Enable the AclAuthorizer by setting authorizer.class.name=kafka.security.authorizer.AclAuthorizer in server.properties and restart brokers
Grant a producer principal WRITE and DESCRIBE on the target topic: kafka-acls.sh --bootstrap-server localhost:9092 --add --allow-principal User:producer-svc --operation Write --operation Describe --topic my-topic
Grant a consumer principal READ on the topic and DESCRIBE on its consumer group. Use two separate commands, because kafka-acls.sh binds every --operation to every resource given in one invocation: kafka-acls.sh --bootstrap-server localhost:9092 --add --allow-principal User:consumer-svc --operation Read --topic my-topic, then kafka-acls.sh --bootstrap-server localhost:9092 --add --allow-principal User:consumer-svc --operation Describe --group my-group
Add an explicit DENY to block a specific user from a host: kafka-acls.sh --bootstrap-server localhost:9092 --add --deny-principal User:badactor --deny-host 198.51.100.3 --operation Read --topic my-topic
List current ACLs to verify: kafka-acls.sh --bootstrap-server localhost:9092 --list --topic my-topic
Remove an ACL by replacing --add with --remove and supplying the same principal/operation/resource flags
Known gotchas
DENY ACLs take precedence over ALLOW ACLs, so an explicit deny for User:* blocks every principal except those listed in the broker's super.users property; super users bypass ACL evaluation entirely
Wildcard principal User:* matches all users, including unauthenticated (User:ANONYMOUS) ones on listeners that accept them; separately, allow.everyone.if.no.acl.found=true opens every resource that has no ACL at all to everyone, so keep that property false in production
ACL changes are propagated via ZooKeeper or the KRaft metadata log; there can be a short propagation delay before all brokers enforce the new rule
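To make the commands above and the gotchas concrete, here is an added model (written for this page, not Kafka's own code) of the order in which AclAuthorizer decides a request: super.users bypass everything, any matching DENY wins, an ALLOW on Read/Write/Delete/Alter implies Describe, and a resource with no ACL at all falls back to allow.everyone.if.no.acl.found. The ACL set is constructed from the kafka-acls.sh commands on this page plus a User:* Read allow and a hypothetical User:admin super user.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Acl:
    principal: str   # "User:alice", or "User:*" to match every principal
    host: str        # one IP, or "*" for any host
    operation: str   # Read, Write, Describe, All, ...
    permission: str  # "ALLOW" or "DENY"
    resource: str    # "topic:my-topic", "group:my-group", or wildcard "topic:*"

IMPLIES_DESCRIBE = {"Read", "Write", "Delete", "Alter"}  # ALLOW on these implies Describe

def patterns(resource):
    """Resource patterns an ACL can be bound to: the literal name or the type wildcard."""
    return (resource, resource.split(":", 1)[0] + ":*")

class AclAuthorizer:
    def __init__(self, acls, super_users=(), allow_everyone_if_no_acl=False):
        self.acls, self.super_users = list(acls), set(super_users)
        self.allow_everyone_if_no_acl = allow_everyone_if_no_acl

    def _matches(self, acl, principal, host, operation, resource, permission):
        ops = {operation, "All"}
        if permission == "ALLOW" and operation == "Describe":
            ops |= IMPLIES_DESCRIBE
        return (acl.permission == permission
                and acl.principal in (principal, "User:*")
                and acl.host in (host, "*")
                and acl.operation in ops
                and acl.resource in patterns(resource))

    def authorize(self, principal, host, operation, resource):
        if principal in self.super_users:
            return True  # super.users bypass ACL evaluation entirely, DENY included
        bound = [a for a in self.acls if a.resource in patterns(resource)]
        if not bound:
            return self.allow_everyone_if_no_acl  # resource has no ACL at all
        if any(self._matches(a, principal, host, operation, resource, "DENY") for a in bound):
            return False  # any matching DENY wins over every ALLOW
        return any(self._matches(a, principal, host, operation, resource, "ALLOW") for a in bound)

# Constructed ACLs mirroring the commands above, plus a User:* Read ALLOW that the host DENY overrides.
PAGE_ACLS = [
    Acl("User:producer-svc", "*", "Write", "ALLOW", "topic:my-topic"),
    Acl("User:consumer-svc", "*", "Read", "ALLOW", "topic:my-topic"),
    Acl("User:consumer-svc", "*", "Describe", "ALLOW", "group:my-group"),
    Acl("User:*", "*", "Read", "ALLOW", "topic:my-topic"),
    Acl("User:badactor", "198.51.100.3", "Read", "DENY", "topic:my-topic"),
]
AUTHZ = AclAuthorizer(PAGE_ACLS, super_users={"User:admin"})
```

Running AUTHZ.authorize against the cases from the gotchas (badactor from the denied host versus another host, a super user against a User:* deny, a topic with no ACL) shows each rule in isolation.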