UI for Kafka which uses SASL accounts (Part 1)

As we all know Kafka is a fantastic tool, which you can use to do some transformative things in your organization. As you start using Kafka, everyone starts running it without security, but eventually they realize the need for security. For instance you may want to allow certain users to write to a subset of topics, but not every topic. Similarly you might want certain users to read only a certain set of topics and not every topic. Kafka traditionally implements this with SASL authentication and ACLs. So you create several SASL accounts like so and create ACLs for them. This is a great strategy and all the clients i work with, use this. The only problem i see with this, is that there is no User Interface to Kafka, which can use these SASL accounts. Imagine there was a User Interface which could accept the SASL accounts as logins and then display the topics and messages for that particular SASL account. That can solve a lot of issues many companies face when using Kafka. For instance they don’t want every developer to see all the messages in every topic, since some of these topics might hold confidential data. For this purpose i created the Kafka Web UI tool which i will be going over in this blog.

Kafka Web UI walkthrough

The main purpose of the Kafka Web UI is to allow SASL accounts as login. When you open the UI you will get a login screen where you will enter a SASL account userId, password.

Once you login you will see topics which this SASL user is permitted to see. Refer this on how to use ACLs to restrict SASL account to view only certain topics.

Clock on any topic to expand it and you will see that partitions under this topic.

Click on any partition and you will see the messages inside the partition.

You can do a text search in the messages that are on the screen. To retrieve more messages on the screen increase the max messages from 100 to your desired number.

How to run Kafka Web UI ?

Now that we have gone through what Kafka Web UI can do let’s go over on how to set it up. You can run it in two ways.

• You can build a jar from the source and then run it on a machine with java.
• The other way is to run a docker container using this image.

Both the ways are explained in detail in the Github repo. They need a set of environment variables which is used by the container/jar to connect to the Kafka broker.

You can use this tool to view both JSON and AVRO messages. To view AVRO messages you will need to configure the schema registry URL details. Refer the environment variables to do so.

Please feel free to use it or improve it by collaborating using pull requests or reporting issues.

In the next part of this blog we will talk about using LDAP/AD to login instead of direct SASL accounts.