Apache Kafka User Management

Instaclustr provides both a User Management UI and User Management API for Kafka clusters to help you with managing users. The User Management UI and API provide four functions:

List Users
Add Users
Change User Passwords
Delete Users

All Kafka users created or listed in the Users list will have read and write access to all topics in the cluster. There are details below on how to change this in Kafka ACL Management. If you require any other configuration, please submit a support request.

All Kafka clusters will have an ickafka user automatically created as a convenience, which can be deleted. If the ickafka user is deleted or has the password changed the new password will not be stored and the credentials will disappear from the cluster’s Connection Info page. Because changed passwords and new user passwords will not be stored, ensure you make a note of the passwords to user accounts.

For Kafka Schema Registry and Kafka Rest Proxy services, the user password can be updated from the dashboard Kafka user management UI. We do not support user deletion or creation for these services. Make sure you take into account that the services will be restarted when actioning a password change.

User management is not available for Kafka clusters with KRaft mode enabled whilst KRaft is a Public Preview release. This is because SCRAM encryption is not currently supported for KRaft by the Kafka project. If you require any user management on a Kafka cluster with KRaft mode, please submit a support request.

User Management UI

These examples show how to use the features of the Instaclustr console’s User Management UI.

List Users

To list available Kafka users, navigate to the Users tab of your Kafka cluster.
The Users page will list all Kafka users on the cluster. If you have enabled Kafka Schema Registry and/or Kafka Rest Proxy, you will be able to see the default users for those services by clicking on the relevant tabs at the top of the page.

Add User

To add a new Kafka user, first, navigate to the Users page of your Kafka cluster. From the Users page, click the Add New User button. You will be redirected to the form for adding a new user.
Enter the desired username and password for the new Kafka user, the desired level of initial permissions, and a user authentication mechanism. The initial permissions setting can be one of three things:
1. Standard – The new user will be able to read and write to all topics
2. Read-only – The new user will be able to read from all topics, but not write
3. None – The new user will have no initial permissions
Once you’ve entered the required information, click the Add User button. This will create the new user and redirect you to the Users page, where the new user will be shown in the list of users.

Change User Password

To change the password of an existing Kafka user, first, navigate to the Users page of your Kafka cluster. From the Users page, click the Change Password button of the user whose password you want to change. You will be redirected to the form for changing your password.
Enter a new password for the user and a user authentication mechanism. Once you’ve entered the required information, click the Change Password button.

Delete User

To delete an existing Kafka user, first, navigate to the Users page of your Kafka cluster. From the Users page, click the Delete button for the user that you want to delete.
Click on the Delete User button to confirm the deletion of the user.

User Management API

These examples show how to use the features of the Instaclustr User Management API.

Please note that we currently do not support Kafka schema registry and Kafka rest proxy with add user and delete user functions.

To provide customers with a high level of security, the Kafka User API endpoint will not store or allow customers to retrieve passwords for Kafka users.
For each endpoint listed below, all requests must include basic authentication details:

Username: <your Instaclustr account username> 
Password: <your Instaclustr provisioning API key>

1 2	Username: <your Instaclustr account username> Password: <your Instaclustr provisioning API key>

List Users

To retrieve a list of users currently enabled in the Kafka cluster, make a GET request to:
https://api.instaclustr.com/provisioning/v1/<cluster_id>/kafka/users
1
https://api.instaclustr.com/provisioning/v1/<cluster_id>/kafka/users
The API should respond with a 200 status code and a JSON list of users. E.g.:
[ "ickafka" ]
1
2
3
[
"ickafka"
]
To list the users of Kafka rest proxy or Kafka schema registry, use the bundle name as kafka_rest_proxy or kafka_schema_registry respectively in the GET request. E.g.:
https://api.instaclustr.com/provisioning/v1/<cluster_id>/kafka_schema_registry/users https://api.instaclustr.com/provisioning/v1/<cluster_id>/kafka_rest_proxy/users
1
2
3
https://api.instaclustr.com/provisioning/v1/<cluster_id>/kafka_schema_registry/users

https://api.instaclustr.com/provisioning/v1/<cluster_id>/kafka_rest_proxy/users

Add User

To add a new user to the Kafka cluster (with read/write access to all topics), make a POST request to:
https://api.instaclustr.com/provisioning/v1/<cluster_id>/kafka/users
1
https://api.instaclustr.com/provisioning/v1/<cluster_id>/kafka/users

A request body should be included, specifying the username and password, and initial permissions to use. E.g.:
{ "username": "test1", "password": "Test1Test1", "initial-permissions": "standard" }
1
2
3
4
5
{
  "username": "test1",
  "password": "Test1Test1",
  "initial-permissions": "standard"
}
Valid values for “initial-permissions” are : “standard”, “read-only”, “none”.
The API should respond with a 201 status code and a short message. E.g.
{ "message": "User test1 created." }
1
2
3
{
"message": "User test1 created."
}
Once this message is received, the user should be immediately available for use when connecting to the Kafka cluster.

Change User Password

To change an existing user’s password, make a POST request to:
https://api.instaclustr.com/provisioning/v1/<cluster_id>/kafka/users/reset-password
1
https://api.instaclustr.com/provisioning/v1/<cluster_id>/kafka/users/reset-password

A request body should be included, specifying the username and password to apply. E.g.:

{
  "username": "test1",
  "password": "Test2Test2"
}
1
2
3
4
{
  "username": "test1",
  "password": "Test2Test2"
}

2. The API should respond with a 200 status code and a short message. E.g.:

{
  "message": "Updated password for user test1."
}
1
2
3
{
  "message": "Updated password for user test1."
}

3. To change the user passwords of Kafka rest proxy or Kafka schema registry, use the bundle name as kafka_rest_proxy or kafka_schema_registry respectively in the POST request. E.g.:

https://api.instaclustr.com/provisioning/v1/<cluster_id>/kafka_rest_proxy/users/reset-password

https://api.instaclustr.com/provisioning/v1/<cluster_id>/kafka_schema_registry/users/reset-password

1

2

3

https://api.instaclustr.com/provisioning/v1/<cluster_id>/kafka_rest_proxy/users/reset-password

https://api.instaclustr.com/provisioning/v1/<cluster_id>/kafka_schema_registry/users/reset-password

Delete User

To delete a Kafka user, make a DELETE request to:
https://api.instaclustr.com/provisioning/v1/<cluster_id>/kafka/users
1
https://api.instaclustr.com/provisioning/v1/<cluster_id>/kafka/users

A request body should be included, specifying the username and password to use. E.g.:
{ "username": "test1" }
1
2
3
{
"username": "test1"
}
2. The API should respond with a 200 status code and a short message. E.g.
{ "message": "User test1 has been deleted." }
1
2
3
{
"message": "User test1 has been deleted."
}

By Instaclustr Support

Previous Article Kafka Topic Management Next Article Kafka ACL Management

Need Support?

Learn More

Experiencing difficulties on the website or console?

Status page for known incidents

Already have an account?

Log In to the Console

Need help with your cluster?

Contact Support

Why sign up?

To experience the ease of creating and managing clusters via the Instaclustr Console