From 9711ba1bee9c5a6397245fbb73bd3cf9cd79866f Mon Sep 17 00:00:00 2001
From: Emanuele Sabellico <esabellico@confluent.io>
Date: Fri, 17 Jun 2022 12:29:10 +0200
Subject: [PATCH] KIP-140: ACL operations (#796)

Bindings for ACL operations:
CreateAcls
DescribeAcls
DeleteAcls
---
 CHANGELOG.md                                  |   1 +
 examples/.gitignore                           |   3 +
 examples/README.md                            |   3 +
 .../admin_create_acls/admin_create_acls.go    | 147 ++++
 .../admin_create_topic/admin_create_topic.go  |   9 +-
 .../admin_delete_acls/admin_delete_acls.go    | 147 ++++
 .../admin_delete_topics.go                    |   9 +-
 .../admin_describe_acls.go                    | 145 ++++
 .../admin_describe_config.go                  |  11 +-
 .../consumer_channel_example.go               |   9 +-
 examples/consumer_example/consumer_example.go |   9 +-
 .../consumer_offset_metadata.go               |  11 +-
 .../cooperative_consumer_example.go           |   9 +-
 .../idempotent_producer_example.go            |   9 +-
 .../oauthbearer_example.go                    |   9 +-
 .../producer_channel_example.go               |   9 +-
 examples/producer_example/producer_example.go |   9 +-
 examples/stats_example/stats_example.go       |   9 +-
 examples/transactions_example/generator.go    |   5 +-
 examples/transactions_example/processor.go    |   5 +-
 .../transactions_example.go                   |  11 +-
 examples/transactions_example/txnhelpers.go   |   5 +-
 examples/transactions_example/visualizer.go   |   7 +-
 kafka/adminapi.go                             | 587 +++++++++++++++
 kafka/adminapi_test.go                        | 348 +++++++++
 kafka/adminoptions.go                         |  33 +
 kafka/api.html                                | 680 ++++++++++++++++--
 kafka/error.go                                |  13 +-
 kafka/integration_test.go                     | 195 +++++
 29 files changed, 2328 insertions(+), 119 deletions(-)
 create mode 100644 examples/admin_create_acls/admin_create_acls.go
 create mode 100644 examples/admin_delete_acls/admin_delete_acls.go
 create mode 100644 examples/admin_describe_acls/admin_describe_acls.go

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6b93502f4..87c5fb1fc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@
 This is a feature release:
 
  * OAUTHBEARER OIDC support
+ * KIP-140 Admin API ACL support
  * Added MockCluster for functional testing of applications without the need
    for a real Kafka cluster (by @SourceFellows and @kkoehler, #729).
    See [examples/mock_cluster](examples/mock_cluster).
diff --git a/examples/.gitignore b/examples/.gitignore
index 408c6ca7b..001a47ba1 100644
--- a/examples/.gitignore
+++ b/examples/.gitignore
@@ -7,4 +7,7 @@ go-kafkacat/go-kafkacat
 admin_describe_config/admin_describe_config
 admin_delete_topics/admin_delete_topics
 admin_create_topic/admin_create_topic
+admin_create_acls/admin_create_acls
+admin_describe_acls/admin_describe_acls
+admin_delete_acls/admin_delete_acls
 stats_example/stats_example
diff --git a/examples/README.md b/examples/README.md
index 98776bc34..49b973636 100644
--- a/examples/README.md
+++ b/examples/README.md
@@ -1,6 +1,9 @@
 
 Examples:
 
+  admin_create_acls - Create Access Control Lists
+  admin_describe_acls - Find Access Control Lists using a filter
+  admin_delete_acls - Delete Access Control Lists using different filters
   consumer_channel_example - Channel based consumer
   consumer_example - Function & callback based consumer
   consumer_offset_metadata - Commit offset with metadata
diff --git a/examples/admin_create_acls/admin_create_acls.go b/examples/admin_create_acls/admin_create_acls.go
new file mode 100644
index 000000000..71b8bbf82
--- /dev/null
+++ b/examples/admin_create_acls/admin_create_acls.go
@@ -0,0 +1,147 @@
+// Create ACLs
+package main
+
+/**
+ * Copyright 2022 Confluent Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/confluentinc/confluent-kafka-go/kafka"
+)
+
+// Parses a list of 7n arguments to a slice of n ACLBinding
+func parseACLBindings(args []string) (aclBindings kafka.ACLBindings, err error) {
+	nACLBindings := len(args) / 7
+	parsedACLBindings := make(kafka.ACLBindings, nACLBindings)
+
+	for i := 0; i < nACLBindings; i++ {
+		start := i * 7
+		resourceTypeString := args[start]
+		name := args[start+1]
+		resourcePatternTypeString := args[start+2]
+		principal := args[start+3]
+		host := args[start+4]
+		operationString := args[start+5]
+		permissionTypeString := args[start+6]
+
+		resourceType, errParse := kafka.ResourceTypeFromString(resourceTypeString)
+		if errParse != nil {
+			err = errParse
+			fmt.Printf("Invalid resource type: %s: %v\n", resourceTypeString, err)
+			return
+		}
+
+		resourcePatternType, errParse := kafka.ResourcePatternTypeFromString(resourcePatternTypeString)
+		if errParse != nil {
+			err = errParse
+			fmt.Printf("Invalid resource pattern type: %s: %v\n", resourcePatternTypeString, err)
+			return
+		}
+
+		operation, errParse := kafka.ACLOperationFromString(operationString)
+		if errParse != nil {
+			err = errParse
+			fmt.Printf("Invalid operation: %s: %v\n", operationString, err)
+			return
+		}
+
+		permissionType, errParse := kafka.ACLPermissionTypeFromString(permissionTypeString)
+		if errParse != nil {
+			err = errParse
+			fmt.Printf("Invalid permission type: %s: %v\n", permissionTypeString, err)
+			return
+		}
+
+		parsedACLBindings[i] = kafka.ACLBinding{
+			Type:                resourceType,
+			Name:                name,
+			ResourcePatternType: resourcePatternType,
+			Principal:           principal,
+			Host:                host,
+			Operation:           operation,
+			PermissionType:      permissionType,
+		}
+	}
+	aclBindings = parsedACLBindings
+	return
+}
+
+func main() {
+
+	// 2 + 7n arguments to create n ACL bindings
+	nArgs := len(os.Args)
+	aclBindingArgs := nArgs - 2
+	if aclBindingArgs <= 0 || aclBindingArgs%7 != 0 {
+		fmt.Fprintf(os.Stderr,
+			"Usage: %s <bootstrap-servers> <resource-type1> <resource-name1> <resource-pattern-type1> "+
+				"<principal1> <host1> <operation1> <permission-type1> ...\n",
+			os.Args[0])
+		os.Exit(1)
+	}
+
+	bootstrapServers := os.Args[1]
+	aclBindings, err := parseACLBindings(os.Args[2:])
+	if err != nil {
+		os.Exit(1)
+	}
+
+	// Create a new AdminClient.
+	// AdminClient can also be instantiated using an existing
+	// Producer or Consumer instance, see NewAdminClientFromProducer and
+	// NewAdminClientFromConsumer.
+	a, err := kafka.NewAdminClient(&kafka.ConfigMap{"bootstrap.servers": bootstrapServers})
+	if err != nil {
+		fmt.Printf("Failed to create Admin client: %s\n", err)
+		os.Exit(1)
+	}
+
+	// Contexts are used to abort or limit the amount of time
+	// the Admin call blocks waiting for a result.
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	// Create ACLs on cluster.
+	// Set Admin options to wait for the request to finish (or at most 60s)
+	maxDur, err := time.ParseDuration("60s")
+	if err != nil {
+		panic("ParseDuration(60s)")
+	}
+	results, err := a.CreateACLs(
+		ctx,
+		aclBindings,
+		kafka.SetAdminRequestTimeout(maxDur),
+	)
+	if err != nil {
+		fmt.Printf("Failed to create ACLs: %v\n", err)
+		os.Exit(1)
+	}
+
+	// Print results
+	for i, result := range results {
+		if result.Error.Code() == kafka.ErrNoError {
+			fmt.Printf("CreateACLs %d successful\n", i)
+		} else {
+			fmt.Printf("CreateACLs %d failed, error code: %s, message: %s\n",
+				i, result.Error.Code(), result.Error.String())
+		}
+	}
+
+	a.Close()
+}
diff --git a/examples/admin_create_topic/admin_create_topic.go b/examples/admin_create_topic/admin_create_topic.go
index 3acda269d..864e4c6be 100644
--- a/examples/admin_create_topic/admin_create_topic.go
+++ b/examples/admin_create_topic/admin_create_topic.go
@@ -20,22 +20,23 @@ package main
 import (
 	"context"
 	"fmt"
-	"github.com/confluentinc/confluent-kafka-go/kafka"
 	"os"
 	"strconv"
 	"time"
+
+	"github.com/confluentinc/confluent-kafka-go/kafka"
 )
 
