My question: If MSK doesn't allow you to specify Super Users, is there a fault tolerant way to create ACLs to "mimic" a super user like the one specified in: https://repost.aws/questions/QUPLKdkgDPQ_uH8LaLhB8bew/how-to-create-a-super-user-on-msk
It seems fraught with accidental peril. If you start giving a SASL user access to cluster operations one at a time, you'll accidentally lock the Cluster's ACLs entirely.
kafka-acls.sh --bootstrap-server [broker hosts] --add --allow-principal="User:my_super_user" --cluster --operation Describe
Oops! You'll violate the allow.everyone.if.no.acl.found rule. An ACL for the cluster will be found. It'll just only have the one operation. And since the super.users configuration property isn't supported, you're hosed. No matter how many SASL/SCRAM users you make, you've lost any ability to set or change any more ACLs...
This happened to me because I wasn't sure whether, if I specified ALL for the operation, I would suddenly run into trouble with blocking brokers (as the answer to that linked question indicates).
Is the only solution, in this case, to enable IAM, create an IAM policy that allows you to "do anything", update the ACLs, deactivate IAM?
R.I.P super users property if using SASL/SCRAM
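An added example, not from this thread, that models the authorizer decision the question describes: it assumes a simplified Kafka ACL authorizer (super.users, allow.everyone.if.no.acl.found, explicit ALLOW entries only, no DENY and no implied operations) and constructed principal and topic names, and shows why a lone Describe ACL on the cluster locks every SASL principal out of further ACL changes while granting All first does not.

```python
# Constructed model of Kafka's AclAuthorizer decision logic (simplified).
from dataclasses import dataclass, field

CLUSTER = ("cluster", "kafka-cluster")   # Kafka's single CLUSTER resource


@dataclass
class Authorizer:
    allow_everyone_if_no_acl_found: bool = True
    super_users: frozenset = frozenset()       # not configurable on MSK
    acls: set = field(default_factory=set)     # (principal, resource, op)

    def add_acl(self, caller, principal, resource, operation):
        # CreateAcls requires Alter on the CLUSTER resource, so the caller
        # must already be authorized before it can grant anything further.
        if not self.authorize(caller, CLUSTER, "Alter"):
            raise PermissionError(f"{caller} cannot Alter cluster ACLs")
        self.acls.add((principal, resource, operation))

    def authorize(self, principal, resource, operation):
        if principal in self.super_users:          # super users bypass ACLs
            return True
        matching = {a for a in self.acls if a[1] == resource}
        if not matching:            # no ACL at all for this resource
            return self.allow_everyone_if_no_acl_found
        # Only explicit ALLOW entries are modelled; "All" covers every op.
        return any(p == principal and op in (operation, "All")
                   for p, _, op in matching)


def lockout_scenario():
    """The trap: the first cluster ACL is a lone Describe."""
    az = Authorizer()
    az.add_acl("User:admin", "User:my_super_user", CLUSTER, "Describe")
    # The only cluster ACL is now Describe, so no principal holds Alter.
    try:
        az.add_acl("User:my_super_user", "User:my_super_user", CLUSTER, "All")
    except PermissionError:
        return "locked"
    return "ok"


def safe_scenario():
    """Grant All on the cluster first; later ACL changes keep working."""
    az = Authorizer()
    az.add_acl("User:admin", "User:my_super_user", CLUSTER, "All")
    az.add_acl("User:my_super_user", "User:app", ("topic", "orders"), "Read")
    return az.authorize("User:my_super_user", CLUSTER, "Alter")
```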
Thanks Benita, do you know if granting ALL actions (including, then, the CLUSTER actions) has the effect of potentially "blocking brokers" as that linked question I mentioned seems to indicate? Or is that statement no longer true?

I agree that granting ALL operations works... as long as the ACLs don't change for that User... However, that was part of my question. I'm asking how one could recover a cluster if the zookeeper ACLs on the cluster locked out all SASL users (since "super users" can't be defined in MSK)?

1/ I don't see a reason why adding ACLs on cluster actions will cause brokers to be blocked.
2/ Using the zookeeper string to grant principals access will allow you to recover a cluster. Using zookeeper string does not require you to call the APIs as a SASL user. All you need is network access to the zookeeper endpoint.