Implementing deny ACL on all topics except specific ones effectively

Hey all! I’m trying to put a deny ACL on all topics except some specific ones; is there a way to do it? I know that deny is applied last, so it will win.

Maybe you know some best practice way, thanks!

When you set allow.everyone.if.no.acl.found to true, all the authorization requests are denied unless there’s an ACL match.

So, I think combining this with --resource-pattern-type prefixed may solve what you’re looking for?

You could add ALLOW rules only for the specific topics that you want to be accessed.

You could also add ACL DENY rules for the specific topics that you don’t want to be accessible; however, you may not need these depending upon the settings. Generally, I try to avoid DENY ACL rules as much as possible.

Thanks for your answer!
I’ll go through the use case and maybe it will help: we provide managed Kafka clusters to our organization, and we want to keep Kafka from crashing when a client spams it (np pp clusters); we have around 200 clusters across a lot of different clients.

We thought of developing a read-only mechanism, for example: when the broker reaches 95% disk usage, deny all writes to the cluster (except for our internal topics).

And for that we need an ACL that denies all writes to topics but leaves the internal ones open to us.

We tried other options like quotas, but they let about 10% of messages through (even big messages) to Kafka and didn’t limit at all: ‘producer_byte_rate=1’
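To see why the answer above steers toward ALLOW-only rules for the read-only use case, here is a small Python model of how Kafka's AclAuthorizer decides a topic request, added for this page and not the project's own code. It assumes an "internal-" topic prefix and a "User:app" client (both made up): with the broker default allow.everyone.if.no.acl.found=false, the ALLOW-only set leaves only the internal prefix writable, while a wildcard DENY on WRITE blocks the internal topics too, because a matching DENY always takes precedence.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Acl:
    """One ACL binding as kafka-acls.sh creates it (constructed model, not Kafka's code)."""
    principal: str     # "User:alice" or the wildcard principal "User:*"
    host: str          # client address or "*"
    operation: str     # READ, WRITE, DESCRIBE, ALL, ...
    permission: str    # ALLOW or DENY
    pattern_type: str  # LITERAL or PREFIXED (--resource-pattern-type)
    name: str          # topic name, prefix, or the LITERAL wildcard "*"

    def matches_topic(self, topic: str) -> bool:
        if self.pattern_type == "PREFIXED":
            return topic.startswith(self.name)
        return self.name in ("*", topic)

def authorize(acls, allow_everyone_if_no_acl, principal, host, operation, topic) -> bool:
    """AclAuthorizer decision order: any matching DENY wins, then any matching ALLOW;
    allow.everyone.if.no.acl.found only applies when no ACL at all is bound to the topic."""
    bound = [a for a in acls if a.matches_topic(topic)]
    if not bound:
        return allow_everyone_if_no_acl

    def applies(a: Acl, perm: str) -> bool:
        if a.permission != perm or a.principal not in (principal, "User:*") or a.host not in (host, "*"):
            return False
        if a.operation in (operation, "ALL"):
            return True
        # An ALLOW for READ/WRITE/DELETE/ALTER implicitly grants DESCRIBE.
        return perm == "ALLOW" and operation == "DESCRIBE" and a.operation in ("READ", "WRITE", "DELETE", "ALTER")
    if any(applies(a, "DENY") for a in bound):
        return False
    return any(applies(a, "ALLOW") for a in bound)

INTERNAL_PREFIX = "internal-"  # assumed naming convention for the operator's own topics

# Design A (the answer's recommendation): no DENY rules, ALLOW only what must stay writable.
ALLOW_ONLY = [
    Acl("User:*", "*", "READ", "ALLOW", "LITERAL", "*"),
    Acl("User:*", "*", "WRITE", "ALLOW", "PREFIXED", INTERNAL_PREFIX),
]
# Design B (the question's idea): DENY all writes, then try to carve out the internal prefix.
DENY_ALL_THEN_ALLOW = [
    Acl("User:*", "*", "WRITE", "DENY", "LITERAL", "*"),
    Acl("User:*", "*", "WRITE", "ALLOW", "PREFIXED", INTERNAL_PREFIX),
]

def can_write(acls, topic, principal="User:app", host="10.0.0.5") -> bool:
    # allow.everyone.if.no.acl.found=false is the broker default, so unmatched requests are denied
    return authorize(acls, False, principal, host, "WRITE", topic)
```

Note that the literal "*" READ rule binds to every topic, so the allow.everyone.if.no.acl.found fallback never fires once it exists; the decision then rests entirely on explicit ALLOW rules.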