It turns out that Kafka ACLs support a wildcard principal; I missed this in the documentation.
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=test3, patternType=LITERAL)`:
  (principal=User:*, host=*, operation=ALL, permissionType=ALLOW)

It is good now.

________________________________
From: Jun Wang <wj1...@hotmail.com>
Sent: Monday, May 18, 2020 2:11 PM
To: users@kafka.apache.org <users@kafka.apache.org>
Subject: Re: ACLs - How To Allow Anyone To Access of A Topic

I am testing in a dev environment; maybe it does not make sense in production. See my detailed explanation below and a rephrasing of the question:

1. I have mixed authenticated and unauthenticated users in the system. For example:

   listeners=PLAINTEXT://localhost:9092,SASL_PLAINTEXT://localhost:9093

   Users coming in on port 9092 are unauthenticated, thus ANONYMOUS; users coming in on port 9093 are SASL authenticated.

2. I want fine-grained access control over topics, so I set allow.everyone.if.no.acl.found=false.

3. I want some topics to be private to certain users and some topics public to everyone.

   |Topic Name | test1 | test2 | test3    |
   |-----------|-------|-------|----------|
   |ACLs       | Bob   | Alice | Everyone |

The focus is on the ACLs of the test3 topic.

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=test3, patternType=LITERAL)`:
  line 1: (principal=User:ANONYMOUS, host=*, operation=ALL, permissionType=ALLOW)
  line 2: (principal=User:bob, host=*, operation=ALL, permissionType=ALLOW)       // rule for Bob
  line 3: (principal=User:alice, host=*, operation=ALL, permissionType=ALLOW)     // rule for Alice

I have to set up the explicit rule on line 1 to allow anonymous access, and lines 2 and 3 for Bob and Alice. I thought line 1 already covered lines 2 and 3, so lines 2 and 3 are redundant. Do we need lines 2 and 3 at all?
Thanks
Jun

________________________________
From: Andrew Otto <o...@wikimedia.org>
Sent: Monday, May 18, 2020 11:51 AM
To: users@kafka.apache.org <users@kafka.apache.org>
Subject: Re: ACLs - How To Allow Anyone To Access of A Topic

If I understand correctly, if your client authenticates, there must be an ACL for that principal, otherwise it will fail authorization. If you are going to allow everything anyway, perhaps you don't need to authenticate?
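The following is an added illustration, not code from the thread or from Kafka itself. It is a small Python model of the decision Kafka's ACL authorizer makes for a LITERAL topic name (matching DENY first, then ALLOW, with the allow.everyone.if.no.acl.found fallback applied only when the topic has no ACLs at all), and it replays the thread's three-topic setup: Jun's first attempt with only User:ANONYMOUS on test3, and the User:* wildcard-principal fix. The principal names, the client address 10.0.0.5 and the extra topic test4 are constructed for the example; superusers, PREFIXED patterns and the "*" resource name are left out of the model.

```python
"""Model of Kafka's ACL decision for the three-topic setup in the thread.

Illustrative re-implementation only, not Kafka's AclAuthorizer. It covers
LITERAL topic names, ALLOW/DENY precedence, the wildcard principal User:*
and the allow.everyone.if.no.acl.found fallback. All names and hosts below
are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Set

WILDCARD_PRINCIPAL = "User:*"   # the wildcard principal the thread discovered

# Operations Kafka treats as implying another (a client allowed to READ may
# also DESCRIBE the topic); ALL implies every operation.
IMPLIED = {
    "READ": {"DESCRIBE"}, "WRITE": {"DESCRIBE"},
    "DELETE": {"DESCRIBE"}, "ALTER": {"DESCRIBE"},
    "ALTER_CONFIGS": {"DESCRIBE_CONFIGS"},
}


@dataclass(frozen=True)
class Acl:
    principal: str    # "User:bob", "User:ANONYMOUS" or "User:*"
    host: str         # client IP or "*"
    operation: str    # "ALL", "READ", "WRITE", ...
    permission: str   # "ALLOW" or "DENY"

    def matches(self, principal: str, host: str, operation: str) -> bool:
        if self.principal not in (principal, WILDCARD_PRINCIPAL):
            return False
        if self.host not in (host, "*"):
            return False
        if self.operation in ("ALL", operation):
            return True
        return operation in IMPLIED.get(self.operation, set())


def authorize(acls: Dict[str, Iterable[Acl]], allow_everyone_if_no_acl_found: bool,
              principal: str, host: str, operation: str, topic: str) -> bool:
    """Return True if the request is allowed under Kafka's decision order."""
    resource_acls = list(acls.get(topic, ()))
    # The fallback applies only when the topic has NO ACLs at all; once one
    # ACL exists, every principal it does not match is denied.
    if not resource_acls:
        return allow_everyone_if_no_acl_found
    # Any matching DENY wins over any ALLOW.
    if any(a.permission == "DENY" and a.matches(principal, host, operation)
           for a in resource_acls):
        return False
    return any(a.permission == "ALLOW" and a.matches(principal, host, operation)
               for a in resource_acls)


# The thread's table: test1 private to Bob, test2 private to Alice, test3 public.
PRINCIPALS = ("User:ANONYMOUS", "User:bob", "User:alice")
CLIENT_HOST = "10.0.0.5"   # constructed client address

# First attempt from the thread: only the ANONYMOUS principal is allowed on test3,
# so an authenticated client (bob, alice) is denied there.
ACLS_ANONYMOUS_ONLY = {
    "test1": [Acl("User:bob", "*", "ALL", "ALLOW")],
    "test2": [Acl("User:alice", "*", "ALL", "ALLOW")],
    "test3": [Acl("User:ANONYMOUS", "*", "ALL", "ALLOW")],
}

# The fix from the thread: one wildcard-principal ACL covers every principal.
ACLS_WILDCARD = {
    "test1": [Acl("User:bob", "*", "ALL", "ALLOW")],
    "test2": [Acl("User:alice", "*", "ALL", "ALLOW")],
    "test3": [Acl(WILDCARD_PRINCIPAL, "*", "ALL", "ALLOW")],
}


def who_can(acls: Dict[str, Iterable[Acl]], operation: str, topic: str,
            allow_everyone_if_no_acl_found: bool = False) -> Set[str]:
    """Principals from PRINCIPALS that may perform `operation` on `topic`."""
    return {p for p in PRINCIPALS
            if authorize(acls, allow_everyone_if_no_acl_found,
                         p, CLIENT_HOST, operation, topic)}


if __name__ == "__main__":
    for name, acls in (("ANONYMOUS only", ACLS_ANONYMOUS_ONLY),
                       ("User:* wildcard", ACLS_WILDCARD)):
        print(f"{name}: READ on test3 allowed for "
              f"{sorted(who_can(acls, 'READ', 'test3'))}")
```

Two points the model makes explicit: a single ACL on a topic switches that topic from "no ACLs, apply the fallback" to "deny everything unmatched", which is why Andrew's remark holds and bob was refused on test3 until a rule matched him; and a DENY entry still overrides the User:* ALLOW, so a public topic can carve out exceptions. On a real broker the wildcard rule corresponds to the standard kafka-acls.sh form, `--add --allow-principal 'User:*' --operation All --topic test3`.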