I am part of the Lasair team, building a Community Broker. We want to allow anyone to consume (read) our Kafka streams, but not to produce (write). I have looked at the Access Control List infrastructure, which allows wildcards in the user specification, but at the same time it seems to assume that a principal is being defined by SASL/Kerberos or TLS/SSL, and I don’t want to require that consumers have any kind of identity.
Hi @roy, to the best of my knowledge Kafka requires use of user identity as part of its authorization mechanics, so I'm not aware of a simple way to implement what you describe.
Presumably you could publish the username and password for a shared read-only account that would be used by all consumers.
I was wondering if there was a way to have multiple Kafka listeners, and attach read-only access to the un-authenticated listeners — unfortunately I don't think that solution exists. I agree with @ktl's suggestion of a shared account.
The other concern I can think of for anonymous access is consumer groups. You’d want to make sure that independent consumers don’t accidentally use the same consumer group (e.g. by copying docs) and clobber each other’s offsets or partition assignments.
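To make the shared-account suggestion and the consumer-group concern concrete, here is an added example (not from the thread or the Lasair project) that models Kafka's ACL decision rules for a hypothetical shared principal `User:lasair-reader` with Read/Describe on a `lasair` topic prefix, Read on a `lasair-` group prefix, and an explicit Deny on Write, plus a helper that gives each consumer its own group id. The principal, prefixes and topic names are constructed for illustration.

```python
from dataclasses import dataclass
import uuid

# Hypothetical shared read-only principal (constructed for this example).
SHARED_PRINCIPAL = "User:lasair-reader"


@dataclass(frozen=True)
class Acl:
    principal: str      # "User:name", or "User:*" for any authenticated user
    resource_type: str  # "Topic" or "Group"
    name: str           # resource name, or "*" for the literal wildcard
    pattern: str        # "LITERAL" or "PREFIXED"
    operation: str      # "Read", "Write", "Describe", ... or "All"
    permission: str     # "Allow" or "Deny"

    def matches(self, principal, resource_type, name, operation):
        if self.principal not in (principal, "User:*"):
            return False
        if self.resource_type != resource_type:
            return False
        if self.operation not in (operation, "All"):
            return False
        if self.pattern == "PREFIXED":
            return name.startswith(self.name)
        return self.name in (name, "*")


# Bindings that `kafka-acls.sh --add --allow-principal User:lasair-reader ...`
# (with --resource-pattern-type prefixed) would create for the shared account.
READ_ONLY_ACLS = [
    Acl(SHARED_PRINCIPAL, "Topic", "lasair", "PREFIXED", "Read", "Allow"),
    Acl(SHARED_PRINCIPAL, "Topic", "lasair", "PREFIXED", "Describe", "Allow"),
    Acl(SHARED_PRINCIPAL, "Group", "lasair-", "PREFIXED", "Read", "Allow"),
    Acl(SHARED_PRINCIPAL, "Topic", "*", "LITERAL", "Write", "Deny"),
]


def authorize(acls, principal, resource_type, name, operation):
    """Kafka AclAuthorizer rules: a matching Deny wins, then a matching Allow;
    with no match the request is denied (default allow.everyone.if.no.acl.found=false)."""
    hits = [a for a in acls if a.matches(principal, resource_type, name, operation)]
    if any(a.permission == "Deny" for a in hits):
        return False
    return any(a.permission == "Allow" for a in hits)


def consumer_group_id(owner):
    """Unique group id per consumer, so docs-copying consumers never share offsets."""
    return f"lasair-{owner}-{uuid.uuid4().hex[:8]}"
```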