ACL Permissions

Klag requires read-only access. It uses only the Kafka Admin Client API with DESCRIBE permissions. No write or alter access is ever needed.

| Resource | Name | Permission | Operations |
|---|---|---|---|
| CLUSTER | kafka-cluster | DESCRIBE | Health check, list consumer groups. |
| TOPIC | `*` or prefixed | DESCRIBE | Get partition info and offsets. |
| GROUP | `*` or prefixed | DESCRIBE | Get group state and committed offsets. |

```bash
# Cluster permissions (required)
kafka-acls --bootstrap-server <broker> \
  --add --allow-principal User:<klag-user> \
  --operation Describe --cluster

# All topics
kafka-acls --bootstrap-server <broker> \
  --add --allow-principal User:<klag-user> \
  --operation Describe --topic '*'

# All consumer groups
kafka-acls --bootstrap-server <broker> \
  --add --allow-principal User:<klag-user> \
  --operation Describe --group '*'
```
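To confirm that the principal really ends up read-only, the ACL listing can be checked mechanically. The script below is an added example, not part of Klag; it assumes the `Current ACLs for resource ...` listing format printed by recent Kafka releases, and the principals in the sample are constructed.

```shell
#!/usr/bin/env bash
# audit_klag_acls PRINCIPAL: reads `kafka-acls --list` output on stdin.
# Prints one line per finding and returns 0 only if the principal holds
# ALLOW DESCRIBE on CLUSTER, TOPIC and GROUP and no other ALLOW operation.
audit_klag_acls() {
  awk -v p="$1" '
    /resourceType=/ {
      # Header line: remember which resource the following entries belong to.
      match($0, /resourceType=[A-Z_]+/); rtype = substr($0, RSTART + 13, RLENGTH - 13)
      match($0, /name=[^,]+/);           rname = substr($0, RSTART + 5, RLENGTH - 5)
      next
    }
    # The trailing comma keeps User:klag from matching User:klag-old.
    index($0, "principal=" p ",") && /permissionType=ALLOW/ {
      match($0, /operation=[A-Z_]+/); op = substr($0, RSTART + 10, RLENGTH - 10)
      if (op == "DESCRIBE") seen[rtype] = 1
      else { printf "EXCESS %s on %s %s\n", op, rtype, rname; bad = 1 }
    }
    END {
      n = split("CLUSTER TOPIC GROUP", need, " ")
      for (i = 1; i <= n; i++)
        if (!(need[i] in seen)) { printf "MISSING DESCRIBE on %s\n", need[i]; bad = 1 }
      exit bad + 0
    }'
}

# Constructed sample listing (assumed format; principal names are made up).
sample_acls() {
  cat <<'EOF'
Current ACLs for resource `ResourcePattern(resourceType=CLUSTER, name=kafka-cluster, patternType=LITERAL)`:
 	(principal=User:klag, host=*, operation=DESCRIBE, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=*, patternType=LITERAL)`:
 	(principal=User:klag, host=*, operation=DESCRIBE, permissionType=ALLOW)
 	(principal=User:klag-old, host=*, operation=DESCRIBE, permissionType=ALLOW)
 	(principal=User:klag-old, host=*, operation=WRITE, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=*, patternType=LITERAL)`:
 	(principal=User:klag, host=*, operation=DESCRIBE, permissionType=ALLOW)
EOF
}
```

Against a live cluster, pipe `kafka-acls --bootstrap-server <broker> --list` into `audit_klag_acls User:<klag-user>`; a non-zero exit means the principal is missing a required DESCRIBE or holds more than read-only access.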

Create a service account with the following ACLs using the Confluent CLI.

```bash
CLUSTER_ID="<your-cluster-id>"
SERVICE_ACCOUNT="<service-account-id>"

# Each command targets the cluster explicitly via --cluster rather than
# relying on whichever cluster is currently active in the CLI.

# Cluster permissions
confluent kafka acl create --allow --service-account "$SERVICE_ACCOUNT" \
  --cluster "$CLUSTER_ID" \
  --operations describe --cluster-scope

# All topics
confluent kafka acl create --allow --service-account "$SERVICE_ACCOUNT" \
  --cluster "$CLUSTER_ID" \
  --operations describe --topic '*'

# All consumer groups
confluent kafka acl create --allow --service-account "$SERVICE_ACCOUNT" \
  --cluster "$CLUSTER_ID" \
  --operations describe --consumer-group '*'
```