Managing Apache Kafka® users

Written by

Yandex Cloud

Updated at November 18, 2024

Getting a list of users in a cluster
Creating a user
Changing user settings
Importing users to Terraform
Deleting a user

Users in Apache Kafka®:

Keep the access permissions of data producers and consumers separate.

A producer or consumer can only access topics that are allowed for their users. You can use the same user for multiple producers or consumers: the former get the rights to write data to certain topics and the latter get the read rights.
Manage topics. For more information, see Topics and partitions.

After creating an Apache Kafka® cluster, you can:

Getting a list of users in a cluster

Management console

CLI

API

In the management console, go to the relevant folder.
In the list of services, select Managed Service for Kafka.
Click the cluster name and go to the Users tab.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

To get a list of users, run the following command:

yc managed-kafka user list --cluster-name <cluster_name>

To get detailed information for a specific user, run this command:

yc managed-kafka user get <username> --cluster-name <cluster_name>

To find out the cluster name, get a list of clusters in the folder.

To get a list of users, use the list REST API method for the User resource or the UserService/List gRPC API call and provide the ID of the cluster you need in the clusterId request parameter.

To find out the cluster ID, get a list of clusters in the folder.

Creating a user

Note

Use the CLI, API, or Terraform to create an admin user.

Management console

CLI

Terraform

API

To create a user for a producer or consumer in a cluster:

In the management console, go to the relevant folder.
In the list of services, select Managed Service for Kafka.
Click the cluster name and go to the Users tab.
Click Create user.
Enter your username and password.

Note

The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter or underscore.

The password must be from 8 to 128 characters long.
Grant access permissions for the relevant topics.
Click Create.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

To create a user:

View a description of the CLI create user command:
```
yc managed-kafka user create --help
```

Create a user with the producer role for the producer or the consumer role for the consumer and grant access permissions for the relevant topics:

yc managed-kafka user create <username> \
  --cluster-name <cluster_name> \
  --password <password> \
  --permission topic=<topic_name>,role=<user_role>

To create an admin user to manage cluster topics:

See the description of the create user CLI command:
```
yc managed-kafka user create --help
```

Create a user with the admin role valid for all (*) cluster topics:

yc managed-kafka user create <username> \
  --cluster-name <cluster_name> \
  --password <password> \
  --permission topic=*,role=admin

Note

The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter or underscore.

The password must be from 8 to 128 characters long.

To find out the cluster name, get a list of clusters in the folder.

Open the current Terraform configuration file with an infrastructure plan.

For more information about creating this file, see Creating clusters.
Add the yandex_mdb_kafka_user resource:
```
resource "yandex_mdb_kafka_user" "<username>" {
  cluster_id = "<cluster_ID>"
  name       = "<username>"
  password   = "<password>"
  ...
}
```
Note

The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter or underscore.

The password must be from 8 to 128 characters long.
Grant access permissions for the relevant topics.
Make sure the settings are correct.
1. Using the command line, navigate to the folder that contains the up-to-date Terraform configuration files with an infrastructure plan.
2. Run the command:
```
terraform validate
```
  If there are errors in the configuration files, Terraform will point to them.
Confirm updating the resources.
1. Run the command to view planned changes:
```
terraform plan
```
  If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
2. If you are happy with the planned changes, apply them:
  1. Run the command:
```
terraform apply
```
  2. Confirm the update of resources.
  3. Wait for the operation to complete.

For more information, see the Terraform provider documentation.

Time limits

The Terraform provider limits the amount of time for all Managed Service for Apache Kafka® cluster operations to complete to 60 minutes.

Operations exceeding the set timeout are interrupted.

How do I change these limits?

