Hello,

Based on my personal experience, and I'm sure many would agree, managing Kafka ACLs is really a pain in production scenarios. I have seen many projects simply ignore ACLs entirely, or even if they tried initially, eventually all microservices are simply assigned admin rights to avoid operational load.
There are already some custom Authorizers that go beyond simple ACL rules, but they usually rely on external authorization providers and this creates additional operational load and potential points of failure. I'm inviting you to discuss the possibility of a "Pattern Authorizer" that uses a convention-over-configuration approach to assign permissions. Instead of centralized state, it assigns permissions based on patterns encoded right into the client's principal (ideally extracted from the CN in the mTLS certificate).

The core rules for these permission patterns are straightforward:

* Producer Access: Encoded as just the topic name, thus `orders` grants write access to the `orders` topic.
* Consumer Access: Encoded as `TopicName@GroupName`, thus `orders@shipping` grants read access to the `orders` topic for the `shipping` consumer group.
* Multiple Permissions: Joined using the pipe `|` character. So `orders|payments@shipping` grants producer access to `orders` and consumer access to `payments` for the `shipping` group.
* Wildcards: `*` grants producer access to all topics, `*@*` grants full consumer access across all groups.

Because the **identity is the permission**, this eliminates the need for stateful ACL management. This is beneficial in event processing platforms where clients are allowed to publish to topics with their principal names without any need to manage them individually. It also works well in Kubernetes + cert-manager, so that developers can simply declare their required access as code in Certificate manifests along with the deployment code.

Encoding permissions into the principal inherently changes its semantic meaning. But at least for auditing purposes we still have `client.id` to identify the connecting application.

I already have a working open-source implementation of this logic, but I believe having this standardized or even natively available would greatly benefit the community.
It's available here: https://github.com/rmrustem/kafka-pattern-authorizer

I'd love to hear your thoughts on this approach. Thank you!

-Rustem
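The grammar described above, worked through as an added example that is not part of the original post or of the linked kafka-pattern-authorizer project: a small Python model of the pattern parser and the deny-by-default decision it implies. It uses Kafka's ACL vocabulary for operations and resource types (WRITE/READ/DESCRIBE on TOPIC/GROUP); the `Permission` type, the function names, the simplified CN extraction in `principal_from_dn` and the sample principal are assumptions made for this example.

```python
"""Decision logic for a convention-over-configuration "pattern authorizer".

Added example, not code from the kafka-pattern-authorizer project. It models
the grammar from the proposal: a bare topic name means produce (WRITE on the
topic), `topic@group` means consume (READ on the topic and on the group), `|`
joins entries, and a bare `*` in either position matches any name.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Permission:
    topic: str
    group: Optional[str] = None  # None marks a producer entry


def parse_pattern(pattern: str) -> list[Permission]:
    """Parse e.g. `orders|payments@shipping` into Permission entries.

    Empty entries and entries with a missing topic or group are rejected, so a
    malformed principal can never silently widen into a wildcard grant.
    """
    entries = []
    for raw in pattern.split("|"):
        entry = raw.strip()
        if not entry:
            raise ValueError(f"empty permission entry in {pattern!r}")
        if "@" in entry:
            topic, group = entry.split("@", 1)
            if not topic or not group or "@" in group:
                raise ValueError(f"malformed consumer entry {entry!r}")
            entries.append(Permission(topic, group))
        else:
            entries.append(Permission(entry))
    return entries


def _matches(pattern: str, name: str) -> bool:
    # Only a bare "*" is a wildcard; there is no prefix or glob matching.
    return pattern == "*" or pattern == name


def authorize(principal: str, operation: str, resource_type: str, resource_name: str) -> bool:
    """Deny-by-default decision for a single (operation, resource) action."""
    try:
        perms = parse_pattern(principal)
    except ValueError:
        return False  # an unparsable identity grants nothing

    producers = [p for p in perms if p.group is None]
    consumers = [p for p in perms if p.group is not None]

    if resource_type == "TOPIC":
        if operation == "WRITE":
            return any(_matches(p.topic, resource_name) for p in producers)
        if operation == "READ":
            return any(_matches(p.topic, resource_name) for p in consumers)
        if operation == "DESCRIBE":
            return any(_matches(p.topic, resource_name) for p in perms)
    if resource_type == "GROUP" and operation in ("READ", "DESCRIBE"):
        return any(_matches(p.group, resource_name) for p in consumers)
    return False


def principal_from_dn(dn: str) -> str:
    """Extract the CN attribute from a certificate subject DN (simplified).

    Assumes a comma-separated DN without escaped commas; in a real broker the
    same extraction is done by ssl.principal.mapping.rules, not by hand.
    """
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value
    raise ValueError(f"no CN in {dn!r}")


if __name__ == "__main__":
    # Constructed sample: a service that produces to `orders` and consumes `payments`
    principal = principal_from_dn("CN=orders|payments@shipping,O=Example Corp")
    print(principal, authorize(principal, "WRITE", "TOPIC", "orders"))  # True
    print(authorize(principal, "READ", "TOPIC", "orders"))             # False
    print(authorize(principal, "READ", "GROUP", "shipping"))           # True
```

One caveat the model makes visible: a broker authorizes the fetch on a topic and the join of a consumer group as separate actions, so the `topic@group` pairing can only be enforced as "READ on any matching topic" plus "READ on any matching group", exactly as with ordinary ACLs. That is why the parser refuses malformed entries outright rather than falling back to a permissive default, and why `*` and `*@*` stay distinct grants.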
