{"id":25257548,"url":"https://github.com/michelin/ns4kafka","last_synced_at":"2025-04-06T11:08:57.728Z","repository":{"id":37925163,"uuid":"344746548","full_name":"michelin/ns4kafka","owner":"michelin","description":"Namespaces for Apache Kafka.","archived":false,"fork":false,"pushed_at":"2025-03-29T02:30:48.000Z","size":3077,"stargazers_count":79,"open_issues_count":13,"forks_count":11,"subscribers_count":10,"default_branch":"master","last_synced_at":"2025-03-30T10:06:54.126Z","etag":null,"topics":["cluster-management","git-ops","gitops","kafka","kafka-acls","kafka-broker","kafka-connect","kafka-topics","kubernetes","namespace","schema-registry"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/michelin.png","metadata":{"files":{"readme":"README.md","changelog":"changelog-builder.json","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-03-05T08:37:58.000Z","updated_at":"2025-03-29T02:30:51.000Z","dependencies_parsed_at":"2023-10-03T15:06:47.881Z","dependency_job_id":"b548bf5d-9e71-4b0d-8530-15c5b1ce8949","html_url":"https://github.com/michelin/ns4kafka","commit_stats":null,"previous_names":[],"tags_count":37,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/michelin%2Fns4kafka","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/michelin%2Fns4kafka/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/michelin%2Fns4kafka/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/G
itHub/repositories/michelin%2Fns4kafka/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/michelin","download_url":"https://codeload.github.com/michelin/ns4kafka/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247471520,"owners_count":20944158,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cluster-management","git-ops","gitops","kafka","kafka-acls","kafka-broker","kafka-connect","kafka-topics","kubernetes","namespace","schema-registry"],"created_at":"2025-02-12T06:49:03.084Z","updated_at":"2025-04-06T11:08:57.705Z","avatar_url":"https://github.com/michelin.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\r\n\r\n\u003cimg src=\".readme/logo.svg\" alt=\"Ns4Kafka\"/\u003e\r\n\r\n# Ns4Kafka\r\n\r\n[![GitHub Build](https://img.shields.io/github/actions/workflow/status/michelin/ns4kafka/build.yml?branch=master\u0026logo=github\u0026style=for-the-badge)](https://img.shields.io/github/actions/workflow/status/michelin/ns4kafka/build.yml)\r\n[![GitHub release](https://img.shields.io/github/v/release/michelin/ns4kafka?logo=github\u0026style=for-the-badge)](https://github.com/michelin/ns4kafka/releases)\r\n[![GitHub Stars](https://img.shields.io/github/stars/michelin/ns4kafka?logo=github\u0026style=for-the-badge)](https://github.com/michelin/ns4kafka)\r\n[![Docker 
Pulls](https://img.shields.io/docker/pulls/michelin/ns4kafka?label=Pulls\u0026logo=docker\u0026style=for-the-badge)](https://hub.docker.com/r/michelin/ns4kafka/tags)\r\n[![SonarCloud Coverage](https://img.shields.io/sonar/coverage/michelin_ns4kafka?logo=sonarcloud\u0026server=https%3A%2F%2Fsonarcloud.io\u0026style=for-the-badge)](https://sonarcloud.io/component_measures?id=michelin_ns4kafka\u0026metric=coverage\u0026view=list)\r\n[![SonarCloud Tests](https://img.shields.io/sonar/tests/michelin_ns4kafka/master?server=https%3A%2F%2Fsonarcloud.io\u0026style=for-the-badge\u0026logo=sonarcloud)](https://sonarcloud.io/component_measures?metric=tests\u0026view=list\u0026id=michelin_kstreamplify)\r\n[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg?logo=apache\u0026style=for-the-badge)](https://opensource.org/licenses/Apache-2.0)\r\n\r\n[Download](#download) • [Install](#install) • [Kafkactl](https://github.com/michelin/kafkactl)\r\n\r\nNamespaces for Apache Kafka.\r\n\r\nNs4Kafka brings a namespace-based deployment model for Kafka resources, inspired by Kubernetes best practices.