 func main() {
 
 	if len(os.Args) != 5 {
 		fmt.Fprintf(os.Stderr,
-			"Usage: %s <broker> <topic> <partition-count> <replication-factor>\n",
+			"Usage: %s <bootstrap-servers> <topic> <partition-count> <replication-factor>\n",
 			os.Args[0])
 		os.Exit(1)
 	}
 
-	broker := os.Args[1]
+	bootstrapServers := os.Args[1]
 	topic := os.Args[2]
 	numParts, err := strconv.Atoi(os.Args[3])
 	if err != nil {
@@ -52,7 +53,7 @@ func main() {
 	// AdminClient can also be instantiated using an existing
 	// Producer or Consumer instance, see NewAdminClientFromProducer and
 	// NewAdminClientFromConsumer.
-	a, err := kafka.NewAdminClient(&kafka.ConfigMap{"bootstrap.servers": broker})
+	a, err := kafka.NewAdminClient(&kafka.ConfigMap{"bootstrap.servers": bootstrapServers})
 	if err != nil {
 		fmt.Printf("Failed to create Admin client: %s\n", err)
 		os.Exit(1)
diff --git a/examples/admin_delete_acls/admin_delete_acls.go b/examples/admin_delete_acls/admin_delete_acls.go
new file mode 100644
index 000000000..11802090f
--- /dev/null
+++ b/examples/admin_delete_acls/admin_delete_acls.go
@@ -0,0 +1,147 @@
+// Delete ACLs
+package main
+
+/**
+ * Copyright 2022 Confluent Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/confluentinc/confluent-kafka-go/kafka"
+)
+
+// Parses a list of 7n arguments to a slice of n ACLBindingFilter
+func parseACLBindingFilters(args []string) (aclBindingFilters kafka.ACLBindingFilters, err error) {
+	nACLBindingFilters := len(args) / 7
+	parsedACLBindingFilters := make(kafka.ACLBindingFilters, nACLBindingFilters)
+
+	for i := 0; i < nACLBindingFilters; i++ {
+		start := i * 7
+		resourceTypeString := args[start]
+		name := args[start+1]
+		resourcePatternTypeString := args[start+2]
+		principal := args[start+3]
+		host := args[start+4]
+		operationString := args[start+5]
+		permissionTypeString := args[start+6]
+
+		var resourceType kafka.ResourceType
+		var resourcePatternType kafka.ResourcePatternType
+		var operation kafka.ACLOperation
+		var permissionType kafka.ACLPermissionType
+
+		resourceType, err = kafka.ResourceTypeFromString(resourceTypeString)
+		if err != nil {
+			fmt.Printf("Invalid resource type: %s: %v\n", resourceTypeString, err)
+			return
+		}
+		resourcePatternType, err = kafka.ResourcePatternTypeFromString(resourcePatternTypeString)
+		if err != nil {
+			fmt.Printf("Invalid resource pattern type: %s: %v\n", resourcePatternTypeString, err)
+			return
+		}
+
+		operation, err = kafka.ACLOperationFromString(operationString)
+		if err != nil {
+			fmt.Printf("Invalid operation: %s: %v\n", operationString, err)
+			return
+		}
+
+		permissionType, err = kafka.ACLPermissionTypeFromString(permissionTypeString)
+		if err != nil {
+			fmt.Printf("Invalid permission type: %s: %v\n", permissionTypeString, err)
+			return
+		}
+
+		parsedACLBindingFilters[i] = kafka.ACLBindingFilter{
+			Type:                resourceType,
+			Name:                name,
+			ResourcePatternType: resourcePatternType,
+			Principal:           principal,
+			Host:                host,
+			Operation:           operation,
+			PermissionType:      permissionType,
+		}
+	}
+	aclBindingFilters = parsedACLBindingFilters
+	return
+}
+
+func main() {
+
+	// 2 + 7n arguments to create n ACL binding filters
+	nArgs := len(os.Args)
+	aclBindingFilterArgs := nArgs - 2
+	if aclBindingFilterArgs <= 0 || aclBindingFilterArgs%7 != 0 {
+		fmt.Fprintf(os.Stderr,
+			"Usage: %s <bootstrap-servers> <resource-type1> <resource-name1> <resource-pattern-type1> "+
+				"<principal1> <host1> <operation1> <permission-type1> ...\n",
+			os.Args[0])
+		os.Exit(1)
+	}
+
+	bootstrapServers := os.Args[1]
+	aclBindingFilters, err := parseACLBindingFilters(os.Args[2:])
+	if err != nil {
+		os.Exit(1)
+	}
+
+	// Create a new AdminClient.
+	// AdminClient can also be instantiated using an existing
+	// Producer or Consumer instance, see NewAdminClientFromProducer and
+	// NewAdminClientFromConsumer.
+	a, err := kafka.NewAdminClient(&kafka.ConfigMap{"bootstrap.servers": bootstrapServers})
+	if err != nil {
+		fmt.Printf("Failed to create Admin client: %s\n", err)
+		os.Exit(1)
+	}
+
+	// Contexts are used to abort or limit the amount of time
+	// the Admin call blocks waiting for a result.
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	// Create ACLs on cluster.
+	// Set Admin options to wait for the request to finish (or at most 60s)
+	maxDur, err := time.ParseDuration("60s")
+	if err != nil {
+		panic("ParseDuration(60s)")
+	}
+	results, err := a.DeleteACLs(
+		ctx,
+		aclBindingFilters,
+		kafka.SetAdminRequestTimeout(maxDur),
+	)
+	if err != nil {
+		fmt.Printf("Failed to delete ACLs: %v\n", err)
+		os.Exit(1)
+	}
+
+	// Print results
+	for i, result := range results {
+		if result.Error.Code() == kafka.ErrNoError {
+			fmt.Printf("DeleteACLs %d successful, deleted: %+v\n", i, result.ACLBindings)
+		} else {
+			fmt.Printf("DeleteACLs %d failed, error code: %s, message: %s\n",
+				i, result.Error.Code(), result.Error.String())
+		}
+	}
+
+	a.Close()
+}
diff --git a/examples/admin_delete_topics/admin_delete_topics.go b/examples/admin_delete_topics/admin_delete_topics.go
index ac8120694..e944fe8e0 100644
--- a/examples/admin_delete_topics/admin_delete_topics.go
+++ b/examples/admin_delete_topics/admin_delete_topics.go
@@ -20,28 +20,29 @@ package main
 import (
 	"context"
 	"fmt"
-	"github.com/confluentinc/confluent-kafka-go/kafka"
 	"os"
 	"time"
+
+	"github.com/confluentinc/confluent-kafka-go/kafka"
 )
 
 func main() {
 
 	if len(os.Args) < 3 {
 		fmt.Fprintf(os.Stderr,
-			"Usage: %s <broker> <topic1> <topic2> ..\n",
+			"Usage: %s <bootstrap-servers> <topic1> <topic2> ..\n",
 			os.Args[0])
 		os.Exit(1)
 	}
 