Add the timeouts block to the cluster description, for example:

resource "yandex_mdb_kafka_cluster" "<cluster_name>" {
  ...
  timeouts {
    create = "1h30m" # 1 hour 30 minutes
    update = "2h"    # 2 hours
    delete = "30m"   # 30 minutes
  }
}

To create a user, use the create REST API method for the User resource or the UserService/Create gRPC API call and provide the following in the request:

Cluster ID in the clusterId parameter. To find out the cluster ID, get a list of clusters in the folder.
User settings in the userSpec parameter:
- Username in the name parameter.
- User password in the password parameter.
- Topic access permissions (one or more permissions parameters, one for each topic):
  - Topic name in the topicName parameter. To find out the name, get a list of cluster topics.
  - Topic access permissions in the role parameter: ACCESS_ROLE_PRODUCER for the producer or ACCESS_ROLE_CONSUMER for the consumer.

To create an admin user to manage cluster topics, provide the following values under permission in the userSpec parameter when creating the user:

topicName: *.
role: ACCESS_ROLE_ADMIN.

Note

The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter or underscore.

The password must be from 8 to 128 characters long.

Changing user settings

Management console

CLI

Terraform

API

In the management console, go to the relevant folder.
In the list of services, select Managed Service for Kafka.
Click the cluster name and go to the Users tab.
Click for the appropriate user and select:
- Change password to enter another password for the user.
- Configure to grant or revoke topic access permissions.
Click Save.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

Using the CLI, you can change a user's password, grant or revoke topic access permissions.

Open the current Terraform configuration file with an infrastructure plan.

For more information about creating this file, see Creating clusters.
In this file, locate the yandex_mdb_kafka_user resource for the user and make the changes.

Using Terraform, you can change a user's password, grant or revoke topic access permissions.

To update user settings, use the update REST API method for the User resource or the UserService/Update gRPC API call and provide the following in the request:

Cluster ID in the clusterId parameter. To find out the cluster ID, get a list of clusters in the folder.
Username in the userName parameter. To find out the name, get a list of users in the cluster.
A list of settings to update (single line, comma-separated) in the updateMask parameter. If you skip this parameter, the API method will reset any user settings that are not explicitly specified in the request to their default values.
New set of permissions to topics (one or more permissions parameters, one for each topic).

Warning

The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask parameter as a single comma-separated string.

You can also use the update method to change a user's password, and the grantPermission and revokePermission methods to grant or revoke topic access permissions.

Changing a user password

Management console

CLI

Terraform

API

In the management console, go to the relevant folder.
In the list of services, select Managed Service for Kafka.
Click the cluster name and go to the Users tab.
Click for the appropriate user and select Change password.
Set a new password and click Edit.

Note

The password must be between 8 and 128 characters.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

To change the user password, run this command:

yc managed-kafka user update <username> \
  --cluster-name <cluster_name> \
  --password <new_password>

Note

The password must be between 8 and 128 characters.

To find out the cluster name, get a list of clusters in the folder.

Open the current Terraform configuration file with an infrastructure plan.

For more information about creating this file, see Creating clusters.
Locate the user's yandex_mdb_kafka_user resource in the file.
Change the value of the password field:
```
resource "yandex_mdb_kafka_user" "<username>" {
  ...
  password = "<password>"
  ...
}
```
Note

The password must be between 8 and 128 characters.
Make sure the settings are correct.
1. Using the command line, navigate to the folder that contains the up-to-date Terraform configuration files with an infrastructure plan.
2. Run the command:
```
terraform validate
```
  If there are errors in the configuration files, Terraform will point to them.
Confirm updating the resources.
1. Run the command to view planned changes:
```
terraform plan
```
  If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
2. If you are happy with the planned changes, apply them:
  1. Run the command:
```
terraform apply
```
  2. Confirm the update of resources.
  3. Wait for the operation to complete.

For more information, see the Terraform provider documentation.

Time limits

The Terraform provider limits the amount of time for all Managed Service for Apache Kafka® cluster operations to complete to 60 minutes.

Operations exceeding the set timeout are interrupted.

How do I change these limits?

