docs(acls): describes handling of special users #11118
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: prmellor <pmellor@redhat.com>
scholzj
reviewed
Feb 7, 2025
Comment on lines
-45
to
-50
| == Super user access to Kafka brokers | ||
|
|
||
| If a user is added to a list of super users in a Kafka broker configuration, | ||
| the user is allowed unlimited access to the cluster regardless of any authorization constraints defined in ACLs in `KafkaUser`. | ||
|
|
||
| For more information on configuring super user access to brokers, see xref:con-securing-kafka-authorization-{context}[Kafka authorization]. |
There was a problem hiding this comment.
Do we have this covered somewhere else?
|
|
||
| The User Operator manages ACLs for standard Kafka users but cannot define rules for special usernames such as `User:ANONYMOUS` or `User:*`. | ||
| These users are ignored because their names are not valid Kubernetes resource names. | ||
| If ACL rules with special usernames are present in a `KafkaUser` resource, the User Operator logs a message for information but does not apply them. |
There was a problem hiding this comment.
These users cannot have any KafkaUser resources. So this is not valid. The part about logging should be part of the next sentence.
Suggested change
| If ACL rules with special usernames are present in a `KafkaUser` resource, the User Operator logs a message for information but does not apply them. |
| These users are ignored because their names are not valid Kubernetes resource names. | ||
| If ACL rules with special usernames are present in a `KafkaUser` resource, the User Operator logs a message for information but does not apply them. | ||
| You can manually configure ACL rules for these usernames using tools like `kafka-acls.sh`. | ||
| These manual configurations are not deleted by the User Operator. |
There was a problem hiding this comment.
Suggested change
| These manual configurations are not deleted by the User Operator. | |
| When these manual configurations are present in Kafka, the User Operator logs a message for information but does not delete them. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Documentation
Describes handling of special users by User Operator.
Extracts Defining ACLs concepts into higher-level section within client authorization content to make the content easier to find.
Checklist
Please go through this checklist and make sure all applicable tasks have been done