-	broker := os.Args[1]
+	bootstrapServers := os.Args[1]
 	topics := os.Args[2:]
 
 	// Create a new AdminClient.
 	// AdminClient can also be instantiated using an existing
 	// Producer or Consumer instance, see NewAdminClientFromProducer and
 	// NewAdminClientFromConsumer.
-	a, err := kafka.NewAdminClient(&kafka.ConfigMap{"bootstrap.servers": broker})
+	a, err := kafka.NewAdminClient(&kafka.ConfigMap{"bootstrap.servers": bootstrapServers})
 	if err != nil {
 		fmt.Printf("Failed to create Admin client: %s\n", err)
 		os.Exit(1)
diff --git a/examples/admin_describe_acls/admin_describe_acls.go b/examples/admin_describe_acls/admin_describe_acls.go
new file mode 100644
index 000000000..9a52bef4e
--- /dev/null
+++ b/examples/admin_describe_acls/admin_describe_acls.go
@@ -0,0 +1,145 @@
+// Describe ACLs
+package main
+
+/**
+ * Copyright 2022 Confluent Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/confluentinc/confluent-kafka-go/kafka"
+)
+
+// Parses a list of 7n arguments to a slice of n ACLBindingFilter
+func parseACLBindingFilters(args []string) (aclBindingFilters kafka.ACLBindingFilters, err error) {
+	nACLBindingFilters := len(args) / 7
+	parsedACLBindingFilters := make(kafka.ACLBindingFilters, nACLBindingFilters)
+
+	for i := 0; i < nACLBindingFilters; i++ {
+		start := i * 7
+		resourceTypeString := args[start]
+		name := args[start+1]
+		resourcePatternTypeString := args[start+2]
+		principal := args[start+3]
+		host := args[start+4]
+		operationString := args[start+5]
+		permissionTypeString := args[start+6]
+
+		var resourceType kafka.ResourceType
+		var resourcePatternType kafka.ResourcePatternType
+		var operation kafka.ACLOperation
+		var permissionType kafka.ACLPermissionType
+
+		resourceType, err = kafka.ResourceTypeFromString(resourceTypeString)
+		if err != nil {
+			fmt.Printf("Invalid resource type: %s: %v\n", resourceTypeString, err)
+			return
+		}
+		resourcePatternType, err = kafka.ResourcePatternTypeFromString(resourcePatternTypeString)
+		if err != nil {
+			fmt.Printf("Invalid resource pattern type: %s: %v\n", resourcePatternTypeString, err)
+			return
+		}
+
+		operation, err = kafka.ACLOperationFromString(operationString)
+		if err != nil {
+			fmt.Printf("Invalid operation: %s: %v\n", operationString, err)
+			return
+		}
+
+		permissionType, err = kafka.ACLPermissionTypeFromString(permissionTypeString)
+		if err != nil {
+			fmt.Printf("Invalid permission type: %s: %v\n", permissionTypeString, err)
+			return
+		}
+
+		parsedACLBindingFilters[i] = kafka.ACLBindingFilter{
+			Type:                resourceType,
+			Name:                name,
+			ResourcePatternType: resourcePatternType,
+			Principal:           principal,
+			Host:                host,
+			Operation:           operation,
+			PermissionType:      permissionType,
+		}
+	}
+	aclBindingFilters = parsedACLBindingFilters
+	return
+}
+
+func main() {
+
+	// 2 + 7 arguments to create an ACL binding filter
+	nArgs := len(os.Args)
+	aclBindingFilterArgs := nArgs - 2
+	if aclBindingFilterArgs != 7 {
+		fmt.Fprintf(os.Stderr,
+			"Usage: %s <bootstrap-servers> <resource-type> <resource-name> <resource-pattern-type> "+
+				"<principal> <host> <operation> <permission-type> ...\n",
+			os.Args[0])
+		os.Exit(1)
+	}
+
+	bootstrapServers := os.Args[1]
+	aclBindingFilters, err := parseACLBindingFilters(os.Args[2:])
+	if err != nil {
+		os.Exit(1)
+	}
+
+	// Create a new AdminClient.
+	// AdminClient can also be instantiated using an existing
+	// Producer or Consumer instance, see NewAdminClientFromProducer and
+	// NewAdminClientFromConsumer.
+	a, err := kafka.NewAdminClient(&kafka.ConfigMap{"bootstrap.servers": bootstrapServers})
+	if err != nil {
+		fmt.Printf("Failed to create Admin client: %s\n", err)
+		os.Exit(1)
+	}
+
+	// Contexts are used to abort or limit the amount of time
+	// the Admin call blocks waiting for a result.
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	// Describe ACLs on cluster.
+	// Set Admin options to wait for the request to finish (or at most 60s)
+	maxDur, err := time.ParseDuration("60s")
+	if err != nil {
+		panic("ParseDuration(60s)")
+	}
+	result, err := a.DescribeACLs(
+		ctx,
+		aclBindingFilters[0],
+		kafka.SetAdminRequestTimeout(maxDur),
+	)
+	if err != nil {
+		fmt.Printf("Failed to describe ACLs: %v\n", err)
+		os.Exit(1)
+	}
+
+	// Print results
+	if result.Error.Code() == kafka.ErrNoError {
+		fmt.Printf("DescribeACLs successful, result: %+v\n", result.ACLBindings)
+	} else {
+		fmt.Printf("DescribeACLs failed, error code: %s, message: %s\n",
+			result.Error.Code(), result.Error.String())
+	}
+
+	a.Close()
+}
diff --git a/examples/admin_describe_config/admin_describe_config.go b/examples/admin_describe_config/admin_describe_config.go
index 3963584a3..f4e08f296 100644
--- a/examples/admin_describe_config/admin_describe_config.go
+++ b/examples/admin_describe_config/admin_describe_config.go
@@ -20,25 +20,26 @@ package main
 import (
 	"context"
 	"fmt"
-	"github.com/confluentinc/confluent-kafka-go/kafka"
 	"os"
 	"time"
+
+	"github.com/confluentinc/confluent-kafka-go/kafka"
 )
 
 func main() {
 
 	if len(os.Args) != 4 {
 		fmt.Fprintf(os.Stderr,
-			"Usage: %s <broker> <resource-type> <resource-name>\n"+
+			"Usage: %s <bootstrap-servers> <resource-type> <resource-name>\n"+
 				"\n"+
-				" <broker> - CSV list of bootstrap brokers\n"+
+				" <bootstrap-servers> - CSV list of bootstrap brokers\n"+
 				" <resource-type> - any, broker, topic, group\n"+
 				" <resource-name> - broker id or topic name\n",
 			os.Args[0])
 		os.Exit(1)
 	}
 
