Kafka GUI for Apache Kafka to manage topics, topics data, consumers group, schema registry, connect and more...
- Features
- Quick Preview
- Installation
- Configuration
- Api
- Monitoring Endpoint
- Development Environment
- Who's using AKHQ
- General
- Works with modern Kafka cluster (1.0+)
- Connection on standard or ssl, sasl cluster
- Multi cluster
- Topics
- List
- Configurations view
- Partitions view
- ACLS view
- Consumers groups assignments view
- Node leader & assignments view
- Create a topic
- Configure a topic
- Delete a topic
- Browse Topic datas
- View data, offset, key, timestamp & headers
- Automatic deserializarion of avro message encoded with schema registry
- Configurations view
- Logs view
- Delete a record
- Sort view
- Filter per partitions
- Filter with a starting time
- Filter data with a search string
- Consumer Groups (only with kafka internal storage, not with old Zookeeper)
- List with lag, topics assignments
- Partitions view & lag
- ACLS view
- Node leader & assignments view
- Display active and pending consumers groups
- Delete a consumer group
- Update consumer group offsets to start / end / timestamp
- Schema Registry
- List schema
- Create / Update / Delete a schema
- View and delete individual schema version
- Connect
- List connect definition
- Create / Update / Delete a definition
- Pause / Resume / Restart a definition or a task
- Nodes
- List
- Configurations view
- Logs view
- Configure a node
- ACLS
- List principals
- List principals topic & group acls
- Authentification and Roles
- Read only mode
- BasicHttp with roles per user
- User groups configuration
- Filter topics with regexp for current groups
- Ldap configuration to match AKHQ groups/roles
- Download docker-compose.yml file
- run
docker-compose pull
to be sure to have the last version of AKHQ - run
docker-compose up
- go to https://localhost:8080
It will start a Kafka node, a Zookeeper node, a Schema Registry, a Connect, fill with some sample data, start a consumer group and a kafka stream & start AKHQ.
First you need a configuration files in order to configure AKHQ connections to Kafka Brokers.
docker run -d \
-p 8080:8080 \
-v /tmp/application.yml:/app/application.yml \
tchiotludo/akhq
- With
-v /tmp/application.yml
must be an absolute path to configuration file - Go to https://localhost:8080
- Install Java 11
- Download the latest jar on release page
- Create an configuration files
- Launch the application with
java -Dmicronaut.config.files=/path/to/application.yml -jar akhq.jar
- Go to https://localhost:8080
- Add the AKHQ helm charts repository:
helm repo add akhq https://akhq.io/
- Install it:
helm install --name akhq akhq/akhq
- Clone the repository:
git clone https://github.com/tchiotludo/akhq && cd akhq/deploy/helm/akhq
- Update helm values located in deploy/helm/values.yaml
configuration
values will contains all related configuration that you can find in application.example.yml and will be store in aConfigMap
secrets
values will contains all sensitive configurations (with credentials) that you can find in application.example.yml and will be store inSecret
- Both values will be merged at startup
- Apply the chart:
helm install --name=akhq-release-name .
Configuration file can by default be provided in either Java properties, YAML, JSON or Groovy files. YML Configuration file example can be found here :application.example.yml
By default, the docker container will run with a jvm.options file, you can override it with
your own with an Environment Variable. With the JVM_OPTS_FILE
environment variable, you can override the jvm.options file by passing
the path of your file instead.
Override the JVM_OPTS_FILE
with docker run:
docker run -d \
--env JVM_OPTS_FILE={{path-of-your-jvm.options-file}}
-p 8080:8080 \
-v /tmp/application.yml:/app/application.yml \
tchiotludo/akhq
Override the JVM_OPTS_FILE
with docker-compose:
version: '3.7'
services:
akhq:
image: tchiotludo/akhq-jvm:dev
environment:
JVM_OPTS_FILE: /app/jvm.options
ports:
- "8080:8080"
volumes:
- /tmp/application.yml:/app/application.yml
If you do not override the JVM_OPTS_FILE
, the docker container will take the defaults one instead.
