Creating a credential for Event Endpoint Management

IBM Event Endpoint Management requires Read access to the Kafka topics you want to socialize, and no higher level of access is recommended.

Authorization to Kafka resources is managed by Kafka Access Control Lists (ACLs). See IBM Developer for an introduction to Kafka ACLs.

The following sections guide you through creating a credential that grants Read access in each of the following Kafka distributions, and also describe how to provide the generated credential to your API:

IBM Event Streams

IBM Event Streams provides a simple wizard to create credentials with defined Kafka ACLs. Because IBM Event Streams incorporates Strimzi, these Kafka ACLs are represented as a KafkaUser. A KafkaUser is a Kubernetes custom resource managed by Event Streams. When configured, the KafkaUser creates ACLs in the Kafka cluster that Event Streams manages, and generates a Kubernetes secret containing the credential to use when connecting to your cluster.

Use the wizard as follows to create a credential with the required permissions for Event Endpoint Management.

Important: To create a credential with Event Streams for Event Endpoint Management, ensure you have at least one listener configured with scram-sha-512 authentication.

  1. Log in to the Event Streams UI.

  2. Click the Connect to this cluster tile, and click Generate SCRAM credentials next to the listener you want Event Endpoint Management to connect to. This launches the wizard to create a credential.

    Screen capture: Generate SCRAM credentials in the Connect to this cluster slide-out
  3. Define the name of the credential (for example, eem-weather-data), the permissions to grant it (consume only), and click Next.

    Screen capture: Credential name and permissions
  4. Specify the topic that this credential allows access to (in this example, only the topic weather-data), and click Next.

    Screen capture: Topic the credential applies to
  5. You can choose to restrict consumer group access. At this stage, allow all consumer groups to have access, and click Next.

    Screen capture: Consumer group access for the credential
  6. No transactional IDs are required, so complete the wizard by clicking Generate credentials.

    Screen capture: Completing the wizard
  7. After completing the wizard, a KafkaUser and a Kubernetes secret are generated, containing the credential for Event Endpoint Management. The generated username and password are presented on screen ready for you to use. Make a note of both of these values.

    Screen capture: Generated credential in Event Streams
  8. Provide the generated credentials when creating an API or editing an existing API, so that when the API is published, the Event Gateway Service can use the credentials to connect to your Kafka cluster.

Note: After creating an API in Event Endpoint Management, you can further restrict consumer group access so that only consumer groups associated with your Event Endpoint Management API can consume with this credential.

Strimzi

Strimzi provides a KafkaUser to manage access to Kafka resources. A KafkaUser is a custom resource that creates ACLs in the Kafka cluster managed by Strimzi, and generates a Kubernetes secret containing the credential to use when connecting to Kafka. In this case, the generated credential is the one Event Endpoint Management uses to access the Kafka cluster.

  1. Go to the OpenShift Container Platform UI, locate your Strimzi operator, and create a KafkaUser by clicking the Kafka User tab, and then clicking Create KafkaUser.

    Screen capture: Creating a KafkaUser in OpenShift
  2. Configure a KafkaUser to use with Event Endpoint Management. Enter a Name, which becomes the username for this credential (in this example, eem-weather-data). This is the username you provide to Event Endpoint Management when creating or editing your API.

    Note: The only supported Strimzi Authentication option compatible with Event Endpoint Management is scram-sha-512.

  3. Modify the ACLs associated with this KafkaUser by using the YAML view to edit the authorization.acls configuration.

    Screen capture: Initial ACLs
  4. As shown in the previous screen capture, the initial KafkaUser is populated with placeholder Kafka ACL configuration that grants Create, Describe, Read, and Write on the topic my-topic and the consumer group my-group. Use the YAML editor to update the configuration so that it grants only Read access to your topic (in this example, weather-data) and Read access to any consumer group, as shown in the following screen capture.

    Screen capture: Final ACLs
  5. Click Create to create the KafkaUser. When the KafkaUser is created and ready, the following is displayed.

    Screen capture: Created KafkaUser
  6. When the KafkaUser is created, a secret containing the required credentials is also generated. To view the secret, click the name of the KafkaUser, and then go to the Resources tab.

    Screen capture: Locating the created secret
  7. The name of the secret is the Username that you provide to Event Endpoint Management. Make a note of the username. To retrieve the Password, click the secret, go to the Data section, and copy the password value.

    Screen capture: Locating the password
  8. Provide the generated credentials when creating an API or editing an existing API, so that when the API is published, the Event Gateway Service can use the credentials to connect to your Kafka cluster.

Note: After creating an API in Event Endpoint Management, you can further restrict consumer group access so that only consumer groups associated with your Event Endpoint Management API can consume with this credential.
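As an added example that is not part of the IBM documentation, the following Strimzi KafkaUser manifest is the least-privilege equivalent of what the Event Streams wizard and the Strimzi YAML steps above produce: SCRAM-SHA-512 authentication, Read on the single topic weather-data, and Read on any consumer group. The cluster label value my-cluster is an assumption; replace it with the name of your Kafka resource.

```yaml
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  # The resource name becomes the SCRAM username and the name of the generated secret.
  name: eem-weather-data
  labels:
    # Assumption: the Kafka custom resource in this namespace is called my-cluster.
    strimzi.io/cluster: my-cluster
spec:
  authentication:
    # The only authentication type supported with Event Endpoint Management.
    type: scram-sha-512
  authorization:
    type: simple
    acls:
      # Read on exactly one topic. The placeholder ACLs (Create/Describe/Read/Write
      # on my-topic) are deliberately dropped: Event Endpoint Management only consumes.
      - resource:
          type: topic
          name: weather-data
          patternType: literal
        operation: Read
        host: "*"
      # Read on any consumer group. To restrict this later, replace "*" with the
      # group name used by your API (a placeholder here; take it from the API).
      - resource:
          type: group
          name: "*"
          patternType: literal
        operation: Read
        host: "*"
```

Once the operator has reconciled the KafkaUser, the secret of the same name in that namespace holds the password under the `password` key, which is what step 7 copies from the Data section.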