Add the timeouts block to the cluster description, for example:

resource "yandex_mdb_kafka_cluster" "<cluster_name>" {
  ...
  timeouts {
    create = "1h30m" # 1 hour 30 minutes
    update = "2h"    # 2 hours
    delete = "30m"   # 30 minutes
  }
}

To update a user's password, use the update REST API method for the User resource or the UserService/Update gRPC API call and provide the following in the request:

Cluster ID in the clusterId parameter. To find out the cluster ID, get a list of clusters in the folder.
Username in the userName parameter. To find out the name, get a list of users in the cluster.
New user password in the password parameter.
Name of the password setting in the updateMask parameter.

Note

The password must be between 8 and 128 characters.

Warning

Granting user permissions

Note

Permissions granted to the user for a topic remain even after the topic is deleted. If, after deleting a topic, you don't revoke the permissions, then, when you create a topic with the same name, the user will have access to it even if you don't explicitly assign them new permissions.

Management console

CLI

Terraform

API

In the management console, go to the relevant folder.
In the list of services, select Managed Service for Kafka.
Select the cluster.
Go to the Users tab.
Click for the user you need to issue topic permissions to and select Configure.
Click Add topic. If there is no such button, it means that the user got permissions for all existing cluster topics.

If the user does not need permissions to certain topics, you can revoke them.
Select the appropriate topic from the drop-down list or enter its name:
1. Specify the following in the Topic field:
  - * to allow access to any topics.
  - Full topic name to allow access to a specific topic.
  - <prefix>* to grant access to topics whose names start with the specified prefix. Let's assume you have topics named topic_a1, topic_a2, and a3. If you specify topic*, access will be granted for topic_a1 and topic_a2.
2. Click Add topic.
Click the icon in the Roles column for the topic you need and select a role:
- ACCESS_ROLE_CONSUMER: Access to the topic will be allowed to consumers logged in as this user.
- ACCESS_ROLE_PRODUCER: Access to the topic will be allowed to producers logged in as this user.
- ACCESS_ROLE_ADMIN: Only available if access to all topics is selected.
You can select the ACCESS_ROLE_CONSUMER and ACCESS_ROLE_PRODUCER roles at the same time to make the user suitable for both producers and consumers.

The user also gains access to data schema subjects. The availability of subjects depends on the specified roles and topics. For more information, see Managed Schema Registry subjects.
To grant permissions to other topics, repeat the steps.
(Optional) If you granted permissions for a topic accidentally, revoke them.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

To grant user permissions:

Retrieve a list of cluster topics:

yc managed-kafka topic list --cluster-name <cluster_name>

Grant access permissions for required topics by providing the --permission parameters:
```
yc managed-kafka user update <username> \
  --cluster-name <cluster_name> \
  --permission topic=<topic_name>,role=<user_role>
```
The following --permission parameters are available:
- topic: Name of the topic to issue permissions for.
  
  If the user does not need permissions to certain topics, you can revoke them.
- role: User’s role, producer, consumer, or admin.
  
  The admin role is only available if all topics are selected topic=*).
When you update user permissions, existing permissions get revoked and replaced with new ones. This means the command must always include a complete list of permissions to be assigned to the user.

For example, to grant permissions to a user named test-user in the kafka-cli cluster for the topic2 topic with the producer role, while keeping the existing topic1 permissions, run this command:
```
yc managed-kafka user update test-user \
  --cluster-name kafka-cli \
  --permission topic=topic1,role=consumer \
  --permission topic=topic2,role=producer
```
Along with access to the topic, users also gain access to data schema subjects. The availability of subjects depends on the specified roles and topics. For more information, see Managed Schema Registry subjects.

To find out the cluster name, get a list of clusters in the folder.

Open the current Terraform configuration file with an infrastructure plan.

