4.5 常见场景所需权限

权限类型 AclOperation

一些权限之间有隐含的包含关系

AclOperation	ResourceType	说明
WRITE	Topic	生产者写 Topic 必须有的权限	addPartitionsToTxn

WRITE	TransactionalId	生产者事务写，即设置 transactional.id，必须有此权限	initProducerId,addPartitionsToTxn,addOffsetsToTxn,endTxn
DESCRIBE	TransactionalId	生产者寻找 transaction coordinator 时需要此权限	handleFindCoordinatorRequest

IDEMPOTENT_WRITE	Cluster	生产者幂等写时需要此权限	initProducerId,

CREATE	Topic	生产者自动创建 Topic	Metadata,createTopic
CREATE	Cluster	生产者自动创建 Topic，如果有 Cluster 的权限，则不需要 Topic 的权限	Metadata,createTopic
DESCRIBE	Topic	ListOffsets, Metadata
ALTER	Topic	增加分区

AclOperation	ResourceType	说明
READ	Topic	消费者读取 Topic 必须有的权限	offsetCommit
READ	Group	消费者读取 Topic 必须有的权限	offsetCommit,joinGroup,heartbeat,leaveGroup,syncGroup,addOffsetsToTxn

DESCRIBE	Group	consumer 的用户必须对 `topic` 和 `group` 都有 `DESCRIBE` 权限，才能 fetchOffsets	offsetFetch,findCoordinator,describeGroup
DESCRIBE	Topic	ListOffsets, Metadata	offsetFetch

DESCRIBE	Cluster	list groups 操作需要 `CLUSTER` 的 `DESCRIBE` 权限	listGroups

AclOperation	ResourceType	说明
CLUSTER_ACTION	Cluster	follower 的用户必须对 `CLUSTER` 有 `ClusterAction` 权限，才能从 leader 拉取 partition 数据

AclOperation	ResourceType	说明
DESCRIBE	Cluster	获取权限配置	handleDescribeAcls

https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/acl/AclOperation.java
https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/resource/ResourceType.java
https://medium.com/@nzaporozhets/getting-started-with-kafka-acls-14b16bbf83d1
https://docs.confluent.io/platform/current/kafka/authorization.html#operations
https://kafka.apache.org/27/documentation.html#operations_resources_and_protocols
https://kafka.apache.org/41/security/authorization-and-acls/#operations-and-resources-on-protocols