\r\n\r\n\u003c/div\u003e\r\n\r\n## Table of Contents\r\n\r\n* [Principles](#principles)\r\n    * [Namespace Isolation](#namespace-isolation)\r\n    * [Desired State](#desired-state)\r\n    * [Server Side Validation](#server-side-validation)\r\n    * [CLI](#cli)\r\n* [Download](#download)\r\n* [Install](#install)\r\n* [Demo Environment](#demo-environment)\r\n* [Configuration](#configuration)\r\n    * [Authentication](#authentication)\r\n      * [Methods](#methods)\r\n        * [Basic Authentication](#basic-authentication)\r\n        * [JWT Bearer](#jwt-bearer)\r\n      * [ID Providers](#id-providers)\r\n        * [Local Users](#local-users)\r\n        * [GitLab](#gitlab)\r\n    * [Kafka Broker](#kafka-broker)\r\n    * [Security](#security)\r\n    * [Stream Catalog](#stream-catalog)\r\n    * [Managed Kafka Clusters](#managed-kafka-clusters)\r\n    * [AKHQ](#akhq)\r\n    * 
[Sensitive Endpoints](#sensitive-endpoints)\r\n* [RapiDoc](#rapidoc)\r\n* [Administration](#administration)\r\n* [Contribution](#contribution)\r\n\r\n## Principles\r\n\r\nNs4Kafka is an API that provides controllers for listing, creating, and deleting various Kafka resources, including\r\ntopics, connectors, schemas, and Kafka Connect clusters. The solution is built on several principles.\r\n\r\n### Namespace Isolation\r\n\r\nNs4Kafka implements the concept of namespaces, which enable encapsulation of Kafka resources within specific namespaces.\r\nEach namespace can only view and manage the resources that belong to it, with other namespaces being isolated from each\r\nother. This isolation is achieved by assigning ownership of names and prefixes to specific namespaces.\r\n\r\n### Desired State\r\n\r\nWhenever you deploy a Kafka resource using Ns4Kafka, the solution saves it to a dedicated topic and synchronizes the\r\nKafka cluster to ensure that the resource's desired state is achieved.\r\n\r\n### Server Side Validation\r\n\r\nNs4Kafka allows you to apply customizable validation rules to ensure that your resources are configured with the\r\nappropriate values.\r\n\r\n### CLI\r\n\r\nNs4Kafka includes [Kafkactl](https://github.com/michelin/kafkactl), a command-line interface (CLI) that enables you to\r\ndeploy your Kafka resources 'as code' within your namespace using YAML descriptors. 
This tool can also be used in\r\ncontinuous integration/continuous delivery (CI/CD) pipelines.\r\n\r\n## Download\r\n\r\nYou can download Ns4Kafka as a fat jar from the [GitHub releases page](https://github.com/michelin/ns4kafka/releases) (requires Java 21).\r\n\r\nAdditionally, a Docker image is available on [Docker Hub](https://hub.docker.com/repository/docker/michelin/ns4kafka).\r\n\r\n## Install\r\n\r\nTo operate, Ns4Kafka requires a Kafka broker for data storage and GitLab for user authentication.\r\n\r\nThe solution is built on the [Micronaut framework](https://micronaut.io/) and can be configured with\r\nany [Micronaut property source loader](https://docs.micronaut.io/1.3.0.M1/guide/index.html#_included_propertysource_loaders).\r\n\r\nTo override the default properties from the `application.yml` file, you can set the `micronaut.config.file` system\r\nproperty when running the fat jar file, like so:\r\n\r\n```console\r\njava -Dmicronaut.config.file=application.yml -jar ns4kafka.jar\r\n```\r\n\r\nAlternatively, you can set the `MICRONAUT_CONFIG_FILE` environment variable and then run the jar file without additional\r\nparameters, as shown below:\r\n\r\n```console\r\nexport MICRONAUT_CONFIG_FILE=application.yml\r\njava -jar ns4kafka.jar\r\n```\r\n\r\n## Demo Environment\r\n\r\nTo run and try out the application, you can use the provided `docker-compose` files located in the `.docker` directory.\r\n\r\n```console\r\ndocker-compose up -d\r\n```\r\n\r\nThis command will start multiple containers, including:\r\n\r\n- 1 Kafka broker (KRaft mode)\r\n- 1 Schema registry\r\n- 1 Kafka Connect\r\n- 1 Control Center\r\n- 1 Ns4Kafka\r\n- 1 Kafkactl\r\n\r\nNote that SASL/SCRAM authentication and authorization using ACLs are enabled on the broker.\r\n\r\nYou can access the Kafkactl container and start deploying resources from the `/resources` directory:\r\n\r\n```console\r\ndocker exec -it kafkactl /bin/bash\r\n```\r\n\r\nBy default, Kafkactl authenticates with Ns4Kafka using the 