akhq.connections
is a key value configuration with :key
: must be an url friendly (letter, number, _, -, ... dot are not allowed here) string the identify your cluster (my-cluster-1
andmy-cluster-2
is the example above)properties
: all the configurations found on Kafka consumer documentation. Most important isbootstrap.servers
that is a list of host:port of your Kafka brokers.schema-registry
: (optional)url
: the schema registry urlbasic-auth-username
: schema registry basic auth usernamebasic-auth-password
: schema registry basic auth passwordproperties
: all the configurations for registry client, especially ssl configuration
connect
: (optional list, define each connector as a element of a list)name
: connect nameurl
: connect urlbasic-auth-username
: connect basic auth usernamebasic-auth-password
: connect basic auth passwordssl-trust-store
: /app/truststore.jksssl-trust-store-password
: trust-store-passwordssl-key-store
: /app/truststore.jksssl-key-store-password
: key-store-password
Configuration example for kafka cluster secured by ssl for saas provider like aiven (full https & basic auth):
You need to generate a jks & p12 file from pem, cert files give by saas provider.
openssl pkcs12 -export -inkey service.key -in service.cert -out client.keystore.p12 -name service_key
keytool -import -file ca.pem -alias CA -keystore client.truststore.jks
Configurations will look like this example:
akhq:
connections:
ssl-dev:
properties:
bootstrap.servers: "{{host}}.aivencloud.com:12835"
security.protocol: SSL
ssl.truststore.location: {{path}}/avnadmin.truststore.jks
ssl.truststore.password: {{password}}
ssl.keystore.type: "PKCS12"
ssl.keystore.location: {{path}}/avnadmin.keystore.p12
ssl.keystore.password: {{password}}
ssl.key.password: {{password}}
schema-registry:
url: "https://{{host}}.aivencloud.com:12838"
basic-auth-username: avnadmin
basic-auth-password: {{password}}
properties: {}
connect:
- name: connect-1
url: "https://{{host}}.aivencloud.com:{{port}}"
basic-auth-username: avnadmin
basic-auth-password: {{password}}
akhq.pagination.page-size
number of topics per page (default : 25)
akhq.topic.default-view
is default list view (ALL, HIDE_INTERNAL, HIDE_INTERNAL_STREAM, HIDE_STREAM)akhq.topic.internal-regexps
is list of regexp to be considered as internal (internal topic can't be deleted or updated)akhq.topic.stream-regexps
is list of regexp to be considered as internal stream topicakhq.topic.skip-consumer-groups
disable loading of consumer group information when showing topics (true
), default is to load the information
These parameters are the default values used in the topic creation page.
akhq.topic.retention
Default retention in msakhq.topic.replication
Default number of replica to useakhq.topic.partition
Default number of partition
akhq.topic-data.sort
: default sort order (OLDEST, NEWEST) (default: OLDEST)akhq.topic-data.size
: max record per page (default: 50)akhq.topic-data.poll-timeout
: The time, in milliseconds, spent waiting in poll if data is not available in the buffer (default: 1000).
akhq.security.default-group
: Default group for all the user even unlogged user. By default, the default group isadmin
and allow you all read / write access on the whole app.
By default, security & roles is enabled by default but anonymous user have full access. You can completely disabled
security with micronaut.security.enabled: false
.
If you need a read-only application, simply add this to your configuration files :
akhq:
security:
default-group: reader
Groups allow you to limit user
Define groups with specific roles for your users
-
akhq.security.default-group
: Default group for all the user even unlogged user -
akhq.security.groups
: Groups list definitiongroup-name
: Group identifierroles
: Roles list for the groupattributes.topics-filter-regexp
: Regexp to filter topics available for current group
3 defaults group are available :
admin
with all rightreader
with only read acces on all AKHQno-roles
without any roles, that force user to login
akhq.security.basic-auth
: List user & password with affected rolesactual-username
: Login of the current user as a yaml key (may be anything email, login, ...)password
: Password in sha256, can be converted with commandecho -n "password" | sha256sum
groups
: Groups for current user
Take care that basic auth will use session store in server memory. If your instance is behind a reverse proxy or a loadbalancer, you will need to forward the session cookie named
SESSION
and / or use sesssion stickiness
Configure how the ldap groups will be matched in AKHQ groups
akhq.security.ldap.group
: Ldap groups listldap-group-name
: Ldap group name (same name as in ldap)groups
: AKHQ group list to be used for current ldap group
Example using online ldap test server
Configure ldap connection in micronaut
micronaut:
security:
ldap:
default:
enabled: true
context:
server: 'ldap:https://ldap.forumsys.com:389'
managerDn: 'cn=read-only-admin,dc=example,dc=com'
managerPassword: 'password'
search:
base: "dc=example,dc=com"
groups:
enabled: true
base: "dc=example,dc=com"
If you want to enable anonymous auth to your LDAP server you can pass :
managerDn: ''
managerPassword: ''
Debuging ldap connection can be done with
curl -i -X POST -H "Content-Type: application/json" \
-d '{ "configuredLevel": "TRACE" }' \
https://localhost:8080/loggers/io.micronaut.configuration.security
Configure AKHQ groups and Ldap groups and users
akhq:
security:
groups:
topic-reader: # just a key, no matter will be override by name below
name: "topic-reader" # Group name
roles: # roles for the group
- topic/read
attributes:
# Regexp to filter topic available for group
topics-filter-regexp: "test\\.reader.*"
topic-writer: # just a key, no matter will be override by name below
name: "topic-writer" # Group name
roles:
- topic/read
- topic/insert
- topic/delete
- topic/config/update
attributes:
topics-filter-regexp: "test.*"
ldap:
group:
mathematicians:
groups:
- topic-reader
scientists:
groups:
- topic-reader
- topic-writer
user:
franz:
groups:
- topic-reader
- topic-writer
akhq.server.base-path
: if behind a reverse proxy, path to akhq with trailing slash (optional). Example: akhq is behind a reverse proxy with url https://my-server/akhq, set base-path: "/akhq/". Not needed if you're behind a reverse proxy with subdomain https://akhq.my-server/
akhq.clients-defaults.{{admin|producer|consumer}}.properties
: default configuration for admin producer or consumer. All properties from Kafka documentation is available.
