Add minimum Kafka ACL permissions for Kafka Monitoring and Messages#35817
Merged
piochelepiotr merged 7 commits intomasterfrom Apr 15, 2026
Merged
Add minimum Kafka ACL permissions for Kafka Monitoring and Messages#35817piochelepiotr merged 7 commits intomasterfrom
piochelepiotr merged 7 commits intomasterfrom
Conversation
Document the minimum Kafka ACL permissions required for the Datadog Agent when connecting to ACL-enabled Kafka clusters. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor
Preview links (active after the
|
domalessi
reviewed
Apr 7, 2026
Contributor
domalessi
left a comment
domalessi
left a comment
There was a problem hiding this comment.
Thanks for the PR! Left some feedback. Let me know if you have any Qs.
|
|
||
| Go to the [Kafka Monitoring setup page][1] and click {{< ui >}}Get Started{{< / ui >}}. Then choose your environment and follow the instructions. To request assistance, choose {{< ui >}}Request a pairing session{{< /ui >}}. | ||
|
|
||
| ### Kafka ACL permissions |
Contributor
There was a problem hiding this comment.
The ACL section is inserted between the setup paragraph and the kafka_setup-2.png image, which breaks the flow — that image illustrates the setup dialog described in the paragraph above it. I think the move would be to shift the ### Kafka ACL permissions to after the image and its following paragraph
Contributor
Author
There was a problem hiding this comment.
Makes sense, moved it
| 1. In Datadog, under [Remote Configuration][13], check that remote configuration is enabled at the organization level. | ||
| 2. In Datadog, under [Remote Configuration][13], check that the agent running the Kafka Consumer integration has remote configuration enabled, and is using an API key with remote configuration enabled. | ||
|
|
||
| ## Kafka ACL permissions |
Contributor
There was a problem hiding this comment.
Having ## Kafka ACL permissions immediately followed by ## Required permissions is confusing — both are about permissions but they cover different things (Kafka cluster access for the Agent vs. Datadog RBAC for the user), and there's nothing to explain the distinction.
I'd suggest one of:
- Group under a single section: Wrap both under ## Permissions with H3 subsections, and rename ## Required permissions to ### Datadog user permissions.
- Move into Prerequisites: Since Kafka ACL permissions are a prerequisite for the feature to work, nest ### Kafka ACL permissions under ## Prerequisites alongside the existing Agent version and remote configuration prerequisites. Then ## Required permissions stands alone covering only Datadog RBAC.
- Keep the structure but add a framing sentence to ## Required permissions: "In addition to Kafka ACL permissions, you must have the following Datadog account permissions:" — this at least signals the distinction without reorganizing.
I think option 2 perhaps is the best move.
Contributor
Author
There was a problem hiding this comment.
Actually, I'm planning to delete that page. Today, this page refers to a version of the feature we want to deprecate. So I've made updates only to the main 'Kafka' page, and will delete the messages page once agent 7.78 is released.
- Move ACL permissions section after the setup image and paragraph in _index.md - Nest Kafka ACL permissions under Prerequisites (as H3) in messages.md Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add a second table for Read on TOPIC (message viewing) below the monitoring permissions table. Revert all changes to messages.md. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Delete the separate messages.md page and add aliases for redirects. Remove the Messages nav menu entry. Update _index.md to remove the dead link to messages.md. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Restore messages.md and nav menu to original state. ACL permissions for both monitoring and message reading are in the Kafka Monitoring page only. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
domalessi
approved these changes
Apr 8, 2026
Contributor
domalessi
left a comment
domalessi
left a comment
There was a problem hiding this comment.
Thanks for the change! This is better, although I think that moving the ACL stuff into a prerequisites section would be ideal. See my suggestions! I'm approving so that you can commit those if you like that format, and then proceed to merge this in.