-	broker := os.Args[1]
+	bootstrapServers := os.Args[1]
 	resourceType, err := kafka.ResourceTypeFromString(os.Args[2])
 	if err != nil {
 		fmt.Printf("Invalid resource type: %s\n", os.Args[2])
@@ -50,7 +51,7 @@ func main() {
 	// AdminClient can also be instantiated using an existing
 	// Producer or Consumer instance, see NewAdminClientFromProducer and
 	// NewAdminClientFromConsumer.
-	a, err := kafka.NewAdminClient(&kafka.ConfigMap{"bootstrap.servers": broker})
+	a, err := kafka.NewAdminClient(&kafka.ConfigMap{"bootstrap.servers": bootstrapServers})
 	if err != nil {
 		fmt.Printf("Failed to create Admin client: %s\n", err)
 		os.Exit(1)
diff --git a/examples/consumer_channel_example/consumer_channel_example.go b/examples/consumer_channel_example/consumer_channel_example.go
index a1b2c1ed4..c2304657f 100644
--- a/examples/consumer_channel_example/consumer_channel_example.go
+++ b/examples/consumer_channel_example/consumer_channel_example.go
@@ -19,21 +19,22 @@ package main
 
 import (
 	"fmt"
-	"github.com/confluentinc/confluent-kafka-go/kafka"
 	"os"
 	"os/signal"
 	"syscall"
+
+	"github.com/confluentinc/confluent-kafka-go/kafka"
 )
 
 func main() {
 
 	if len(os.Args) < 4 {
-		fmt.Fprintf(os.Stderr, "Usage: %s <broker> <group> <topics..>\n",
+		fmt.Fprintf(os.Stderr, "Usage: %s <bootstrap-servers> <group> <topics..>\n",
 			os.Args[0])
 		os.Exit(1)
 	}
 
-	broker := os.Args[1]
+	bootstrapServers := os.Args[1]
 	group := os.Args[2]
 	topics := os.Args[3:]
 
@@ -41,7 +42,7 @@ func main() {
 	signal.Notify(sigchan, syscall.SIGINT, syscall.SIGTERM)
 
 	c, err := kafka.NewConsumer(&kafka.ConfigMap{
-		"bootstrap.servers":               broker,
+		"bootstrap.servers":               bootstrapServers,
 		"group.id":                        group,
 		"session.timeout.ms":              6000,
 		"go.events.channel.enable":        true,
diff --git a/examples/consumer_example/consumer_example.go b/examples/consumer_example/consumer_example.go
index a0157b664..ee3b2882a 100644
--- a/examples/consumer_example/consumer_example.go
+++ b/examples/consumer_example/consumer_example.go
@@ -22,28 +22,29 @@ package main
 
 import (
 	"fmt"
-	"github.com/confluentinc/confluent-kafka-go/kafka"
 	"os"
 	"os/signal"
 	"syscall"
+
+	"github.com/confluentinc/confluent-kafka-go/kafka"
 )
 
 func main() {
 
 	if len(os.Args) < 4 {
-		fmt.Fprintf(os.Stderr, "Usage: %s <broker> <group> <topics..>\n",
+		fmt.Fprintf(os.Stderr, "Usage: %s <bootstrap-servers> <group> <topics..>\n",
 			os.Args[0])
 		os.Exit(1)
 	}
 
-	broker := os.Args[1]
+	bootstrapServers := os.Args[1]
 	group := os.Args[2]
 	topics := os.Args[3:]
 	sigchan := make(chan os.Signal, 1)
 	signal.Notify(sigchan, syscall.SIGINT, syscall.SIGTERM)
 
 	c, err := kafka.NewConsumer(&kafka.ConfigMap{
-		"bootstrap.servers": broker,
+		"bootstrap.servers": bootstrapServers,
 		// Avoid connecting to IPv6 brokers:
 		// This is needed for the ErrAllBrokersDown show-case below
 		// when using localhost brokers on OSX, since the OSX resolver
diff --git a/examples/consumer_offset_metadata/consumer_offset_metadata.go b/examples/consumer_offset_metadata/consumer_offset_metadata.go
index 9f678a6a6..3f059ad0c 100644
--- a/examples/consumer_offset_metadata/consumer_offset_metadata.go
+++ b/examples/consumer_offset_metadata/consumer_offset_metadata.go
@@ -23,22 +23,23 @@ package main
 
 import (
 	"fmt"
-	"github.com/confluentinc/confluent-kafka-go/kafka"
 	"os"
 	"strconv"
+
+	"github.com/confluentinc/confluent-kafka-go/kafka"
 )
 
 func main() {
 
 	if len(os.Args) != 7 && len(os.Args) != 5 {
 		fmt.Fprintf(os.Stderr, `Usage:
-- commit offset with metadata: %s <broker> <group> <topic> <partition> <offset> "<metadata>"
-- show partition offset: %s <broker> <group> <topic> <partition>`,
+- commit offset with metadata: %s <bootstrap-servers> <group> <topic> <partition> <offset> "<metadata>"
+- show partition offset: %s <bootstrap-servers> <group> <topic> <partition>`,
 			os.Args[0], os.Args[0])
 		os.Exit(1)
 	}
 
-	broker := os.Args[1]
+	bootstrapServers := os.Args[1]
 	group := os.Args[2]
 	topic := os.Args[3]
 	partition, err := strconv.Atoi(os.Args[4])
@@ -48,7 +49,7 @@ func main() {
 	}
 
 	c, err := kafka.NewConsumer(&kafka.ConfigMap{
-		"bootstrap.servers": broker,
+		"bootstrap.servers": bootstrapServers,
 		"group.id":          group,
 	})
 
diff --git a/examples/cooperative_consumer_example/cooperative_consumer_example.go b/examples/cooperative_consumer_example/cooperative_consumer_example.go
index d63be047e..2facabfa6 100644
--- a/examples/cooperative_consumer_example/cooperative_consumer_example.go
+++ b/examples/cooperative_consumer_example/cooperative_consumer_example.go
@@ -21,28 +21,29 @@ package main
 
 import (
 	"fmt"
-	"github.com/confluentinc/confluent-kafka-go/kafka"
 	"os"
 	"os/signal"
 	"syscall"
+
+	"github.com/confluentinc/confluent-kafka-go/kafka"
 )
 
 func main() {
 
 	if len(os.Args) < 4 {
-		fmt.Fprintf(os.Stderr, "Usage: %s <broker> <group> <topics..>\n",
+		fmt.Fprintf(os.Stderr, "Usage: %s <bootstrap-servers> <group> <topics..>\n",
 			os.Args[0])
 		os.Exit(1)
 	}
 
-	broker := os.Args[1]
+	bootstrapServers := os.Args[1]
 	group := os.Args[2]
 	topics := os.Args[3:]
 	sigchan := make(chan os.Signal, 1)
 	signal.Notify(sigchan, syscall.SIGINT, syscall.SIGTERM)
 
 	c, err := kafka.NewConsumer(&kafka.ConfigMap{
-		"bootstrap.servers": broker,
+		"bootstrap.servers": bootstrapServers,
 		// Avoid connecting to IPv6 brokers:
 		// This is needed for the ErrAllBrokersDown show-case below
 		// when using localhost brokers on OSX, since the OSX resolver
diff --git a/examples/idempotent_producer_example/idempotent_producer_example.go b/examples/idempotent_producer_example/idempotent_producer_example.go
index a95f551f8..c20f2f969 100644
--- a/examples/idempotent_producer_example/idempotent_producer_example.go
+++ b/examples/idempotent_producer_example/idempotent_producer_example.go
@@ -29,9 +29,10 @@ package main
 
 import (
 	"fmt"
-	"github.com/confluentinc/confluent-kafka-go/kafka"
 	"os"
 	"time"
+
+	"github.com/confluentinc/confluent-kafka-go/kafka"
 )
 
 var run = true
@@ -39,16 +40,16 @@ var run = true
 func main() {
 
 	if len(os.Args) != 3 {
-		fmt.Fprintf(os.Stderr, "Usage: %s <broker> <topic>\n",
+		fmt.Fprintf(os.Stderr, "Usage: %s <bootstrap-servers> <topic>\n",
 			os.Args[0])
 		os.Exit(1)
 	}
 