[Local Users](#local-users) authentication method with the `gitlab:admin` credentials.\r\n\r\nIf you want to use GitLab, you can update the configuration files as follows and restart the containers.\r\n\r\n1. Define a GitLab admin group for Ns4Kafka in the `.docker/config/ns4kafka/application.yml` file. You can find an\r\n   example [here](#gitlab). It is recommended to choose a GitLab group you belong to in order to have admin\r\n   rights.\r\n2. Define a GitLab token for Kafkactl in the `.docker/config/kafkactl/config.yml` file. You can refer to the installation\r\n   instructions [here](https://github.com/michelin/kafkactl#install).\r\n3. Define a GitLab group you belong to in the role bindings of the `.docker/resources/admin/namespace.yml` file. This is\r\n   demonstrated in the example [here](https://github.com/michelin/kafkactl#role-binding).\r\n\r\nAlternatively, a `docker-compose` file running AKHQ instead of Control Center is available in the `.docker` directory.\r\n\r\n```console\r\ndocker-compose -f docker-compose-akhq.yml up -d\r\n```\r\n\r\n## Configuration\r\n\r\n### Authentication\r\n\r\n#### Methods\r\n\r\nNs4Kafka supports two authentication methods.\r\n\r\n##### Basic Authentication\r\n\r\n```shell\r\ncurl -u username:password http://localhost:8080/api/namespaces/myNamespace/topics\r\n```\r\n\r\n##### JWT Bearer\r\n\r\nThe JWT token can be retrieved using the built-in [Micronaut LoginController](https://micronaut-projects.github.io/micronaut-security/latest/guide/#login) and passed in the `Authorization` header.\r\n\r\n```shell\r\ncurl -X POST -d '{\"username\":\"username\",\"password\":\"password\"}' -H \"Content-Type: application/json\" http://localhost:8080/login\r\n```\r\n\r\nThe delivered JWT token will have the following format:\r\n\r\n```yml\r\n{\r\n  \"roleBindings\": [\r\n    {\r\n      \"namespaces\": [\"myNamespace\"],\r\n      \"verbs\": [\r\n        \"GET\",\r\n        \"POST\",\r\n        \"PUT\",\r\n        \"DELETE\"\r\n      
],\r\n      \"resourceTypes\": [\r\n        \"schemas\",\r\n        \"schemas/config\",\r\n        \"topics\",\r\n        \"topics/delete-records\",\r\n        \"connectors\",\r\n        \"connectors/change-state\",\r\n        \"acls\",\r\n        \"consumer-groups/reset\",\r\n        \"streams\",\r\n        \"connect-clusters\",\r\n        \"connect-clusters/vaults\"\r\n      ]\r\n    }\r\n  ],\r\n  \"sub\": \"user.name@mail.com\",\r\n  \"nbf\": 1711905057,\r\n  \"roles\": [\r\n    \"isAdmin()\"\r\n  ],\r\n  \"iss\": \"ns4kafka\",\r\n  \"exp\": 1711908657,\r\n  \"iat\": 1711905057\r\n}\r\n```\r\n\r\nThe token will be valid for 1 hour by default.\r\n\r\nThe `roleBindings` field contains the permissions granted to the user.\r\n\r\nAn ID provider is required to authenticate users. The following ID providers are supported.\r\n\r\n#### ID Providers\r\n\r\nNs4Kafka supports two ID providers.\r\n\r\n##### Local Users\r\n\r\nThe local ID provider is intended for testing purposes. It allows authentication using local users defined in the configuration.\r\n\r\n```yaml\r\nns4kafka:\r\n  security:\r\n    admin-group: adminGroup\r\n    local-users:\r\n      - username: admin\r\n        password: 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918\r\n        groups:\r\n          - \"adminGroup\"\r\n      - username: user\r\n        password: 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918\r\n        groups:\r\n          - \"userGroup\"\r\n```\r\n\r\nThe passwords are hashed using the SHA-256 algorithm.\r\nThe groups used to grant access to namespaces are defined in the `groups` field.\r\n\r\nThe admin group is set to \"adminGroup\" in the example above. 
