Kafka ACL Management

Warning: It is not recommended that you use the Kafka ACLs to grant higher privileges than the default given by Instaclustr. This could result in your cluster being unrecoverable and not covered under Instaclustr’s SLA’s. If you require any other configuration, please submit a support request before making any changes beyond those outlined below.

Kafka ACL Management via Kafka CLI

Kafka has built in Access Control Lists so that you can control what users and hosts are allowed to do. Instaclustr has enabled the modification of these consoles. Currently, this is accessed through the Kafka CLI.

The default ickafka user is given the ability to modify ACLs by default. If this user is deleted before you have made the required ACL changes please contact the Technical Operations team and they will be able to recover this for you.

Set Up the Kafka CLI

Instructions for setting up the Kafka CLI can be found on the Connection Info page after you have set up a Kafka cluster 

List the ACLs

  1. Once you have set up the Kafka.properties file as described above you will be able to list the ACLs.
  2. In the bin directory of your kafka cli run:
  3. This should return a list of ACLs for all users
  4. Results can be further filtered by user or host, for example:
  5. The ACLs first list the ResourceGroup, then underneath each line lists User:Operation

Alter the ACLs for Users

Instaclustr by default gives all users created through the dashboard or the API the right to produce or consume from any topic.

Kafka ACLs work on the principle that Deny takes precedence over Allow. So if a user has both Deny and Allow to the one operation on the one resource group, that user will be denied.

Therefore, when considering altering the default Instaclustr Kafka ACLs, do not think about allowing users access to resources, think in the mindset of denying them, as by default they are allowed.

Note: Kafka also assumes that unless there is a specific Allow ACL then the default is Deny.

Altering Kafka User ACLs

Examples of adding ACLs for Kafka users are below:

Examples of removing ACLs for Kafka users below:

Host ACLs

Kafka ACLs also allow restrictions from hosts with the –allow-host or –deny-host flags. Note: IP addresses are only supported. Hostnames are not supported.

Additional ACL Options

The Kafka-acls.sh tool provides some convenience flags for the most common requirements.  These are as follows.

–producerConvenience option to add/remove ACLs for producer role. This will generate ACLs that allows WRITE, DESCRIBE and CREATE on topic.
–consumerConvenience option to add/remove ACLs for consumer role. This will generate ACLs that allows READ, DESCRIBE on topic and READ on consumer-group.

Different Resource Groups

The examples given so far have been limited to users and topics. However, Kafka can have ACLs added at the cluster or group level also. You can also permit more broadly by specifying * on a resource group.

You can also add ACLs on prefixed resource patterns, the default resource pattern is LITERAL, which performs exact name matching. However, you could do something similar to add an ACL to all topics starting with Instaclustr

Kafka ACL Management via Instaclustr API

Instaclustr provides an ACL Management API for Kafka clusters to help you with managing users’ ACL. The ACL  Management API supports the following functions:

  • List ACLs
  • Search (Filter) ACLs
  • Create an ACL
  • Delete ACLs

These examples show how to use the features of the Instaclustr ACL Management API.

For each endpoint listed below, all requests must include basic authentication details:

List ACLs

  1. To retrieve a list of ACLs currently available in the Kafka cluster, make a GET request to:

  2. The API should respond with a 200 status code and a JSON containing the list of ACLs. E.g.:

Search ACLs

  1. To retrieve a list of ACLs currently available in the Kafka cluster, make a POST request to:


    A request body needs to be included specifying the principal, host, resource type, resource name, operation, permission type, and pattern type. E.g.:


    Valid values for resource type, operation, permission type, and pattern type are case insensitive:

    • resourceType: any, cluster, transactional_id, topic, group, delegation_token
    • permissionType: any, allow, deny
    • patternType: any, match, literal, prefixed. literal and prefixed is the actual pattern type of the ACL, whereas patternType match are some special matching type, refer to https://kafka.apache.org/documentation/ and search for –resource-pattern-type for more information on how match works
    • principal: prefixed by User:. Also takes in wildcard * (User:*)
    • host: any string. Also takes in wildcard *
    • resourceName: any string that fits the resource name, e.g., topic name if the resource type is TOPIC
    • operation: any, all, read, write, create, delete, alter, describe, cluster_action, describe_configs, alter_configs, idempotent_write
    • All of the keys are optional, if not supplied it will match any values for that key
  2. On a successful request, the API should respond with a 200 status code and a JSON containing the list of ACLs that fits the search criteria supplied in the request body. E.g.:

Create an ACL

  1. To create a new ACL to the Kafka cluster make a POST request to:


    A request body needs to be included, specifying the principal, host, resource type, resource name, operation, permission type, and pattern type. E.g.:


    Valid values for resource type, operation, permission type, and pattern type are case insensitive :

    • resourceType: cluster, transactional_id, topic, group, delegation_token
    • permissionType: allow, deny
    • patternType: literal, prefixed. 
    • principal: prefixed by User:. Also takes in wildcard * (User:*)
    • host: any string. Also takes in wildcard *
    • resourceName: any string that fits the resource name, e.g., topic name if the resource type is TOPIC
    • operation: all, read, write, create, delete, alter, describe, cluster_action, describe_configs, alter_configs, idempotent_write
    • All of the keys are required
  2. On a successful request, the API should respond with a 200 status code and a short message. E.g.


    Once this message is received, the ACL should be immediately effective in the Kafka cluster.

Delete ACLs

  1. To delete existing ACLs from the Kafka cluster make a DELETE request to:


    A request body needs to be included specifying the principal, host, resource type, resource name, operation, permission type, and pattern type. E.g.:


    Valid values for resource type, operation, permission type, and pattern type are case insensitive:

    • resourceType: any, cluster, transactional_id, topic, group, delegation_token
    • permissionType: any, allow, deny
    • patternType: any, match, literal, prefixed. literal and prefixed is the actual pattern type of the ACL, whereas patternType match are some special matching type, refer to https://kafka.apache.org/documentation/ and search for –resource-pattern-type for more information on how match works
    • principal: prefixed by “User:”. Also takes in wildcard * (User:*)
    • host: any string. Also takes in wildcard *
    • resourceName: any string that fits the resource name, e.g., topic name if the resource type is TOPIC
    • operation: any, all, read, write, create, delete, alter, describe, cluster_action, describe_configs, alter_configs, idempotent_write
    • All of the keys are required
  2. On successful request, the ACL that fits the criteria / filter will be deleted, and the API should respond with a 200 status code. Additionally, a short message is given. E.g.

Kafka ACL Management via Instaclustr Terraform Provider

Instaclustr also provides a way to manage Kafka ACL using Terraform. For more information and examples, have a look at

The documentation for the ACL resource is located in docs/resources/kafka_acl.md and the ACL data source is located in docs/data-sources/kafka_acl.md .

By Instaclustr Support
Need Support?
Experiencing difficulties on the website or console?
Already have an account?
Need help with your cluster?
Contact Support
Why sign up?
To experience the ease of creating and managing clusters via the Instaclustr Console
Spin up a cluster in minutes