This article focuses on how to set up users for your Redpanda cluster, without going into too much detail. For more information on the rpk commands, please take a look at our rpk security documentation.
Important: As of Redpanda v24.1+, the rpk acl command has changed to rpk security acl. If you are using a version prior to 24, then you can omit the security part of the commands below.
Let's first quickly review some common terms we will run into:
Terminology | Definition |
principal | The user |
host | Where the principal is allowed or denied to make requests from |
resource | What is the principal allowed to access (topic, group) |
operation | What action(s) can the principal perform (write, read, etc.) |
permissions | Are they allowed to perform that "operation" |
If you already have SASL enabled, you can skip to the "Add Principals" section, as you most likely already have a superuser configured. In that case, you will most likely need to pass the -X user and -X pass flags to create additional principals (unless your username and password are already set up for your rpk commands in your redpanda.yaml configuration file).
Designate Superusers
Before even enabling SASL, you will want to create a superuser which has unrestricted access. Otherwise, when you enable ACL, you will no longer have access to your cluster.
rpk cluster config set superusers "['admin']"
Add Principals
Next, let's set up a password for our superuser.
rpk security user create admin -p <plain text password>
We can also create some additional users.
rpk security user create <username> -p <plain text password>
Enable SASL
Once you enable SASL, you will no longer be able to run any commands without passing in the credentials for the superuser you created. You might also need to update your configuration to access Console, which is out of scope of this article, but the Console Configuration documentation goes through it in more detail.
Enable SASL:
rpk cluster config set enable_sasl true
Enable auth for the Admin API. Note that this command requires the username and password for a superuser:
rpk cluster config set admin_api_require_auth true -X user=<username> -X pass=<password>
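The ordering above (superuser designated and given a password before enable_sasl is turned on) can be enforced with a guard that refuses to enable SASL otherwise. This is an added example, not code from Redpanda; the function names, the fake_rpk stand-in and the assumed output format of rpk cluster config get superusers and rpk security user list are assumptions.

```shell
#!/bin/sh
# Added example: refuse to enable SASL until the lockout preconditions hold.
# Assumption: rpk prints superusers as a YAML or inline list, users one per line.
RPK="${RPK:-rpk}"   # RPK=fake_rpk selects the constructed stand-in below

# Constructed stand-in for rpk (offline dry runs only; not real rpk output).
fake_rpk() {
  case "$*" in
    "cluster config get superusers") for u in $FAKE_SUPERUSERS; do echo "- $u"; done ;;
    "security user list") echo USERNAME; for u in $FAKE_USERS; do echo "$u"; done ;;
    *) echo "rpk $*" ;;
  esac
}

# Succeeds if $1 is listed in the superusers cluster property.
is_superuser() {
  $RPK cluster config get superusers |
    sed -e 's/^- *//' -e "s/[][',\"]/ /g" | tr -s ' ' '\n' | grep -qxF -- "$1"
}

# Succeeds if SASL credentials exist for $1.
has_sasl_user() {
  $RPK security user list | tr -s ' \t' '\n' | grep -qxF -- "$1"
}

# Enable SASL only when $1 is a superuser that can authenticate.
enable_sasl_safely() {
  admin="$1"
  if ! is_superuser "$admin"; then
    echo "refusing: '$admin' is not in superusers" >&2
    return 1
  fi
  if ! has_sasl_user "$admin"; then
    echo "refusing: no SASL user '$admin' exists" >&2
    return 2
  fi
  $RPK cluster config set enable_sasl true
}

# Usage: sh script.sh --apply [superuser]; without --apply nothing is changed.
if [ "${1:-}" = "--apply" ]; then
  enable_sasl_safely "${2:-admin}"
fi
```

If rpk is missing or a lookup fails, both checks fail closed and SASL is left disabled.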
Assigning Permissions
In the examples below, we assume a topic called "logs" and two users: "producer", which produces the logs, and "consumer", which consumes them.
For more details on different permissions, please review our rpk security documentation.
Producer permissions:
rpk security acl create --allow-principal User:producer --operation write,describe --topic logs
Consumer permissions:
rpk security acl create --allow-principal User:consumer --operation read,describe --topic logs