Users will be granted admin privileges if they belong to\r\nthe local group \"adminGroup\".\r\n\r\nThe default `application.yml` file includes a sample configuration with a local user named `admin` and a password set to `admin`.\r\n\r\nTo authenticate with Kafkactl using local users, set the username to `gitlab`. The password will serve as the authentication token.\r\n\r\n##### GitLab\r\n\r\nGitLab is recommended for production environments.\r\nIt uses GitLab groups to grant access to namespaces.\r\nFrom a given GitLab token, it retrieves the user's GitLab groups and checks if any of them match any of the role\r\nbindings.\r\n\r\nTo set up authentication with GitLab, you can use the following configuration:\r\n\r\n```yaml\r\nmicronaut:\r\n  gitlab:\r\n    enabled: true\r\n    url: https://gitlab.com\r\n  token:\r\n    jwt:\r\n      signatures:\r\n        secret:\r\n          generator:\r\n            secret: \"changeit\"\r\n\r\nns4kafka:\r\n  security:\r\n    admin-group: ADMIN_GROUP\r\n```\r\n\r\nThe `micronaut.gitlab.url` property is set to the GitLab instance URL.\r\nThe `micronaut.token.jwt.signatures.secret.generator.secret` property is used to sign the JWT token and should be\r\nchanged to a secure value, since anyone who knows it can forge valid tokens.\r\n\r\nThe admin group is set to \"ADMIN_GROUP\" in the example above. 
Users will be granted admin privileges if they belong\r\nto the GitLab group \"ADMIN_GROUP\".\r\n\r\n### Kafka Broker\r\n\r\nNs4Kafka requires a Kafka broker to store data.\r\n\r\nYou can configure authentication to the Kafka brokers using the following:\r\n\r\n```yaml\r\nkafka:\r\n  bootstrap.servers: \"localhost:9092\"\r\n  sasl.mechanism: \"PLAIN\"\r\n  security.protocol: \"SASL_PLAINTEXT\"\r\n  sasl.jaas.config: \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\"admin\\\" password=\\\"admin\\\";\"\r\n```\r\n\r\nThe configuration will depend on the authentication method selected for your broker.\r\n\r\n### Security\r\n\r\nNs4Kafka encrypts sensitive data at rest in topics using AES-256 GCM encryption. This is used to encrypt Kafka Connect sensitive data (i.e., password, aes256 key, aes256 salt).\r\n\r\nEncryption requires a key for both encryption and decryption, which is defined in the following properties:\r\n\r\n```yaml\r\nns4kafka:\r\n  security:\r\n    aes256-encryption-key: 'changeitchangeitchangeitchangeit'\r\n```\r\n\r\nThe key must be 256 bits long (32 characters).\r\n\r\nIt is recommended to use a different key for each environment.\r\n\r\n### Stream Catalog\r\n\r\nFor Confluent Cloud only, topic tags and description can be synchronized with Ns4Kafka.\r\n\r\nThe synchronization is done with the [Confluent Stream Catalog GraphQL API](https://docs.confluent.io/cloud/current/stream-governance/graphql-apis.html) if you have the appropriate Stream Governance package on Confluent, otherwise with the [Confluent Stream Catalog REST API](https://docs.confluent.io/cloud/current/stream-governance/stream-catalog-rest-apis.html#list-all-topics).\r\n\r\nYou can configure the synchronization using the following properties:\r\n\r\n```yaml\r\nns4kafka:\r\n  confluent-cloud:\r\n    stream-catalog:\r\n      page-size: 500\r\n      sync-catalog: true\r\n```\r\n\r\nThe page size is used for the Stream Catalog REST API and is capped at 500 as 
described in the [Confluent Cloud documentation](https://docs.confluent.io/cloud/current/stream-governance/stream-catalog-rest-apis.html#limits-on-topic-listings).\r\n\r\nNote that the `config.cluster.id` parameter from the [managed cluster properties](#managed-kafka-clusters) must be set to use Confluent Cloud.\r\n\r\n### Managed Kafka Clusters\r\n\r\nManaged clusters are the clusters where Ns4Kafka namespaces are deployed and Kafka resources are managed.\r\n\r\nYou can configure your managed clusters with the following properties:\r\n\r\n```yaml\r\nns4kafka:\r\n  managed-clusters:\r\n    clusterNameOne:\r\n      manage-users: true\r\n      manage-acls: true\r\n      manage-topics: true\r\n      manage-connectors: true\r\n      drop-unsync-acls: true\r\n      provider: \"SELF_MANAGED\"\r\n      config:\r\n        bootstrap.servers: \"localhost:9092\"\r\n        sasl.mechanism: \"PLAIN\"\r\n        security.protocol: \"SASL_PLAINTEXT\"\r\n        sasl.jaas.config: \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\"admin\\\" password=\\\"admin\\\";\"\r\n        cluster.id: \"lkc-abcde\"\r\n      schema-registry:\r\n        url: \"http://localhost:8081\"\r\n        basicAuthUsername: \"user\"\r\n        basicAuthPassword: \"password\"\r\n      connects:\r\n        connectOne:\r\n          url: \"http://localhost:8083\"\r\n          basicAuthUsername: \"user\"\r\n          basicAuthPassword: \"password\"\r\n```\r\n\r\nThe name for each managed cluster has to be unique. 