-	broker := os.Args[1]
+	bootstrapServers := os.Args[1]
 	topic := os.Args[2]
 
 	p, err := kafka.NewProducer(&kafka.ConfigMap{
-		"bootstrap.servers": broker,
+		"bootstrap.servers": bootstrapServers,
 		// Enable the Idempotent Producer
 		"enable.idempotence": true})
 
diff --git a/examples/oauthbearer_example/oauthbearer_example.go b/examples/oauthbearer_example/oauthbearer_example.go
index e0a708508..0db48d2a6 100644
--- a/examples/oauthbearer_example/oauthbearer_example.go
+++ b/examples/oauthbearer_example/oauthbearer_example.go
@@ -21,10 +21,11 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
-	"github.com/confluentinc/confluent-kafka-go/kafka"
 	"os"
 	"regexp"
 	"time"
+
+	"github.com/confluentinc/confluent-kafka-go/kafka"
 )
 
 var (
@@ -116,17 +117,17 @@ func retrieveUnsecuredToken(e kafka.OAuthBearerTokenRefresh) (kafka.OAuthBearerT
 func main() {
 
 	if len(os.Args) != 3 {
-		fmt.Fprintf(os.Stderr, "Usage: %s <broker> \"[principalClaimName=<claimName>] principal=<value>\"\n", os.Args[0])
+		fmt.Fprintf(os.Stderr, "Usage: %s <bootstrap-servers> \"[principalClaimName=<claimName>] principal=<value>\"\n", os.Args[0])
 		os.Exit(1)
 	}
 
-	broker := os.Args[1]
+	bootstrapServers := os.Args[1]
 	oauthConf := os.Args[2]
 
 	// You'll probably need to modify this configuration to
 	// match your environment.
 	config := kafka.ConfigMap{
-		"bootstrap.servers":       broker,
+		"bootstrap.servers":       bootstrapServers,
 		"security.protocol":       "SASL_PLAINTEXT",
 		"sasl.mechanisms":         "OAUTHBEARER",
 		"sasl.oauthbearer.config": oauthConf,
diff --git a/examples/producer_channel_example/producer_channel_example.go b/examples/producer_channel_example/producer_channel_example.go
index c06dc9251..5b7e18135 100644
--- a/examples/producer_channel_example/producer_channel_example.go
+++ b/examples/producer_channel_example/producer_channel_example.go
@@ -19,22 +19,23 @@ package main
 
 import (
 	"fmt"
-	"github.com/confluentinc/confluent-kafka-go/kafka"
 	"os"
+
+	"github.com/confluentinc/confluent-kafka-go/kafka"
 )
 
 func main() {
 
 	if len(os.Args) != 3 {
-		fmt.Fprintf(os.Stderr, "Usage: %s <broker> <topic>\n",
+		fmt.Fprintf(os.Stderr, "Usage: %s <bootstrap-servers> <topic>\n",
 			os.Args[0])
 		os.Exit(1)
 	}
 
-	broker := os.Args[1]
+	bootstrapServers := os.Args[1]
 	topic := os.Args[2]
 
-	p, err := kafka.NewProducer(&kafka.ConfigMap{"bootstrap.servers": broker})
+	p, err := kafka.NewProducer(&kafka.ConfigMap{"bootstrap.servers": bootstrapServers})
 
 	if err != nil {
 		fmt.Printf("Failed to create producer: %s\n", err)
diff --git a/examples/producer_example/producer_example.go b/examples/producer_example/producer_example.go
index 62c284144..6751e14aa 100644
--- a/examples/producer_example/producer_example.go
+++ b/examples/producer_example/producer_example.go
@@ -19,22 +19,23 @@ package main
 
 import (
 	"fmt"
-	"github.com/confluentinc/confluent-kafka-go/kafka"
 	"os"
+
+	"github.com/confluentinc/confluent-kafka-go/kafka"
 )
 
 func main() {
 
 	if len(os.Args) != 3 {
-		fmt.Fprintf(os.Stderr, "Usage: %s <broker> <topic>\n",
+		fmt.Fprintf(os.Stderr, "Usage: %s <bootstrap-servers> <topic>\n",
 			os.Args[0])
 		os.Exit(1)
 	}
 
-	broker := os.Args[1]
+	bootstrapServers := os.Args[1]
 	topic := os.Args[2]
 
-	p, err := kafka.NewProducer(&kafka.ConfigMap{"bootstrap.servers": broker})
+	p, err := kafka.NewProducer(&kafka.ConfigMap{"bootstrap.servers": bootstrapServers})
 
 	if err != nil {
 		fmt.Printf("Failed to create producer: %s\n", err)
diff --git a/examples/stats_example/stats_example.go b/examples/stats_example/stats_example.go
index cd795efe8..9d186a6d4 100644
--- a/examples/stats_example/stats_example.go
+++ b/examples/stats_example/stats_example.go
@@ -24,28 +24,29 @@ package main
 import (
 	"encoding/json"
 	"fmt"
-	"github.com/confluentinc/confluent-kafka-go/kafka"
 	"os"
 	"os/signal"
 	"syscall"
+
+	"github.com/confluentinc/confluent-kafka-go/kafka"
 )
 
 func main() {
 
 	if len(os.Args) < 4 {
-		fmt.Fprintf(os.Stderr, "Usage: %s <broker> <group> <topics..>\n",
+		fmt.Fprintf(os.Stderr, "Usage: %s <bootstrap-servers> <group> <topics..>\n",
 			os.Args[0])
 		os.Exit(1)
 	}
 
-	broker := os.Args[1]
+	bootstrapServers := os.Args[1]
 	group := os.Args[2]
 	topics := os.Args[3:]
 	sigchan := make(chan os.Signal, 1)
 	signal.Notify(sigchan, syscall.SIGINT, syscall.SIGTERM)
 
 	c, err := kafka.NewConsumer(&kafka.ConfigMap{
-		"bootstrap.servers":  broker,
+		"bootstrap.servers":  bootstrapServers,
 		"group.id":           group,
 		"session.timeout.ms": 6000,
 		"auto.offset.reset":  "earliest",
diff --git a/examples/transactions_example/generator.go b/examples/transactions_example/generator.go
index 95296e3b5..d2184da6c 100644
--- a/examples/transactions_example/generator.go
+++ b/examples/transactions_example/generator.go
@@ -22,10 +22,11 @@ package main
 
 import (
 	"fmt"
-	"github.com/confluentinc/confluent-kafka-go/kafka"
 	"math/rand"
 	"sync"
 	"time"
+
+	"github.com/confluentinc/confluent-kafka-go/kafka"
 )
 
 // Intersections this application will process.
@@ -75,7 +76,7 @@ func generateInputMessages(wg *sync.WaitGroup, termChan chan bool) {
 
 	config := &kafka.ConfigMap{
 		"client.id":              "generator",
-		"bootstrap.servers":      brokers,
+		"bootstrap.servers":      bootstrapServers,
 		"enable.idempotence":     true,
 		"go.logs.channel.enable": true,
 		"go.logs.channel":        logsChan,
diff --git a/examples/transactions_example/processor.go b/examples/transactions_example/processor.go
index 201c25745..495e01cfa 100644
--- a/examples/transactions_example/processor.go
+++ b/examples/transactions_example/processor.go
@@ -24,9 +24,10 @@ package main
 import (
 	"encoding/json"
 	"fmt"
-	"github.com/confluentinc/confluent-kafka-go/kafka"
 	"sync"
 	"time"
+
+	"github.com/confluentinc/confluent-kafka-go/kafka"
 )
 
