KSQL Authorization

Describes authorization for Kafka KSQL.

In secure clusters, authorization is enabled by default. In insecure clusters, authorization is disabled by default.

You can enable or disable authorization for KSQL in the /opt/mapr/ksql/ksql-<version>/etc/ksql/ksql-server.properties file through the following option:
authorization.enable=[true|false]

Permissions

Permissions grant or deny access to users that run commands and maintain background processes that interact with KSQL internal data and structure information, such as persistent queries, tables, streams, and server configuration. Read permission grants users and groups access to FETCH, SHOW, and DESCRIBE. Modify permission grants users and groups access to ADD, UPDATE, and REMOVE.

Each user or group in a cluster can have no permissions, read permission, modify permission, or both read and modify permission to the KSQL service. By default, all data-fabric cluster users have both read and modify permissions.

Internally, the authorization filter is based on consumeperms and produceperms for the KSQL Kafka store internal stream (/apps/ksql/<service.id>/ksql-commands:ksql-authorization-auxiliary-topic). Consumeperms correspond to the KSQL service read permissions. Produceperms correspond to the KSQL service modify permissions. These permissions can be changed by modifying the ACE of produceperms and consumeperms for /apps/ksql/<service.id>/ksql-commands:ksql-authorization-auxiliary-topic.

The following sections describe KSQL statements that require read and modify access.

Statements that Require Read Access

DESCRIBE [EXTENDED] ...
List the columns in a stream or table along with its attributes and information.
DESCRIBE FUNCTION ...
Provides a description of a function, including its input parameters and return type.
EXPLAIN ...
Show the execution plan for a SQL expression or, given the ID of a running query, show the execution plan plus additional runtime information and metrics.
PRINT ...
Print the contents of Kafka topics to the KSQL CLI.
SELECT ...
Selects rows from a KSQL stream or table.
SHOW ...
List functions, streams, tables, queries, properties.
SHOW TOPICS <MAPR_STREAM>
List topics.

Statements that Require Modify Access

CREATE STREAM|TABLE ... WITH (...)
Create a new stream or table with the specified columns and properties.
CREATE STREAM|TABLE ... [WITH (...)] AS SELECT ...
Create a new stream or table and continuously write the result of the SELECT query into the stream.
INSERT INTO ... SELECT ...
Stream the result of the SELECT query into an existing stream and its underlying topic.
INSERT INTO ... VALUES ...
Produce a row into an existing stream or table and its underlying topic based on explicitly specified values.
DROP STREAM|TABLE [IF EXISTS] ...
Drops an existing stream or table.
DROP STREAM|TABLE [IF EXISTS] ... DELETE TOPIC
Drops an existing stream or table and deletes the underlying topic.
TERMINATE ...
Terminate a persistent query.
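
A pre-deployment check built on the two statement lists above, as an added example that is not part of the original documentation: it reports which permissions a KSQL script needs and which statements a given grant would reject. The function names and the sample script are constructed for illustration; the check assumes each statement needs only the permission this page lists it under, and statements not listed here (such as SET) are returned for manual review instead of being guessed.

```python
# Added example: least-privilege check for a KSQL script (names are hypothetical).
# Leading keyword -> permission, taken from the two statement lists on this page.
READ = {"DESCRIBE", "EXPLAIN", "PRINT", "SELECT", "SHOW"}
MODIFY = {"CREATE", "INSERT", "DROP", "TERMINATE"}

def split_statements(script):
    """Split on ';' outside single-quoted literals, dropping '--' comments."""
    out, buf, in_str, i = [], [], False, 0
    while i < len(script):
        ch = script[i]
        if ch == "'":
            in_str = not in_str
        elif not in_str and script.startswith("--", i):
            nl = script.find("\n", i)
            i = len(script) if nl == -1 else nl
            continue
        elif not in_str and ch == ";":
            out.append("".join(buf).strip())
            buf, i = [], i + 1
            continue
        buf.append(ch)
        i += 1
    out.append("".join(buf).strip())
    return [s for s in out if s]

def required_permission(stmt):
    """Map a statement to 'read', 'modify', or 'unknown' (not listed on this page)."""
    kw = stmt.split(None, 1)[0].upper()
    return "read" if kw in READ else "modify" if kw in MODIFY else "unknown"

def audit(script, granted):
    """Return (needed permissions, denied statements, statements to review)."""
    needed, denied, unknown = set(), [], []
    for stmt in split_statements(script):
        perm = required_permission(stmt)
        if perm == "unknown":
            unknown.append(stmt)
            continue
        needed.add(perm)
        if perm not in granted:
            denied.append(stmt)
    return needed, denied, unknown

# Constructed sample script; stream and query names are made up.
SAMPLE = """-- nightly job
SHOW STREAMS;
CREATE STREAM alerts AS SELECT * FROM events WHERE msg = 'a;b';
describe extended alerts;
SET 'auto.offset.reset' = 'earliest';
TERMINATE CSAS_ALERTS_0;
"""
```

Calling `audit(SAMPLE, {"read"})` shows that a read-only account would be refused the CREATE and TERMINATE statements, so the script needs both permissions.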