This is the name you have to set in the **metadata.cluster** field\r\nof your namespace descriptors.\r\n\r\n| Property                             | Type    | Required | Description                                                                                                                                                                                                    |\r\n|--------------------------------------|---------|----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\r\n| manage-acls                          | boolean | No       | Whether the cluster manages access control entries (Default: false)                                                                                                                                            |\r\n| manage-connectors                    | boolean | No       | Whether the cluster manages connects (Default: false)                                                                                                                                                          |\r\n| manage-topics                        | boolean | No       | Whether the cluster manages topics (Default: false)                                                                                                                                                            |\r\n| manage-users                         | boolean | No       | Whether the cluster manages users (Default: false)                                                                                                                                                             |\r\n| drop-unsync-acls                     | boolean | No       | Should unsynchronized acls be dropped (Default: true)                                                                                                                                    
                      |\r\n| timeout.acl.create                   | int     | No       | The timeout in milliseconds used by the AdminClient to create acls (Default: 30000ms)                                                                                                                          |\r\n| timeout.acl.describe                 | int     | No       | The timeout in milliseconds used by the AdminClient to describe acls (Default: 30000ms)                                                                                                                        |\r\n| timeout.acl.delete                   | int     | No       | The timeout in milliseconds used by the AdminClient to delete acls (Default: 30000ms)                                                                                                                          |\r\n| timeout.topic.alter-configs          | int     | No       | The timeout in milliseconds used by the AdminClient to alter topic configs (Default: 30000ms)                                                                                                                  |\r\n| timeout.topic.create                 | int     | No       | The timeout in milliseconds used by the AdminClient to create topics (Default: 30000ms)                                                                                                                        |\r\n| timeout.topic.describe-configs       | int     | No       | The timeout in milliseconds used by the AdminClient to describe topic configs (Default: 30000ms)                                                                                                               |\r\n| timeout.topic.delete                 | int     | No       | The timeout in milliseconds used by the AdminClient to delete topics (Default: 30000ms)                                                                                                                        |\r\n| timeout.topic.list                   | int     | No  