 // The processor's consumer group id.
@@ -267,7 +268,7 @@ func trafficLightProcessor(wg *sync.WaitGroup, termChan chan bool) {
 
 	consumerConfig := &kafka.ConfigMap{
 		"client.id":         "processor",
-		"bootstrap.servers": brokers,
+		"bootstrap.servers": bootstrapServers,
 		"group.id":          processorGroupID,
 		"auto.offset.reset": "earliest",
 		// Consumer used for input to a transactional processor
diff --git a/examples/transactions_example/transactions_example.go b/examples/transactions_example/transactions_example.go
index 447fe9fb1..af1450cbe 100644
--- a/examples/transactions_example/transactions_example.go
+++ b/examples/transactions_example/transactions_example.go
@@ -20,13 +20,14 @@ package main
 
 import (
 	"fmt"
-	"github.com/confluentinc/confluent-kafka-go/kafka"
 	"math/rand"
 	"os"
 	"os/signal"
 	"sync"
 	"syscall"
 	"time"
+
+	"github.com/confluentinc/confluent-kafka-go/kafka"
 )
 
 // Set to false to disable visualization, useful for troubleshooting.
@@ -36,8 +37,8 @@ var withVisualizer = true
 var inputTopic = "go-transactions-example-ingress-cars"
 var outputTopic = "go-transactions-example-traffic-light-states"
 
-// brokers holds the bootstrap servers
-var brokers string
+// bootstrapServers holds the bootstrap servers
+var bootstrapServers string
 
 // logsChan is the common log channel for all Kafka client instances.
 var logsChan chan kafka.LogEvent
@@ -65,11 +66,11 @@ func logReader(wg *sync.WaitGroup, termChan chan bool) {
 
 func main() {
 	if len(os.Args) != 2 {
-		fmt.Fprintf(os.Stderr, "Usage: %s <broker>\n", os.Args[0])
+		fmt.Fprintf(os.Stderr, "Usage: %s <bootstrap-servers>\n", os.Args[0])
 		os.Exit(1)
 	}
 
-	brokers = os.Args[1]
+	bootstrapServers = os.Args[1]
 
 	rand.Seed(time.Now().Unix())
 
diff --git a/examples/transactions_example/txnhelpers.go b/examples/transactions_example/txnhelpers.go
index 6a5055477..09de2c7f4 100644
--- a/examples/transactions_example/txnhelpers.go
+++ b/examples/transactions_example/txnhelpers.go
@@ -21,8 +21,9 @@ package main
 import (
 	"context"
 	"fmt"
-	"github.com/confluentinc/confluent-kafka-go/kafka"
 	"time"
+
+	"github.com/confluentinc/confluent-kafka-go/kafka"
 )
 
 // createTransactionalProducer creates a transactional producer for the given
@@ -30,7 +31,7 @@ import (
 func createTransactionalProducer(toppar kafka.TopicPartition) error {
 	producerConfig := &kafka.ConfigMap{
 		"client.id":              fmt.Sprintf("txn-p%d", toppar.Partition),
-		"bootstrap.servers":      brokers,
+		"bootstrap.servers":      bootstrapServers,
 		"transactional.id":       fmt.Sprintf("go-transactions-example-p%d", int(toppar.Partition)),
 		"go.logs.channel.enable": true,
 		"go.logs.channel":        logsChan,
diff --git a/examples/transactions_example/visualizer.go b/examples/transactions_example/visualizer.go
index 260f02d79..04c8610ac 100644
--- a/examples/transactions_example/visualizer.go
+++ b/examples/transactions_example/visualizer.go
@@ -23,12 +23,13 @@ package main
 import (
 	"encoding/json"
 	"fmt"
-	"github.com/confluentinc/confluent-kafka-go/kafka"
-	"github.com/gdamore/tcell"
 	"os"
 	"sort"
 	"sync"
 	"time"
+
+	"github.com/confluentinc/confluent-kafka-go/kafka"
+	"github.com/gdamore/tcell"
 )
 
 // Height and width (terminal characters) per intersection frame.
@@ -331,7 +332,7 @@ func trafficLightVisualizer(wg *sync.WaitGroup, termChan chan bool) {
 
 	consumerConfig := &kafka.ConfigMap{
 		"client.id":              "visualizer",
-		"bootstrap.servers":      brokers,
+		"bootstrap.servers":      bootstrapServers,
 		"group.id":               processorGroupID + "_visualizer",
 		"auto.offset.reset":      "earliest",
 		"go.logs.channel.enable": true,
diff --git a/kafka/adminapi.go b/kafka/adminapi.go
index ef3b31d55..e4371eed5 100644
--- a/kafka/adminapi.go
+++ b/kafka/adminapi.go
@@ -48,6 +48,27 @@ ConfigEntry_by_idx (const rd_kafka_ConfigEntry_t **entries, size_t cnt, size_t i
       return NULL;
     return entries[idx];
 }
+
+static const rd_kafka_acl_result_t *
+acl_result_by_idx (const rd_kafka_acl_result_t **acl_results, size_t cnt, size_t idx) {
+    if (idx >= cnt)
+      return NULL;
+    return acl_results[idx];
+}
+
+static const rd_kafka_DeleteAcls_result_response_t *
+DeleteAcls_result_response_by_idx (const rd_kafka_DeleteAcls_result_response_t **delete_acls_result_responses, size_t cnt, size_t idx) {
+    if (idx >= cnt)
+      return NULL;
+    return delete_acls_result_responses[idx];
+}
+
+static const rd_kafka_AclBinding_t *
+AclBinding_by_idx (const rd_kafka_AclBinding_t **acl_bindings, size_t cnt, size_t idx) {
+    if (idx >= cnt)
+      return NULL;
+    return acl_bindings[idx];
+}
 */
 import "C"
 
@@ -312,6 +333,225 @@ func (c ConfigResourceResult) String() string {
 	return fmt.Sprintf("ResourceResult(%s, %s, %d config(s))", c.Type, c.Name, len(c.Config))
 }
 