Co-authored-by: domalessi <111786334+domalessi@users.noreply.github.com>
Co-authored-by: domalessi <111786334+domalessi@users.noreply.github.com>
jeff-morgan-dd
pushed a commit
that referenced
this pull request
Apr 16, 2026
…35817) * Add minimum Kafka ACL permissions for Kafka Monitoring and Messages Document the minimum Kafka ACL permissions required for the Datadog Agent when connecting to ACL-enabled Kafka clusters. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Address PR review comments - Move ACL permissions section after the setup image and paragraph in _index.md - Nest Kafka ACL permissions under Prerequisites (as H3) in messages.md Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Move message reading permissions to _index.md, revert messages.md Add a second table for Read on TOPIC (message viewing) below the monitoring permissions table. Revert all changes to messages.md. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Remove messages.md, consolidate into Kafka Monitoring page Delete the separate messages.md page and add aliases for redirects. Remove the Messages nav menu entry. Update _index.md to remove the dead link to messages.md. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Revert messages.md deletion, keep ACL permissions in _index.md only Restore messages.md and nav menu to original state. ACL permissions for both monitoring and message reading are in the Kafka Monitoring page only. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Update content/en/data_streams/kafka/_index.md Co-authored-by: domalessi <111786334+domalessi@users.noreply.github.com> * Update content/en/data_streams/kafka/_index.md Co-authored-by: domalessi <111786334+domalessi@users.noreply.github.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: domalessi <111786334+domalessi@users.noreply.github.com>
StefonSimmons
pushed a commit
that referenced
this pull request
Apr 16, 2026
…35817) * Add minimum Kafka ACL permissions for Kafka Monitoring and Messages Document the minimum Kafka ACL permissions required for the Datadog Agent when connecting to ACL-enabled Kafka clusters. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Address PR review comments - Move ACL permissions section after the setup image and paragraph in _index.md - Nest Kafka ACL permissions under Prerequisites (as H3) in messages.md Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Move message reading permissions to _index.md, revert messages.md Add a second table for Read on TOPIC (message viewing) below the monitoring permissions table. Revert all changes to messages.md. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Remove messages.md, consolidate into Kafka Monitoring page Delete the separate messages.md page and add aliases for redirects. Remove the Messages nav menu entry. Update _index.md to remove the dead link to messages.md. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Revert messages.md deletion, keep ACL permissions in _index.md only Restore messages.md and nav menu to original state. ACL permissions for both monitoring and message reading are in the Kafka Monitoring page only. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Update content/en/data_streams/kafka/_index.md Co-authored-by: domalessi <111786334+domalessi@users.noreply.github.com> * Update content/en/data_streams/kafka/_index.md Co-authored-by: domalessi <111786334+domalessi@users.noreply.github.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: domalessi <111786334+domalessi@users.noreply.github.com>
jeff-morgan-dd
added a commit
that referenced
this pull request
Apr 16, 2026
* Adding backlog of blog links * Clean up blog links * Remove duplicate link * Update content/en/monitors/configuration/_index.md Co-authored-by: Bryce Eadie <bryce.eadie@datadoghq.com> * Update content/en/sheets/_index.md Co-authored-by: Bryce Eadie <bryce.eadie@datadoghq.com> * Update content/en/monitors/_index.md Co-authored-by: Bryce Eadie <bryce.eadie@datadoghq.com> * Update content/en/service_level_objectives/_index.md Co-authored-by: Bryce Eadie <bryce.eadie@datadoghq.com> * Update content/en/observability_pipelines/rehydration.md Co-authored-by: Bryce Eadie <bryce.eadie@datadoghq.com> * Update content/en/network_monitoring/network_path/_index.md Co-authored-by: Bryce Eadie <bryce.eadie@datadoghq.com> * Remove unrelated links per suggestions from code review Co-authored-by: Bryce Eadie <bryce.eadie@datadoghq.com> * Updating link order * Reorganize links for consistent ordering * Link ordering updates * Apply