Kafka Administrator

Client Access

Before a client can access Kafka, their user principal must be granted access by an administrator.

Grant User Access

To grant a user access to Kafka, a user with admin privileges issues a PUT request to /api/v1/kafka/users/{user} where {user} is the user’s principal ID (in Keycloak).

A user can get their principal from the auth test API.

The PUT request creates a KafkaUser custom resource (an instance of the KafkaUser CRD), along with an associated Secret containing the user’s credentials.

Users can download their credentials, along with everything else they need (SSL certificate, host URL, etc.), from the client credentials API endpoint.

Anyone accessing Kafka must have a KafkaUser CRD instance.

Request
curl -X 'PUT' \
  'http://localhost/api/v1/kafka/users/21feb230-3ac4-471c-b90d-6d145a8b3f6e' \
  -H 'accept: application/json' \
  -H 'Authorization: Basic YWRtaW46eUNITHBDaG12dDRuTVUwNWpaZTZBbGl0'

The last path segment of the URL is the user principal to grant access to Kafka. The Authorization header carries credentials for an admin user (can use Basic username/password or Bearer token).

If successful, you will get a response that echoes back a confirmation of the user’s principal that was granted.

Response
{
  "name": "21feb230-3ac4-471c-b90d-6d145a8b3f6e"
}

List Authorized Users

Admins can get a list of currently authorized users with a GET to /api/v1/kafka/users.

Request
curl -X 'GET' \
  'http://localhost/api/v1/kafka/users' \
  -H 'accept: application/json' \
  -H 'Authorization: Basic YWRtaW46eUNITHBDaG12dDRuTVUwNWpaZTZBbGl0'

Response
[
  {
    "name": "21feb230-3ac4-471c-b90d-6d145a8b3f6e"
  },
  {
    "name": "972f1aff-9c94-4e73-92be-f45a9156c83e"
  },
  {
    "name": "2204a4ec-9137-4d3d-a61a-b24409a9cd20"
  }
]

Revoke User Access

To revoke a user’s access to Kafka, an admin issues a DELETE request to /api/v1/kafka/users/{user} where {user} is the user’s principal ID (in Keycloak).

A user can get their principal from the auth test API.

Request
curl -X 'DELETE' \
  'http://localhost/api/v1/kafka/users/21feb230-3ac4-471c-b90d-6d145a8b3f6e' \
  -H 'accept: application/json' \
  -H 'Authorization: Basic YWRtaW46eUNITHBDaG12dDRuTVUwNWpaZTZBbGl0'

The last path segment of the URL is the user principal to revoke access to Kafka. The Authorization header carries credentials for an admin user (can use Basic username/password or Bearer token).

If successful, you will get a response that echoes back a confirmation of the user’s principal that was revoked.

Response
{
  "name": "21feb230-3ac4-471c-b90d-6d145a8b3f6e"
}
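
The grant, list and revoke endpoints above combine into a periodic access review. The following is an added example, not code from this project: it diffs the list response against an approved set of principals and, only when asked, revokes or grants through the same DELETE and PUT calls. The Bearer token, the approved list and the function names are assumptions; the base URL is the one used in the curl examples.

```python
# Added example, not the project's code: plan and apply a Kafka access review.
import json
import urllib.request
from urllib.parse import quote

BASE_URL = "http://localhost/api/v1/kafka/users"  # from the page's curl examples

def build_request(method, token, principal=None):
    """Admin request for the users endpoint (Bearer token assumed)."""
    url = BASE_URL if principal is None else f"{BASE_URL}/{quote(principal, safe='')}"
    headers = {"accept": "application/json", "Authorization": f"Bearer {token}"}
    return urllib.request.Request(url, method=method, headers=headers)

def call(req):
    """Send the request and decode the JSON response body."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def plan(authorized, approved):
    """Diff the GET /api/v1/kafka/users body against the approved principals.

    Returns (to_revoke, to_grant) as sorted lists.
    """
    current = {entry["name"] for entry in authorized}
    wanted = set(approved)
    return sorted(current - wanted), sorted(wanted - current)

def reconcile(token, approved, apply=False):
    """Report drift; change access only when apply=True (dry run by default)."""
    to_revoke, to_grant = plan(call(build_request("GET", token)), approved)
    for method, principals in (("DELETE", to_revoke), ("PUT", to_grant)):
        for principal in principals:
            print(method, principal)
            if apply:
                call(build_request(method, token, principal))
    return to_revoke, to_grant

if __name__ == "__main__":
    # Constructed sample in the shape of the page's list response; no network used.
    listed = [{"name": "21feb230-3ac4-471c-b90d-6d145a8b3f6e"},
              {"name": "972f1aff-9c94-4e73-92be-f45a9156c83e"}]
    approved = ["972f1aff-9c94-4e73-92be-f45a9156c83e",
                "00000000-0000-0000-0000-000000000000"]  # placeholder principal
    print(plan(listed, approved))
```

Run reconcile() without apply=True first and review the printed DELETE and PUT lines before letting it change access.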