     | The timeout in milliseconds used by the AdminClient to list topics (Default: 30000ms)                                                                                                                          |\r\n| timeout.user.alter-quotas            | int     | No       | The timeout in milliseconds used by the AdminClient to alter client quotas (Default: 30000ms)                                                                                                                  |\r\n| timeout.user.alter-scram-credentials | int     | No       | The timeout in milliseconds used by the AdminClient to alter scram credentials (Default: 30000ms)                                                                                                              |\r\n| timeout.user.describe-quotas         | int     | No       | The timeout in milliseconds used by the AdminClient to describe client quotas (Default: 30000ms)                                                                                                               |\r\n| provider                             | boolean | Yes      | The kind of cluster. Either SELF_MANAGED or CONFLUENT_CLOUD                                                                                                                                                    |\r\n| config.bootstrap.servers             | string  | Yes      | The location of the clusters servers                                                                                                                                                                           |\r\n| config.cluster.id                    | string  | No       | The cluster id. Required to use [Confluent Cloud tags](https://docs.confluent.io/cloud/current/stream-governance/stream-catalog.html). In this case, [Stream Catalog properties](#stream-catalog) must be set. 
|\r\n| schema-registry.url                  | string  | No       | The location of the Schema Registry                                                                                                                                                                            |\r\n| schema-registry.basicAuthUsername    | string  | No       | Basic authentication username to the Schema Registry                                                                                                                                                           |\r\n| schema-registry.basicAuthPassword    | string  | No       | Basic authentication password to the Schema Registry                                                                                                                                                           |\r\n| connects.\u003cname\u003e.url                  | string  | No       | The location of the kafka connect                                                                                                                                                                              |\r\n| connects.\u003cname\u003e.basicAuthUsername    | string  | No       | Basic authentication username to the Kafka Connect                                                                                                                                                             |\r\n| connects.\u003cname\u003e.basicAuthPassword    | string  | No       | Basic authentication password to the Kafka Connect                                                                                                                                                             |\r\n\r\nThe configuration will depend on the authentication method selected for your broker, schema registry and Kafka Connect.\r\n\r\n### AKHQ\r\n\r\n[AKHQ](https://github.com/tchiotludo/akhq) can be integrated with Ns4Kafka to provide access to resources within your\r\nnamespace during the authentication 