Since AKHQ is based on Micronaut, you can customize configurations (server port, ssl, ...) with Micronaut configuration. More information can be found on Micronaut documentation
AKHQ docker image support 3 environment variables to handle configuraiton :
AKHQ_CONFIGURATION
: a string that contains the full configuration in yml that will be written on /app/configuration.yml on container.MICRONAUT_APPLICATION_JSON
: a string that contains the full configuration in JSON formatMICRONAUT_CONFIG_FILES
: a path to to a configuration file on container. Default path is/app/application.yml
Take care when you mount configuration files to not remove akhq files located on /app.
You need to explicitely mount the /app/application.yml
and not mount the /app
directory.
This will remove the AKHQ binnaries and give you this error: /usr/local/bin/docker-entrypoint.sh: 9: exec: ./akhq: not found
volumeMounts:
- mountPath: /app/application.yml
subPath: application.yml
name: config
readOnly: true
An experimental api is available that allow you to fetch all the exposed on AKHQ through api.
Take care that this api is experimental and will change in a future release. Some endpoint expose too many datas and is slow to fetch, and we will remove some properties in a future in order to be fast.
Example: List topic endpoint expose log dir, consumer groups, offsets. Fetching all of theses is slow for now and we will remove these in a future.
You can discover the api endpoint here :
/api
: a RapiDoc webpage that document all the endpoints./swagger/akhq.yml
: a full OpenApi specifications files
Several monitoring endpoint is enabled by default. You can disabled it or restrict access only for authenticated users following micronaut configuration below.
/info
Info Endpoint with git status informations./health
Health Endpoint/loggers
Loggers Endpoint/metrics
Metrics Endpoint/prometheus
Prometheus Endpoint
You can debug all query duration from AKHQ with this commands
curl -i -X POST -H "Content-Type: application/json" \
-d '{ "configuredLevel": "TRACE" }' \
https://localhost:8080/loggers/org.akhq
You can have access to last feature / bug fix with docker dev image automatically build on tag dev
docker pull tchiotludo/akhq:dev
The dev jar is not publish on GitHub, you have 2 solutions to have the dev
jar :
Get it from docker image
docker pull tchiotludo/akhq:dev
docker run --rm --name=akhq -it tchiotludo/akhq:dev
docker cp akhq:/app/akhq.jar .
Or build it with a ./gradlew shadowJar
, the jar will be located here build/libs/akhq-*.jar
A docker-compose is provide to start a development environnement.
Just install docker & docker-compose, clone the repository and issue a simple docker-compose -f docker-compose-dev.yml up
to start a dev server.
Dev server is a java server & webpack-dev-server with live reload.
- Adeo
- Auchan Retail
- Bell
- BMW Group
- Boulanger
- GetYourGuide
- Klarna
- La Redoute
- Leroy Merlin
- NEXT Technologies
- Nuxeo
- Pipedrive
- BARMER
Many thanks to:
- JetBrains for their free OpenSource license.
- Apache, Apache Kafka, Kafka, and associated open source project names are trademarks of the Apache Software Foundation. AKHQ is not affiliated with, endorsed by, or otherwise associated with the Apache Software.
Apache 2.0 © tchiotludo