Skip to content

Add minimum Kafka ACL permissions for Kafka Monitoring and Messages #35817

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
piochelepiotr wants to merge 1 commit into
base: master
Choose a base branch
from
+23 −0
Open

Add minimum Kafka ACL permissions for Kafka Monitoring and Messages #35817

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions content/en/data_streams/kafka/_index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,18 @@ With Data Streams Monitoring's Kafka Monitoring, a Datadog Agent check connects

Go to the [Kafka Monitoring setup page][1] and click {{< ui >}}Get Started{{< / ui >}}. Then choose your environment and follow the instructions. To request assistance, choose {{< ui >}}Request a pairing session{{< /ui >}}.

### Kafka ACL permissions
Copy link
Copy Markdown
Contributor

@domalessi domalessi Apr 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ACL section is inserted between the setup paragraph and the kafka_setup-2.png image, which breaks the flow — that image illustrates the setup dialog described in the paragraph above it. I think the move would be to shift the ### Kafka ACL permissions to after the image and its following paragraph


If your Kafka cluster uses ACLs, the Datadog Agent user requires the following minimum permissions:

| Resource Name | Resource Type | Operation |
|---------------|---------------|------------------|
| `kafka-cluster` | `CLUSTER` | `Describe` |
| `kafka-cluster` | `CLUSTER` | `DescribeConfigs` |
| `*` | `TOPIC` | `Describe` |
| `*` | `TOPIC` | `DescribeConfigs` |
| `*` | `GROUP` | `Describe` |

{{< img src="data_streams/kafka_setup-2.png" alt="The Kafka Monitoring setup dialog showing environment selection, security protocol, schema registry options, and Kubernetes configuration instructions" >}}

The setup page provides environment-specific configuration instructions. You can copy the instructions directly to an AI agent with **Copy for AI**.
Expand Down
11 changes: 11 additions & 0 deletions content/en/data_streams/kafka/messages.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,16 @@ Ensure [remote configuration][3] is set up for the agent running the Kafka Consu
1. In Datadog, under [Remote Configuration][13], check that remote configuration is enabled at the organization level.
2. In Datadog, under [Remote Configuration][13], check that the agent running the Kafka Consumer integration has remote configuration enabled, and is using an API key with remote configuration enabled.

## Kafka ACL permissions
Copy link
Copy Markdown
Contributor

@domalessi domalessi Apr 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Having ## Kafka ACL permissions immediately followed by ## Required permissions is confusing — both are about permissions but they cover different things (Kafka cluster access for the Agent vs. Datadog RBAC for the user), and there's nothing to explain the distinction.

I'd suggest one of:

  1. Group under a single section: Wrap both under ## Permissions with H3 subsections, and rename ## Required permissions to ### Datadog user permissions.
  2. Move into Prerequisites: Since Kafka ACL permissions are a prerequisite for the feature to work, nest ### Kafka ACL permissions under ## Prerequisites alongside the existing Agent version and remote configuration prerequisites. Then ## Required permissions stands alone covering only Datadog RBAC.
  3. Keep the structure but add a framing sentence to ## Required permissions: "In addition to Kafka ACL permissions, you must have the following Datadog account permissions:" — this at least signals the distinction without reorganizing.

I think option 2 perhaps is the best move.


If your Kafka cluster uses ACLs, the Datadog Agent user requires the following minimum permissions to read messages:

| Resource Name | Resource Type | Operation |
|---------------|---------------|-----------|
| `*` | `TOPIC` | `Read` |

These permissions are in addition to the [Kafka Monitoring permissions][14].

## Required permissions

You must have the `Data Streams Monitoring Capture Messages` permission, and these logs permissions that are part of the Datadog Standard role:
Expand Down Expand Up @@ -94,3 +104,4 @@ To enable permissions, edit an existing role or create a new one on the [Roles p
[11]: /integrations/kafka-consumer/?tab=host#validation
[12]: https://app.datadoghq.com/fleet
[13]: https://app.datadoghq.com/organization-settings/remote-config
[14]: /data_streams/kafka/#kafka-acl-permissions
Loading