQ now is source code available on github. Big Companies Worldwide are Using AutoMQ. Check the following case studies to learn more:

• Grab: Driving Efficiency with AutoMQ in DataStreaming Platform

• Palmpay Uses AutoMQ to Replace Kafka, Optimizing Costs by 50%+

• AutoMQ help Geely Auto(Fortune Global 500) solve the pain points of Kafka elasticity in the V2X scenario

• How Asia’s Quora Zhihu uses AutoMQ to reduce Kafka cost and maintenance complexity

• XPENG Motors Reduces Costs by 50%+ by Replacing Kafka with AutoMQ

• Asia's GOAT, Poizon uses AutoMQ Kafka to build observability platform for massive data(30 GB/s)

• AutoMQ Helps CaoCao Mobility Address Kafka Scalability During Holidays

• JD.comx AutoMQ x CubeFS: A Cost-Effective Journey at Trillion-Scale Kafka Messaging

References

1. Kafka-ACLs CLI Error with Confluent Cloud Instance

2. Kafka Security: Managing Consumer Groups Across

3. Migrating Security ACLs to New Cluster (KRaft)

4. Java KafkaAdminClient: Querying ACLs by Principal

5. KafkaTopical: The Kafka UI for Engineers and Admins

6. MirrorMaker Seems Too Complicated for What It Is

7. Kafka Access Control List (ACL)

8. Built-in Security with ACLs

9. Amazon MSK ACLs

10. Access Management Authorization ACL

11. Simple ACL Authorization

12. How to Manage Kafka ACLs for Enhanced Security

13. Confluent Kafka ACL List

14. Kafka Security Manager

15. Creating an ACL

16. Security Authorization

17. ACLs Overview

18. Kafka ACL Management

19. How Can I Start Kafka with User Anonymous

20. Kafka KRaft Authentication

21. AWS MSK ACL

22. Gathering Opinions on Kafka Management Tools

23. Company Decide to Use Kafka MSK

24. What's the Most Complex Piece of Technology In

25. MSK Topic Level Security

26. How Do You Identify Producers Writing to Kafka

27. AWS MSK Kafka ACL Infrastructure as Code

28. I Made a New GUI for Apache Kafka

29. A List of GUI Tools for Working with Apache Kafka

30. Kafka Alternatives Most DE Job Descriptions Want

31. Manage Network Policies and Kafka ACLs in a

32. Looking for Resources on Kafka/Confluent CI/CD Best

33. ZooKeeper ACLs Kafka

34. Managing ACLs

35. Access Control ACL

36. ACLs Advanced Insights

37. Secure Kafka Deployment Best Practices

38. Configuring Kafka

39. Confluent CLI Kafka ACL Index

40. What are the Necessary Kafka Permissions Required by Conduktor Console

41. Authorization ACL

42. Essential Kafka Security Best Practices for 2024

43. For Some Reason My Mirror Maker 2 Runs But Does

44. Are Micro Services That Both Produce and Consume

45. Deep Dive into Apache Kafka Storage Internals

46. Why Kafka and Not FIFO Queues for Cloud Providers

47. Keeping Track of Users

48. MirrorMaker2 Not Replicating Any Consumer Groups

49. What Do You Think is the Biggest Differences

50. What Do You Do for Syslog

51. Configuring Security for Kafka is More

52. What Can Linux Do That Windows Server Can't

53. Logging to Syslog Server

54. Kafka vs RabbitMQ

55. A Deep Dive into Apache Kafka Challenges and Solutions

56. Apache Kafka Concepts: Authorization and ACLs Explained

57. System Design Deep Dives: Kafka

58. Improve Kafka Security with ACLs

59. Get Started with Kafka Architecture

60. Confluent Platform Discussions

61. Kafka ACL Issues Using Java Code

62. Kafka Architecture Deep Dive

63. Deep Dive into Apache Kafka's Advanced Capabilities

64. Getting Started: Apache Kafka .NET

65. Kafka in K8s

66. Blog on Multinode KRaft-based Kafka Cluster

67. Jikkou: Declarative ACLs Configuration for Apache Kafka

68. Suggestions for UI for AWS Managed Kafka

69. How We Reset Kafka Offsets on Runtime

70. Most Frustrating Parts of Kafka

71. Databricks and Snowflake: Social Media Discussion

72. Integration Digest for February 2025

73. Actively Maintained Official Golang Resources

74. Kafka Authentication Issue

75. Building Data Warehouse Using Kafka

76. No Access to Topic in Heroku Kafka

77. Kafka Encryption and Security Best Practices

78. Security for Humans and Applications in Apache Kafka

79. How to Set Up Redpanda Kafka

80. Kafka Security Best Practices Guide

81. Kafka Architecture and Tools Guide

82. Kafka Security Learning Guide

83. Redpanda Cloud Documentation

84. Apache Kafka SASL/SSL Configuration Issues

85. Software Architecture Hot Posts

86. GraphQL New Posts

87. EDI Rising Posts

88. How to Get Current ACLs Details from Kafka Cluster

89. Red Hat AMQ Streams: Configuring Kafka

90. Configuring ACL for Kafka Topic

91. Kafka UI Access Control Lists

92. Lost Trying to Understand the Current State of .NET

93. EC2 Most Basic Ubuntu Server Becomes Unresponsive

94. Web Development Has to be One of the Most

95. Issues Adding ACLs in KRaft Mode Kafka Cluster

96. Kafka ACLs Preventing Client Connection

97. Kafka Service Broken After Applying ACL

98. Kafka ACLs Unable to Describe Group or View Offsets

99. Is Anyone Exposing Kafka Publicly?

100. Looking for Suggestions on the Definitive Guide v2

101. Protect Sensitive Data and Prevent Bad Practices

102. I Built a Kafka GUI Client for Operating Kafka

103. I am Newly Joined in a Company and I was Given a

104. IBM Developer