process.\r\n\r\nTo enable this integration, follow these steps:\r\n\r\n1. Configure LDAP authentication in AKHQ.\r\n2. Add the Ns4Kafka claim endpoint to AKHQ's configuration:\r\n\r\n```yaml\r\nakhq:\r\n  security:\r\n    rest:\r\n      enabled: true\r\n      url: https://ns4kafka/akhq-claim/v3\r\n```\r\n\r\nFor AKHQ versions from v0.20 to v0.24, use the `/akhq-claim/v2` endpoint.\r\nFor AKHQ versions prior to v0.20, use the `/akhq-claim/v1` endpoint.\r\n\r\n3. In your Ns4Kafka configuration, specify the following settings for AKHQ:\r\n\r\n* For AKHQ versions v0.25 and later\r\n\r\n```yaml\r\nns4kafka:\r\n  akhq:\r\n    admin-group: LDAP-ADMIN-GROUP\r\n    roles:\r\n      TOPIC: topic-read\r\n      CONNECT: connect-rw\r\n      SCHEMA: registry-read\r\n      GROUP: group-read\r\n      CONNECT_CLUSTER: connect-cluster-read\r\n    admin-roles:\r\n      TOPIC: topic-admin\r\n      CONNECT: connect-admin\r\n      SCHEMA: registry-admin\r\n      GROUP: group-read\r\n      CONNECT_CLUSTER: connect-cluster-read \r\n```\r\n\r\n* For AKHQ versions prior to v0.25\r\n\r\n```yaml\r\nns4kafka:\r\n  akhq:\r\n    admin-group: LDAP-ADMIN-GROUP\r\n    former-admin-roles:\r\n      - topic/read\r\n      - topic/data/read\r\n      - group/read\r\n      - registry/read\r\n      - connect/read\r\n      - connect/state/update\r\n      - users/reset-password\r\n    group-label: support-group\r\n    former-roles:\r\n      - topic/read\r\n      - topic/data/read\r\n      - group/read\r\n      - registry/read\r\n      - connect/read\r\n      - connect/state/update\r\n```\r\n\r\nIf the admin group is set to \"LDAP-ADMIN-GROUP\", users belonging to this LDAP group will be granted admin privileges.\r\n\r\n4. 
In your namespace configuration, define an LDAP group:\r\n\r\n```yaml\r\napiVersion: v1\r\nkind: Namespace\r\nmetadata:\r\n  name: myNamespace\r\n  cluster: local\r\n  labels:\r\n    contacts: namespace.owner@example.com\r\n    support-group: NAMESPACE-LDAP-GROUP\r\n```\r\n\r\nOnce the configuration is in place, after successful authentication in AKHQ, users belonging to\r\nthe `NAMESPACE-LDAP-GROUP` will be able to access the resources within the `myNamespace` namespace.\r\n\r\n### Sensitive Endpoints\r\n\r\nMicronaut sensitive endpoints can be enabled or disabled in the application configuration.\r\nThe list of sensitive endpoints can be found in\r\nthe [Micronaut documentation](https://docs.micronaut.io/latest/guide/#providedEndpoints).\r\n\r\nThese endpoints are disabled by default in Ns4Kafka and can be enabled by setting the `endpoints.*.enabled` property\r\nto `true`.\r\nWhen enabled, these endpoints can only be accessed by a user authenticated as an admin.\r\n\r\n## RapiDoc\r\n\r\nNs4Kafka provides a [RapiDoc](https://rapidocweb.com/) interface to interact with the API.\r\n\r\nBy default:\r\n- The RapiDoc interface is available at http://localhost:8080/rapidoc.\r\n- The OpenAPI description is available at http://localhost:8080/swagger/ns4kafka-0.1.yml.\r\n\r\nYou can authenticate using the `POST /login` endpoint and then use the `HTTP Bearer` button to add the JWT token\r\nin the `Authorization` header.\r\n\r\nRefer to the [Authentication](#authentication) section for details on the required credentials.\r\n\r\n## Administration\r\n\r\nThe setup of namespaces, owner ACLs, role bindings, and quotas is the responsibility of Ns4Kafka administrators, as\r\nthese resources define the context in which project teams will work. To create your first namespace, please refer to\r\nthe [Kafkactl documentation](https://github.com/michelin/kafkactl/blob/main/README.md#administrator).\r\n\r\n## Contribution\r\n\r\nWe welcome contributions from the community! 
Before you get started, please take a look at\r\nour [contribution guide](https://github.com/michelin/ns4kafka/blob/master/CONTRIBUTING.md) to learn about our guidelines\r\nand best practices. We appreciate your help in making Ns4Kafka a better tool for everyone.\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmichelin%2Fns4kafka","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmichelin%2Fns4kafka","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmichelin%2Fns4kafka/lists"}