For more information about creating this file, see Creating clusters.
Locate the user's yandex_mdb_kafka_cluster resource in the file.
Add the permission section:
```
resource "yandex_mdb_kafka_user" "<username>" {
  ...
  permission {
    topic_name = "<topic>"
    role       = "<user's_role>"
  }
}
```
Where:
- topic_name: Topic name. Specify the following:
  - * to allow access to any topics.
  - Full topic name to allow access to a specific topic.
  - <prefix>* to grant access to topics whose names start with the specified prefix. Let's assume you have topics named topic_a1, topic_a2, and a3. If you specify topic*, access will be granted for topic_a1 and topic_a2.
- role: User’s role, ACCESS_ROLE_CONSUMER, ACCESS_ROLE_PRODUCER, or ACCESS_ROLE_ADMIN. The ACCESS_ROLE_ADMIN role is only available if all topics are selected (topic_name = "*").
Along with access to the topic, users also gain access to data schema subjects. The availability of subjects depends on the specified roles and topics. For more information, see Managed Schema Registry subjects.

If the user does not need permissions to certain topics, you can revoke them.
Make sure the settings are correct.
1. Using the command line, navigate to the folder that contains the up-to-date Terraform configuration files with an infrastructure plan.
2. Run the command:
```
terraform validate
```
  If there are errors in the configuration files, Terraform will point to them.
Confirm updating the resources.
1. Run the command to view planned changes:
```
terraform plan
```
  If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
2. If you are happy with the planned changes, apply them:
  1. Run the command:
```
terraform apply
```
  2. Confirm the update of resources.
  3. Wait for the operation to complete.

For more information, see the Terraform provider documentation.

Time limits

The Terraform provider limits the amount of time for all Managed Service for Apache Kafka® cluster operations to complete to 60 minutes.

Operations exceeding the set timeout are interrupted.

How do I change these limits?

Add the timeouts block to the cluster description, for example:

resource "yandex_mdb_kafka_cluster" "<cluster_name>" {
  ...
  timeouts {
    create = "1h30m" # 1 hour 30 minutes
    update = "2h"    # 2 hours
    delete = "30m"   # 30 minutes
  }
}

To grant user permissions, use the grantPermission REST API method for the User resource or the UserService/GrantPermission gRPC API call and provide the following in the request:

Cluster ID in the clusterId parameter. To find out the cluster ID, get a list of clusters in the folder.
Username in the userName parameter. To find out the name, get a list of users in the cluster.
New permission for the topic in the permission parameter.

Along with access to the topic, users also gain access to data schema subjects. The availability of subjects depends on the specified roles and topics. For more information, see Managed Schema Registry subjects.

Revoking user permissions

If you revoke the ACCESS_ROLE_ADMIN role from the admin user in a cluster, you will no longer be able to manage topics. Do not revoke this role without first granting it to another user.

Management console

CLI

Terraform

API

In the management console, go to the relevant folder.
In the list of services, select Managed Service for Kafka.
Select the cluster.
Go to the Users tab.
Click for the appropriate user and select Configure.
Find the appropriate topic in the list of topics.
Delete the role you no longer need: click the icon next to its name. To revoke all permissions for a topic, delete it from the list: hover over the topic name and click at the end of the line.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

To revoke access permissions for specific topics, provide an updated list of --permission parameters:

yc managed-kafka user update <username> \
  --cluster-name <cluster_name> \
  --permission topic=<topic_name>,role=<user's_role>

When you update user permissions, existing permissions get revoked and replaced with new ones. This means the command must always include a complete list of permissions to be assigned to the user.

The --permission flag must include at least one topic-role pair, where:

topic: Topic name.
role: User’s role, producer, consumer, or admin.

To find out the cluster name, get a list of clusters in the folder.

To revoke all the permissions granted to the user, use the console or delete the user.

Open the current Terraform configuration file with an infrastructure plan.

For more information about creating this file, see Creating clusters.
Locate the user's yandex_mdb_kafka_user resource in the file.
Edit or delete the permission section.
Make sure the settings are correct.
1. Using the command line, navigate to the folder that contains the up-to-date Terraform configuration files with an infrastructure plan.
2. Run the command:
```
terraform validate
```
  If there are errors in the configuration files, Terraform will point to them.
Confirm updating the resources.
1. Run the command to view planned changes:
```
terraform plan
```
  If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
2. If you are happy with the planned changes, apply them:
  1. Run the command:
```
terraform apply
```
  2. Confirm the update of resources.
  3. Wait for the operation to complete.

