KSQL Authorization
Describes authorization for Kafka KSQL.
In secure clusters, authorization is enabled by default. In insecure clusters, authorization is disabled by default. Authorization is set in the /opt/mapr/ksql/ksql-<version>/etc/ksql/ksql-server.properties file through the following option:
authorization.enable=[true|false]
Permissions
Permissions grant or deny access to users that run commands and maintain background processes that interact with KSQL internal data and structure information, such as persistent queries, tables, streams, and server configuration. Read permission grants users and groups access to FETCH, SHOW, and DESCRIBE. Modify permission grants users and groups access to ADD, UPDATE, and REMOVE.
Each user or group in a cluster can have no permissions, read permission, modify permission, or both read and modify permission to the KSQL service. By default, all data-fabric cluster users have both read and modify permissions.
Internally, the authorization filter is based on consumeperms and produceperms for the KSQL Kafka store internal stream (/apps/ksql/<service.id>/ksql-commands:ksql-authorization-auxiliary-topic). Consumeperms correspond to the KSQL service read permissions. Produceperms correspond to the KSQL service modify permissions. These permissions can be changed by modifying the ACE of produceperms and consumeperms for /apps/ksql/<service.id>/ksql-commands:ksql-authorization-auxiliary-topic.
The following sections describe KSQL statements that require read and modify access.
Statements that Require Read Access
- DESCRIBE [EXTENDED] ...
- List the columns in a stream or table along with its attributes and information.
- DESCRIBE FUNCTION ...
- Provides a description of a function, including its input parameters and the return type.
- EXPLAIN ...
- Show the execution plan for a SQL expression or, given the ID of a running query, show the execution plan plus additional runtime information and metrics.
- PRINT ...
- Print the contents of Kafka topics to the KSQL CLI.
- SELECT ...
- Selects rows from a KSQL stream or table.
- SHOW ...
- List functions, streams, tables, queries, properties.
- SHOW TOPICS <MAPR_STREAM>
- List topics.
Statements that Require Modify Access
- CREATE STREAM|TABLE ... WITH (...)
- Create a new stream or table with the specified columns and properties.
- CREATE STREAM|TABLE ... [WITH (...)] AS SELECT ...
- Create a new stream or table and continuously write the result of the SELECT query into the stream.
- INSERT INTO ... SELECT ...
- Stream the result of the SELECT query into an existing stream and its underlying topic.
- INSERT INTO ... VALUES ...
- Produce a row into an existing stream or table and its underlying topic based on explicitly specified values.
- DROP STREAM|TABLE [IF EXISTS] ...
- Drops an existing stream or table.
- DROP STREAM|TABLE [IF EXISTS] ... DELETE TOPIC
- Drops an existing stream or table and deletes the underlying topic.
- TERMINATE ...
- Terminate a persistent query.
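The two lists above can be used to pre-check a KSQL script against the permissions a service account holds before it is deployed. The following is an added example, not code from the product: it classifies each statement by its leading keyword (an assumption of this sketch, not a description of the server's filter), treats any statement not listed on this page as denied, and runs on a constructed sample script.

```python
# Leading keywords taken from the two statement lists on this page.
READ = ("DESCRIBE", "EXPLAIN", "PRINT", "SELECT", "SHOW")
MODIFY = ("CREATE", "INSERT", "DROP", "TERMINATE")

def split_statements(script):
    """Split on ';' outside single-quoted literals, skipping '--' comments."""
    out, buf, quoted, i = [], [], False, 0
    while i < len(script):
        ch = script[i]
        if not quoted and script.startswith("--", i):
            nl = script.find("\n", i)
            i = len(script) if nl == -1 else nl
            continue
        if ch == "'":
            quoted = not quoted
        if ch == ";" and not quoted:
            out.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    out.append("".join(buf).strip())
    return [s for s in out if s]

def required_permission(stmt):
    """CREATE ... AS SELECT and INSERT INTO ... SELECT classify as modify,
    because only the leading keyword is inspected."""
    words = stmt.split(None, 1)
    kw = words[0].upper() if words else ""
    if kw in MODIFY:
        return "modify"
    if kw in READ:
        return "read"
    return "unknown"  # not listed on this page; audit() fails closed on it

def audit(script, granted):
    """Return (statement, needed) pairs that the granted set does not cover."""
    return [(s, required_permission(s)) for s in split_statements(script)
            if required_permission(s) not in granted]

# Constructed sample script; stream names are hypothetical.
SAMPLE = """
-- constructed sample
SHOW STREAMS;
describe extended pageviews;
CREATE STREAM big AS SELECT * FROM pageviews WHERE note = 'a;b';
INSERT INTO big SELECT * FROM other;
SET 'auto.offset.reset'='earliest';
"""
```

Calling `audit(SAMPLE, {"read"})` lists the statements a read-only account could not run, which shows whether a script needs modify permission (produceperms) at all.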