+// ResourcePatternType enumerates the different types of Kafka resource patterns.
+type ResourcePatternType int
+
+const (
+	// ResourcePatternTypeUnknown is a resource pattern type not known or not set.
+	ResourcePatternTypeUnknown = ResourcePatternType(C.RD_KAFKA_RESOURCE_PATTERN_UNKNOWN)
+	// ResourcePatternTypeAny matches any resource, used for lookups.
+	ResourcePatternTypeAny = ResourcePatternType(C.RD_KAFKA_RESOURCE_PATTERN_ANY)
+	// ResourcePatternTypeMatch will perform pattern matching
+	ResourcePatternTypeMatch = ResourcePatternType(C.RD_KAFKA_RESOURCE_PATTERN_MATCH)
+	// ResourcePatternTypeLiteral matches a literal resource name
+	ResourcePatternTypeLiteral = ResourcePatternType(C.RD_KAFKA_RESOURCE_PATTERN_LITERAL)
+	// ResourcePatternTypePrefixed matches a prefixed resource name
+	ResourcePatternTypePrefixed = ResourcePatternType(C.RD_KAFKA_RESOURCE_PATTERN_PREFIXED)
+)
+
+// String returns the human-readable representation of a ResourcePatternType
+func (t ResourcePatternType) String() string {
+	return C.GoString(C.rd_kafka_ResourcePatternType_name(C.rd_kafka_ResourcePatternType_t(t)))
+}
+
+// ResourcePatternTypeFromString translates a resource pattern type name to
+// a ResourcePatternType value.
+func ResourcePatternTypeFromString(patternTypeString string) (ResourcePatternType, error) {
+	switch strings.ToUpper(patternTypeString) {
+	case "ANY":
+		return ResourcePatternTypeAny, nil
+	case "MATCH":
+		return ResourcePatternTypeMatch, nil
+	case "LITERAL":
+		return ResourcePatternTypeLiteral, nil
+	case "PREFIXED":
+		return ResourcePatternTypePrefixed, nil
+	default:
+		return ResourcePatternTypeUnknown, NewError(ErrInvalidArg, "Unknown resource pattern type", false)
+	}
+}
+
+// ACLOperation enumerates the different types of ACL operation.
+type ACLOperation int
+
+const (
+	// ACLOperationUnknown represents an unknown or unset operation
+	ACLOperationUnknown = ACLOperation(C.RD_KAFKA_ACL_OPERATION_UNKNOWN)
+	// ACLOperationAny in a filter, matches any ACLOperation
+	ACLOperationAny = ACLOperation(C.RD_KAFKA_ACL_OPERATION_ANY)
+	// ACLOperationAll represents all the operations
+	ACLOperationAll = ACLOperation(C.RD_KAFKA_ACL_OPERATION_ALL)
+	// ACLOperationRead a read operation
+	ACLOperationRead = ACLOperation(C.RD_KAFKA_ACL_OPERATION_READ)
+	// ACLOperationWrite represents a write operation
+	ACLOperationWrite = ACLOperation(C.RD_KAFKA_ACL_OPERATION_WRITE)
+	// ACLOperationCreate represents a create operation
+	ACLOperationCreate = ACLOperation(C.RD_KAFKA_ACL_OPERATION_CREATE)
+	// ACLOperationDelete represents a delete operation
+	ACLOperationDelete = ACLOperation(C.RD_KAFKA_ACL_OPERATION_DELETE)
+	// ACLOperationAlter represents an alter operation
+	ACLOperationAlter = ACLOperation(C.RD_KAFKA_ACL_OPERATION_ALTER)
+	// ACLOperationDescribe represents a describe operation
+	ACLOperationDescribe = ACLOperation(C.RD_KAFKA_ACL_OPERATION_DESCRIBE)
+	// ACLOperationClusterAction represents a cluster action operation
+	ACLOperationClusterAction = ACLOperation(C.RD_KAFKA_ACL_OPERATION_CLUSTER_ACTION)
+	// ACLOperationDescribeConfigs represents a describe configs operation
+	ACLOperationDescribeConfigs = ACLOperation(C.RD_KAFKA_ACL_OPERATION_DESCRIBE_CONFIGS)
+	// ACLOperationAlterConfigs represents an alter configs operation
+	ACLOperationAlterConfigs = ACLOperation(C.RD_KAFKA_ACL_OPERATION_ALTER_CONFIGS)
+	// ACLOperationIdempotentWrite represents an idempotent write operation
+	ACLOperationIdempotentWrite = ACLOperation(C.RD_KAFKA_ACL_OPERATION_IDEMPOTENT_WRITE)
+)
+
+// String returns the human-readable representation of an ACLOperation
+func (o ACLOperation) String() string {
+	return C.GoString(C.rd_kafka_AclOperation_name(C.rd_kafka_AclOperation_t(o)))
+}
+
+// ACLOperationFromString translates a ACL operation name to
+// a ACLOperation value.
+func ACLOperationFromString(aclOperationString string) (ACLOperation, error) {
+	switch strings.ToUpper(aclOperationString) {
+	case "ANY":
+		return ACLOperationAny, nil
+	case "ALL":
+		return ACLOperationAll, nil
+	case "READ":
+		return ACLOperationRead, nil
+	case "WRITE":
+		return ACLOperationWrite, nil
+	case "CREATE":
+		return ACLOperationCreate, nil
+	case "DELETE":
+		return ACLOperationDelete, nil
+	case "ALTER":
+		return ACLOperationAlter, nil
+	case "DESCRIBE":
+		return ACLOperationDescribe, nil
+	case "CLUSTER_ACTION":
+		return ACLOperationClusterAction, nil
+	case "DESCRIBE_CONFIGS":
+		return ACLOperationDescribeConfigs, nil
+	case "ALTER_CONFIGS":
+		return ACLOperationAlterConfigs, nil
+	case "IDEMPOTENT_WRITE":
+		return ACLOperationIdempotentWrite, nil
+	default:
+		return ACLOperationUnknown, NewError(ErrInvalidArg, "Unknown ACL operation", false)
+	}
+}
+
+// ACLPermissionType enumerates the different types of ACL permission types.
+type ACLPermissionType int
+
+const (
+	// ACLPermissionTypeUnknown represents an unknown ACLPermissionType
+	ACLPermissionTypeUnknown = ACLPermissionType(C.RD_KAFKA_ACL_PERMISSION_TYPE_UNKNOWN)
+	// ACLPermissionTypeAny in a filter, matches any ACLPermissionType
+	ACLPermissionTypeAny = ACLPermissionType(C.RD_KAFKA_ACL_PERMISSION_TYPE_ANY)
+	// ACLPermissionTypeDeny disallows access
+	ACLPermissionTypeDeny = ACLPermissionType(C.RD_KAFKA_ACL_PERMISSION_TYPE_DENY)
+	// ACLPermissionTypeAllow grants access
+	ACLPermissionTypeAllow = ACLPermissionType(C.RD_KAFKA_ACL_PERMISSION_TYPE_ALLOW)
+)
+
+// String returns the human-readable representation of an ACLPermissionType
+func (o ACLPermissionType) String() string {
+	return C.GoString(C.rd_kafka_AclPermissionType_name(C.rd_kafka_AclPermissionType_t(o)))
+}
+
+// ACLPermissionTypeFromString translates a ACL permission type name to
+// a ACLPermissionType value.
+func ACLPermissionTypeFromString(aclPermissionTypeString string) (ACLPermissionType, error) {
+	switch strings.ToUpper(aclPermissionTypeString) {
+	case "ANY":
+		return ACLPermissionTypeAny, nil
+	case "DENY":
+		return ACLPermissionTypeDeny, nil
+	case "ALLOW":
+		return ACLPermissionTypeAllow, nil
+	default:
+		return ACLPermissionTypeUnknown, NewError(ErrInvalidArg, "Unknown ACL permission type", false)
+	}
+}
+
+// ACLBinding specifies the operation and permission type for a specific principal
+// over one or more resources of the same type. Used by `AdminClient.CreateACLs`,
+// returned by `AdminClient.DescribeACLs` and `AdminClient.DeleteACLs`.
+type ACLBinding struct {
+	Type ResourceType // The resource type.
+	// The resource name, which depends on the resource type.
+	// For ResourceBroker the resource name is the broker id.
+	Name                string
+	ResourcePatternType ResourcePatternType // The resource pattern, relative to the name.
+	Principal           string              // The principal this ACLBinding refers to.
+	Host                string              // The host that the call is allowed to come from.
+	Operation           ACLOperation        // The operation/s specified by this binding.
+	PermissionType      ACLPermissionType   // The permission type for the specified operation.
+}
+
+// ACLBindingFilter specifies a filter used to return a list of ACL bindings matching some or all of its attributes.
+// Used by `AdminClient.DescribeACLs` and `AdminClient.DeleteACLs`.
+type ACLBindingFilter = ACLBinding
+
+// ACLBindings is a slice of ACLBinding that also implements
+// the sort interface
+type ACLBindings []ACLBinding
+
+// ACLBindingFilters is a slice of ACLBindingFilter that also implements
+// the sort interface
+type ACLBindingFilters []ACLBindingFilter
+
+func (a ACLBindings) Len() int {
+	return len(a)
+}
+
+func (a ACLBindings) Less(i, j int) bool {
+	if a[i].Type != a[j].Type {
+		return a[i].Type < a[j].Type
+	}
+	if a[i].Name != a[j].Name {
+		return a[i].Name < a[j].Name
+	}
+	if a[i].ResourcePatternType != a[j].ResourcePatternType {
+		return a[i].ResourcePatternType < a[j].ResourcePatternType
+	}
+	if a[i].Principal != a[j].Principal {
+		return a[i].Principal < a[j].Principal
+	}
+	if a[i].Host != a[j].Host {
+		return a[i].Host < a[j].Host
+	}
+	if a[i].Operation != a[j].Operation {
+		return a[i].Operation < a[j].Operation
+	}
+	if a[i].PermissionType != a[j].PermissionType {
+		return a[i].PermissionType < a[j].PermissionType
+	}
+	return true
+}
+
+func (a ACLBindings) Swap(i, j int) {
+	a[i], a[j] = a[j], a[i]
+}
+
+// CreateACLResult provides create ACL error information.
+type CreateACLResult struct {
+	// Error, if any, of result. Check with `Error.Code() != ErrNoError`.
+	Error Error
+}
+
+// DescribeACLsResult provides describe ACLs result or error information.
+type DescribeACLsResult struct {
+	// Slice of ACL bindings matching the provided filter
+	ACLBindings ACLBindings
+	// Error, if any, of result. Check with `Error.Code() != ErrNoError`.
+	Error Error
+}
+
+// DeleteACLsResult provides delete ACLs result or error information.
+type DeleteACLsResult = DescribeACLsResult
+
 // waitResult waits for a result event on cQueue or the ctx to be cancelled, whichever happens
 // first.
 // The returned result event is checked for errors its error is returned if set.
@@ -950,6 +1190,353 @@ func (a *AdminClient) SetOAuthBearerTokenFailure(errstr string) error {
 	return a.handle.setOAuthBearerTokenFailure(errstr)
 }
 