For more information, see the Terraform provider documentation.

Time limits

The Terraform provider limits the amount of time for all Managed Service for Apache Kafka® cluster operations to complete to 60 minutes.

Operations exceeding the set timeout are interrupted.

How do I change these limits?

Add the timeouts block to the cluster description, for example:

resource "yandex_mdb_kafka_cluster" "<cluster_name>" {
  ...
  timeouts {
    create = "1h30m" # 1 hour 30 minutes
    update = "2h"    # 2 hours
    delete = "30m"   # 30 minutes
  }
}

To revoke user permissions, use the revokePermission REST API method for the User resource or the UserService/RevokePermission gRPC API call and provide the following in the request:

Cluster ID in the clusterId parameter. To find out the cluster ID, get a list of clusters in the folder.
Username in the userName parameter. To find out the name, get a list of users in the cluster.
The topic permission to be revoked in the permission parameter.

Importing users to Terraform

Using import, you can bring the existing cluster users under Terraform management.

Terraform

In the Terraform configuration file, specify the user you want to import:
```
resource "yandex_mdb_kafka_user" "<username>" {}
```
Run the following command to import the user:
```
terraform import yandex_mdb_kafka_user.<username> <cluster_ID>:<username>
```
To learn more about importing users, see the Terraform provider documentation.

Deleting a user

If you delete the admin user with the ACCESS_ROLE_ADMIN role in a cluster, you will no longer be able to manage topics. To avoid this, assign this role to another user before deleting the admin user.

Management console

CLI

Terraform

API

In the management console, go to the relevant folder.
In the list of services, select Managed Service for Kafka.
Click the cluster name and go to the Users tab.
Click for the appropriate user and select Delete.
In the window that opens, click Delete.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

To remove a user, run:

yc managed-kafka user delete <username> --cluster-name <cluster_name>

To find out the cluster name, get a list of clusters in the folder.

Open the current Terraform configuration file with an infrastructure plan.

For more information about creating this file, see Creating clusters.
Delete the user's yandex_mdb_kafka_user resource.
Make sure the settings are correct.
1. Using the command line, navigate to the folder that contains the up-to-date Terraform configuration files with an infrastructure plan.
2. Run the command:
```
terraform validate
```
  If there are errors in the configuration files, Terraform will point to them.
Confirm updating the resources.
1. Run the command to view planned changes:
```
terraform plan
```
  If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
2. If you are happy with the planned changes, apply them:
  1. Run the command:
```
terraform apply
```
  2. Confirm the update of resources.
  3. Wait for the operation to complete.

For more information, see the Terraform provider documentation.

Time limits

The Terraform provider limits the amount of time for all Managed Service for Apache Kafka® cluster operations to complete to 60 minutes.

Operations exceeding the set timeout are interrupted.

How do I change these limits?

Add the timeouts block to the cluster description, for example:

resource "yandex_mdb_kafka_cluster" "<cluster_name>" {
  ...
  timeouts {
    create = "1h30m" # 1 hour 30 minutes
    update = "2h"    # 2 hours
    delete = "30m"   # 30 minutes
  }
}

To delete a user, use the delete REST API method for the User resource or the UserService/Delete gRPC API call and provide the following in the request:

Cluster ID in the clusterId parameter. To find out the cluster ID, get a list of clusters in the folder.
Name of the user to delete in the userName parameter. To find out the name, get a list of users in the cluster.

Managing Apache Kafka® users

Getting a list of users in a clusterGetting a list of users in a cluster

Creating a userCreating a user

Changing user settingsChanging user settings

Changing a user passwordChanging a user password

Granting user permissionsGranting user permissions

Revoking user permissionsRevoking user permissions

Importing users to TerraformImporting users to Terraform

Deleting a userDeleting a user

Was the article helpful?

Getting a list of users in a cluster

Creating a user

Changing user settings

Changing a user password

Granting user permissions

Revoking user permissions

Importing users to Terraform

Deleting a user