suggestions from code review Co-authored-by: Bryce Eadie <bryce.eadie@datadoghq.com> * Update content/en/actions/agents/_index.md Co-authored-by: Bryce Eadie <bryce.eadie@datadoghq.com> * [CONTINT-5127] Update cluster naming rules (#35000) * Update cluster naming rules Co-authored-by: Bryce Eadie <bryce.eadie@datadoghq.com> * Update SCA vulnerability database timing to include malicious packages (#35989) Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> * [RUM] RUM Managed Archive (#35691) * Add initial documentation for RUM Managed Archive * Update RUM Managed Archive docs and add screenshots * Update RUM Managed Archive docs with navigation, setup, and query improvements * Restructure How Managed Archive works section and refine note formatting * Update content/en/real_user_monitoring/managed_archive.md Co-authored-by: Rosa Trieu <107086888+rtrieu@users.noreply.github.com> * Update content/en/real_user_monitoring/managed_archive.md Co-authored-by: Rosa Trieu <107086888+rtrieu@users.noreply.github.com> * Update content/en/real_user_monitoring/managed_archive.md Co-authored-by: Rosa Trieu <107086888+rtrieu@users.noreply.github.com> * Update content/en/real_user_monitoring/managed_archive.md Co-authored-by: Rosa Trieu <107086888+rtrieu@users.noreply.github.com> * Update content/en/real_user_monitoring/managed_archive.md Co-authored-by: Rosa Trieu <107086888+rtrieu@users.noreply.github.com> * Apply reviewer suggestions to managed_archive.md * Remove redundant paragraph, move bullets before screenshot * Update screenshots and refine Recover sessions section * Remove overview screenshot and unused asset * Remove preview callout --------- Co-authored-by: Rosa Trieu <107086888+rtrieu@users.noreply.github.com> * [MLOB] update llm observability auto-instrumentation docs (#34538) * cut down on troubleshooting sections, add package and integration names * Update content/en/llm_observability/instrumentation/auto_instrumentation.md Co-authored-by: Bryce Eadie <bryce.eadie@datadoghq.com> * Update content/en/llm_observability/instrumentation/auto_instrumentation.md Co-authored-by: Bryce Eadie <bryce.eadie@datadoghq.com> * add in link reference * fix link location --------- Co-authored-by: Bryce Eadie <bryce.eadie@datadoghq.com> * Remove otel. metric prefix documentation (#35828) * Remove otel. metric prefix documentation The Datadog Exporter no longer prepends otel. to system.* and process.* metrics. Update docs to reflect the new behavior across metrics mapping, query metrics, runtime metrics, and Kafka metrics pages. * Clean up redundant section and orphaned link refs Remove the "How OpenTelemetry metrics appear in Datadog" section that was restating the overview. Simplify runtime metrics prefix sentence and remove unused link definitions. * add reference tables toolset doc to MCP docs (#35140) * add reference tables toolset doc to MCP docs * address PR suggestions: use backticks for inline values * [OTAGENT-923] Add docs for DDOT Windows preview (#35951) * Draft DDOT windows docs * Apply suggestion from @brett0000FF Co-authored-by: Brett Blue <84536271+brett0000FF@users.noreply.github.com> --------- Co-authored-by: Brett Blue <84536271+brett0000FF@users.noreply.github.com> * Add fleet tracers, clusters, and instrumented pods endpoints (#35881) Co-authored-by: ci.datadog-api-spec <packages@datadoghq.com> * Add unified SDK mobile vitals cdocs pages (#35860) * Migrate mobile vitals pages to unified SDK cdocs format Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Add shared overview partial to mobile vitals shortcodes Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * update/remove image and navigation * fixes * [DOCS-11179] Rearrange track user interactions * Revert "[DOCS-11179] Rearrange track user interactions" This reverts commit 0f69929. * correct and add links per dom comments --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> * [DOCS-13867] Fix DatadogProviderConfiguration constructor in Expo setup code sample (#35855) * Fix DatadogProviderConfiguration constructor in Expo setup code sample The code sample used invalid JavaScript syntax, passing configuration properties as flat positional arguments instead of wrapping them in an options object as the SDK constructor expects. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add TrackingConsent import and fix constructor in React Native setup snippets Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Update generate_metrics.md to remove access request info (#35992) Removed callout about requesting access to custom metrics from traces. * e-linds/Update inferred_services.md (#36014) * e-linds/Update installation.md with namespace context (#36011) * e-linds/Update installation.md with namespace context * Update content/en/containers/kubernetes/installation.md Co-authored-by: domalessi <111786334+domalessi@users.noreply.github.com> --------- Co-authored-by: domalessi <111786334+domalessi@users.noreply.github.com> * Reorganize MCP Server toolsets and tools (Redux) [DOCS-13846] (#35931) * move tools to new separate page, add to nav * move Toolsets section from _index.md to setup.md * clean up _index.md: remove moved sections, add tools pointer and further reading * update cross-refs in setup.md, remove redundant heading from tools.md * add toolset section headers and rewrite intro in tools.md * add Dashboards tools, reorder & create new section per #35891 * fix heading, links * add toolset descriptions to new Tools page * update from master: add alerting tools per #35941 * reorder toolsets instructions & list * split toolsets into GA and Preview lists * add short toolset setup instructions to Tools page * add link to Toolsets section from landing page * fix heading capitalization (sentence-case) * update from master: add reference tables toolset per #35140 * apply feedback from review * [DOCS-13990] Update SSI instrumentation rules docs for Linux and Windows (#35980) * [DOCS-13990] Add instrumentation rules to Windows SSI docs, update Linux - Remove preview callout from Linux instrumentation rules section - Update attributes table on Linux: rename Executable File Path to Executable Full Path, add Entry Point File - Add Define instrumentation rules section to Windows SSI page with full attributes table including IIS Application Pool - Add example use cases with annotated screenshots to both pages Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * [DOCS-13990] Address PR review feedback - Add Advanced options section to Windows page, move instrumentation rules under it - Add second example to both Linux and Windows using collapse-content menus - Fix alt text: shorten and add missing periods - Trim Entry Point File and IIS Application Pool table descriptions - Soften absolute claim in IIS Application Pool description Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * [DOCS-13990] Remove periods from alt text Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * [DOCS-13990] Use HTML tags for code and bold inside collapse-content shortcodes Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * [DOCS-13990] Add Linux example 2 image and update example text Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * [DOCS-13990] Fix missing article and style IIS Application Pool in examples Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Apply suggestions from code review Co-authored-by: domalessi <111786334+domalessi@users.noreply.github.com> --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> * [BITS-4136] Add retention info for Bits AI SRE investigations (#35550) * add retention info for Bits AI SRE investigations * Update content/en/data_security/data_retention_periods.md --------- Co-authored-by: domalessi <111786334+domalessi@users.noreply.github.com> * Add minimum Kafka ACL permissions for Kafka Monitoring and Messages (#35817) * Add minimum Kafka ACL permissions for Kafka Monitoring and Messages Document the minimum Kafka ACL permissions required for the Datadog Agent when connecting to ACL-enabled Kafka clusters. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Address PR review comments - Move ACL permissions section after the setup image and paragraph in _index.md - Nest Kafka ACL permissions under Prerequisites (as H3) in messages.md Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Move message reading permissions to _index.md, revert messages.md Add a second table for Read on TOPIC (message viewing) below the monitoring permissions table. Revert all changes to messages.md. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Remove messages.md, consolidate into Kafka Monitoring page Delete the separate messages.md page and add aliases for redirects. Remove the Messages nav menu entry. Update _index.md to remove the dead link to messages.md. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Revert messages.md deletion, keep ACL permissions in _index.md only Restore messages.md and nav menu to original state. ACL permissions for both monitoring and message reading are in the Kafka Monitoring page only. