We are currently running an unsecured Kafka setup on AWS MSK (so I don't have access to most config files directly and need to use the kafka-cli) and are looking into ways to add protection. Setting up TLS & SASL is easy, though as our Kafka cluster is behind a VPN and already has restricted access does not add more security.
We want to start with the most important and in our opinion quick win security addition. Protect topics from being deleted (and created) by all users.
We currently have allow.everyone.if.no.acl.found set to true.
All I find on Google or Stack Overflow shows me how I can restrict users from reading/writing to other topics than they have access to. Though Ideally that is not what we want to implement as a first step.
I have found things about a root-user (Is an admin user, though was called root in all tutorials I read). Though the examples I have found don't show examples of adding an ACL to this root user to make it the only one accessible, the topic deletion/creation.
Can you please explain how to create a user that, and block all other users?
By the way, we also don't use zookeeper, even though an MSK-cluster ads this per default. And hope we can do this without adding zookeeper actively to our stack. The answer given here hardly relies on zookeeper. Also, this answer points to the topic read/write examples only, even though the question was the same as I am asking
I'd like to start with a disclaimer that I'm personally not familiar with AWS MSK offering in great detail so this answer is largely based on my understanding of the open source distribution of Apache Kafka.
First - The Kafka ACLs are actually stored in Zookeeper by default so if you're not using Zookeeper, it might be worth adding this if you're not using it.
Reference - Kafka Definitive Guide - 2nd edition - Chapter 11 - Securing Kafka - Page 294
Second - If you're using SASL for authentication through any of the supported mechanisms such as GSSAPI (Kerberos), then you'll need to create a principal as you would normally create one and use one of the following options:
Add the required permissions for topic creation/deletion etc. using the kafka-acls command (Command Reference)
bin/kafka-acls.sh --add --cluster --operation Create --authorizer-properties zookeeper.connect=localhost:2181 --allow-principal User:admin
Note - admin is the assumed principal name
Or add admin user to the super users list in server.properties file by adding the following line so it has unrestricted access on all resources
super.users=User:Admin
Any more users can be added in the same line delimited by ;.
To add the strictness, you'll need to set allow.everyone.if.no.acl.found to false so any access to any resources is only granted by explicitly adding these permissions.
Third - As you've asked specifically about your root user, I'm assuming you're referring to the linux root here. You could just restrict the linux level permissions using chmod command for the kafka-acls.sh script but that is quite a crude way of achieving what you need. I'm also not entirely sure if this is doable in MSK or not.