This is an automated email from the ASF dual-hosted git repository.

mimaison pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/kafka-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 64ea310b MINOR: Fix docs in security.html (#461)
64ea310b is described below

commit 64ea310bd4c507054c663a93e204e19209ca0430
Author: JK-Wang <[email protected]>
AuthorDate: Tue Jan 24 22:48:19 2023 +0800

    MINOR: Fix docs in security.html (#461)
    
    
    Reviewers: Mickael Maison <[email protected]>
---
 33/security.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/33/security.html b/33/security.html
index f401c1c1..e640b537 100644
--- a/33/security.html
+++ b/33/security.html
@@ -1516,7 +1516,7 @@ 
RULE:[n:string](regexp)s/pattern/replacement/g/U</code></pre>
             Suppose you want to add an acl "Principals User:Bob and User:Alice 
are allowed to perform Operation Read and Write on Topic Test-Topic from IP 
198.51.100.0 and IP 198.51.100.1". You can do that by executing the CLI with 
following options:
             <pre class="line-numbers"><code class="language-bash">&gt; 
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 
--add --allow-principal User:Bob --allow-principal User:Alice --allow-host 
198.51.100.0 --allow-host 198.51.100.1 --operation Read --operation Write 
--topic Test-topic</code></pre>
             By default, all principals that don't have an explicit acl that 
allows access for an operation to a resource are denied. In rare cases where an 
allow acl is defined that allows access to all but some principal we will have 
to use the --deny-principal and --deny-host option. For example, if we want to 
allow all users to Read from Test-topic but only deny User:BadBob from IP 
198.51.100.3 we can do so using following commands:
-            <pre class="line-numbers"><code class="language-bash">&gt; 
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 
--add --allow-principal User:* --allow-host * --deny-principal User:BadBob 
--deny-host 198.51.100.3 --operation Read --topic Test-topic</code></pre>
+            <pre class="line-numbers"><code class="language-bash">&gt; 
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 
--add --allow-principal User:'*' --allow-host '*' --deny-principal User:BadBob 
--deny-host 198.51.100.3 --operation Read --topic Test-topic</code></pre>
             Note that <code>--allow-host</code> and <code>--deny-host</code> 
only support IP addresses (hostnames are not supported).
             Above examples add acls to a topic by specifying --topic 
[topic-name] as the resource pattern option. Similarly user can add acls to 
cluster by specifying --cluster and to a consumer group by specifying --group 
[group-name].
             You can add acls on any resource of a certain type, e.g. suppose 
you wanted to add an acl "Principal User:Peter is allowed to produce to any 
Topic from IP 198.51.200.0"
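
Review bot: The quoting added at `--allow-principal User:'*' --allow-host '*'` is not explained anywhere in the surrounding text, so a reader retyping the command has no cue that the quotes matter. Consider adding one sentence after this example saying that the wildcard must be quoted so the shell passes a literal `*` to kafka-acls.sh instead of expanding it to file names in the current directory. The commit message could also state that this is a shell-quoting fix. Separately, in the unchanged context of this hunk the first example's prose names the topic "Test-Topic" while its command uses `--topic Test-topic`; since topic names are case sensitive, it would be worth aligning the two while this section is being edited.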