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Update content/en/data_streams/kafka/_index.md Co-authored-by: domalessi <111786334+domalessi@users.noreply.github.com> * Update content/en/data_streams/kafka/_index.md Co-authored-by: domalessi <111786334+domalessi@users.noreply.github.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: domalessi <111786334+domalessi@users.noreply.github.com> * Add private: true to mobile vitals Cdocs pages (#36013) * Add private: true to mobile vitals Cdocs pages Mark the unified client_sdks/mobile_vitals and all SDK-specific mobile vitals wrapper pages as private so they are excluded from sitemap and search. * Remove private: true from SDK-specific mobile vitals pages * adding files (#36022) * tag files in account management folder (#36017) * [SDTEST-3547] Updated test tags examples (#35994) * updated test tags examples * updated variable name * Pull WP agent documentation from 7.78.x branch (#36007) * feat: add context to the chat (#35950) * Add team and assignee filters for Search Error Tracking Issues API (#35900) Co-authored-by: ci.datadog-api-spec <packages@datadoghq.com> * follow-up fixes to toolsets instructions (#36019) * [Phrase] Translation Updates - 2026-04-01 (#35694) * Updates 18 translation(s) * Reverted further_reading tags from English back to translated language * claude assist Signed-off-by: Brian Deutsch <brian.deutsch@datadoghq.com> * inject headings to backfill anchor links Signed-off-by: Brian Deutsch <brian.deutsch@datadoghq.com> --------- Signed-off-by: Brian Deutsch <brian.deutsch@datadoghq.com> Co-authored-by: webops-guacbot[bot] <214537265+webops-guacbot[bot]@users.noreply.github.com> Co-authored-by: jeff-morgan-dd <jeff.morgan@datadoghq.com> Co-authored-by: Brian Deutsch <brian.deutsch@datadoghq.com> * [Phrase] [Phase 2+3] Translation Updates - 2026-04-15 (#36016) * Updates 52 translation(s) * claude fixes Signed-off-by: Brian Deutsch <brian.deutsch@datadoghq.com> --------- Signed-off-by: Brian Deutsch <brian.deutsch@datadoghq.com> Co-authored-by: webops-guacbot[bot] <214537265+webops-guacbot[bot]@users.noreply.github.com> Co-authored-by: Brian Deutsch <brian.deutsch@datadoghq.com> * fix: restore correct OWASP acronym expansion in terms glossary (#36036) JJ-Change-Id: mwoxlk Co-authored-by: May Lee <may.lee@datadoghq.com> * Clarify OpenTelemetry output format support for metrics (#36029) Updated note on metric streaming to clarify support for OpenTelemetry output formats. * Resolve merge conflict --------- Signed-off-by: Brian Deutsch <brian.deutsch@datadoghq.com> Co-authored-by: Bryce Eadie <bryce.eadie@datadoghq.com> Co-authored-by: Jon Rosario <jon.rosario@datadoghq.com> Co-authored-by: Gorka Vicente <gorka.vicente@datadoghq.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: qsellem <quentin.sellem@datadoghq.com> Co-authored-by: Rosa Trieu <107086888+rtrieu@users.noreply.github.com> Co-authored-by: Sam Brenner <106700075+sabrenner@users.noreply.github.com> Co-authored-by: Brett Blue <84536271+brett0000FF@users.noreply.github.com> Co-authored-by: Guillaume Brizolier <33810550+g-brizolier@users.noreply.github.com> Co-authored-by: Stanley Liu <stanley.liu@datadoghq.com> Co-authored-by: api-clients-generation-pipeline[bot] <54105614+api-clients-generation-pipeline[bot]@users.noreply.github.com> Co-authored-by: ci.datadog-api-spec <packages@datadoghq.com> Co-authored-by: Ida Adjivon <65119712+iadjivon@users.noreply.github.com> Co-authored-by: Merve Bolat <171807277+mervebolatdd@users.noreply.github.com> Co-authored-by: e-linds <145630671+e-linds@users.noreply.github.com> Co-authored-by: domalessi <111786334+domalessi@users.noreply.github.com> Co-authored-by: Joe Peeples <joe.peeples@datadoghq.com> Co-authored-by: Dan Hodge <dan.hodge@datadoghq.com> Co-authored-by: Piotr WOLSKI <piotr.wolski42@gmail.com> Co-authored-by: cecilia saixue wat-kim <cecilia.watt@datadoghq.com> Co-authored-by: Yehor Popovych <yehor.popovych@datadoghq.com> Co-authored-by: Yoann Ghigoff <yoann.ghigoff@datadoghq.com> Co-authored-by: Reda El Issati <41970812+onceLearner@users.noreply.github.com> Co-authored-by: webops-guacbot[bot] <214537265+webops-guacbot[bot]@users.noreply.github.com> Co-authored-by: Brian Deutsch <brian.deutsch@datadoghq.com> Co-authored-by: Romain Marcadier <romain.muller@telecomnancy.net> Co-authored-by: May Lee <may.lee@datadoghq.com> Co-authored-by: helenefav <75643156+helenefav@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Readon Topic permission required for message retrievalTest plan
🤖 Generated with Claude Code