+// aclBindingToC converts a Go ACLBinding struct to a C rd_kafka_AclBinding_t
+func (a *AdminClient) aclBindingToC(aclBinding *ACLBinding, cErrstr *C.char, cErrstrSize C.size_t) (result *C.rd_kafka_AclBinding_t, err error) {
+	var cName, cPrincipal, cHost *C.char
+	cName, cPrincipal, cHost = nil, nil, nil
+	if len(aclBinding.Name) > 0 {
+		cName = C.CString(aclBinding.Name)
+		defer C.free(unsafe.Pointer(cName))
+	}
+	if len(aclBinding.Principal) > 0 {
+		cPrincipal = C.CString(aclBinding.Principal)
+		defer C.free(unsafe.Pointer(cPrincipal))
+	}
+	if len(aclBinding.Host) > 0 {
+		cHost = C.CString(aclBinding.Host)
+		defer C.free(unsafe.Pointer(cHost))
+	}
+
+	result = C.rd_kafka_AclBinding_new(
+		C.rd_kafka_ResourceType_t(aclBinding.Type),
+		cName,
+		C.rd_kafka_ResourcePatternType_t(aclBinding.ResourcePatternType),
+		cPrincipal,
+		cHost,
+		C.rd_kafka_AclOperation_t(aclBinding.Operation),
+		C.rd_kafka_AclPermissionType_t(aclBinding.PermissionType),
+		cErrstr,
+		cErrstrSize,
+	)
+	if result == nil {
+		err = newErrorFromString(ErrInvalidArg,
+			fmt.Sprintf("Invalid arguments for ACL binding %v: %v", aclBinding, C.GoString(cErrstr)))
+	}
+	return
+}
+
+// aclBindingFilterToC converts a Go ACLBindingFilter struct to a C rd_kafka_AclBindingFilter_t
+func (a *AdminClient) aclBindingFilterToC(aclBindingFilter *ACLBindingFilter, cErrstr *C.char, cErrstrSize C.size_t) (result *C.rd_kafka_AclBindingFilter_t, err error) {
+	var cName, cPrincipal, cHost *C.char
+	cName, cPrincipal, cHost = nil, nil, nil
+	if len(aclBindingFilter.Name) > 0 {
+		cName = C.CString(aclBindingFilter.Name)
+		defer C.free(unsafe.Pointer(cName))
+	}
+	if len(aclBindingFilter.Principal) > 0 {
+		cPrincipal = C.CString(aclBindingFilter.Principal)
+		defer C.free(unsafe.Pointer(cPrincipal))
+	}
+	if len(aclBindingFilter.Host) > 0 {
+		cHost = C.CString(aclBindingFilter.Host)
+		defer C.free(unsafe.Pointer(cHost))
+	}
+
+	result = C.rd_kafka_AclBindingFilter_new(
+		C.rd_kafka_ResourceType_t(aclBindingFilter.Type),
+		cName,
+		C.rd_kafka_ResourcePatternType_t(aclBindingFilter.ResourcePatternType),
+		cPrincipal,
+		cHost,
+		C.rd_kafka_AclOperation_t(aclBindingFilter.Operation),
+		C.rd_kafka_AclPermissionType_t(aclBindingFilter.PermissionType),
+		cErrstr,
+		cErrstrSize,
+	)
+	if result == nil {
+		err = newErrorFromString(ErrInvalidArg,
+			fmt.Sprintf("Invalid arguments for ACL binding filter %v: %v", aclBindingFilter, C.GoString(cErrstr)))
+	}
+	return
+}
+
+// cToACLBinding converts a C rd_kafka_AclBinding_t to Go ACLBinding
+func (a *AdminClient) cToACLBinding(cACLBinding *C.rd_kafka_AclBinding_t) ACLBinding {
+	return ACLBinding{
+		ResourceType(C.rd_kafka_AclBinding_restype(cACLBinding)),
+		C.GoString(C.rd_kafka_AclBinding_name(cACLBinding)),
+		ResourcePatternType(C.rd_kafka_AclBinding_resource_pattern_type(cACLBinding)),
+		C.GoString(C.rd_kafka_AclBinding_principal(cACLBinding)),
+		C.GoString(C.rd_kafka_AclBinding_host(cACLBinding)),
+		ACLOperation(C.rd_kafka_AclBinding_operation(cACLBinding)),
+		ACLPermissionType(C.rd_kafka_AclBinding_permission_type(cACLBinding)),
+	}
+}
+
+// cToACLBindings converts a C rd_kafka_AclBinding_t list to Go ACLBindings
+func (a *AdminClient) cToACLBindings(cACLBindings **C.rd_kafka_AclBinding_t, aclCnt C.size_t) (result ACLBindings) {
+	result = make(ACLBindings, aclCnt)
+	for i := uint(0); i < uint(aclCnt); i++ {
+		cACLBinding := C.AclBinding_by_idx(cACLBindings, aclCnt, C.size_t(i))
+		if cACLBinding == nil {
+			panic("AclBinding_by_idx must not return nil")
+		}
+		result[i] = a.cToACLBinding(cACLBinding)
+	}
+	return
+}
+
+// cToCreateACLResults converts a C acl_result_t array to Go CreateACLResult list.
+func (a *AdminClient) cToCreateACLResults(cCreateAclsRes **C.rd_kafka_acl_result_t, aclCnt C.size_t) (result []CreateACLResult, err error) {
+	result = make([]CreateACLResult, uint(aclCnt))
+
+	for i := uint(0); i < uint(aclCnt); i++ {
+		cCreateACLRes := C.acl_result_by_idx(cCreateAclsRes, aclCnt, C.size_t(i))
+		if cCreateACLRes != nil {
+			cCreateACLError := C.rd_kafka_acl_result_error(cCreateACLRes)
+			result[i].Error = newErrorFromCError(cCreateACLError)
+		}
+	}
+
+	return result, nil
+}
+
+// cToDescribeACLsResult converts a C rd_kafka_event_t to a Go DescribeAclsResult struct.
+func (a *AdminClient) cToDescribeACLsResult(rkev *C.rd_kafka_event_t) (result *DescribeACLsResult) {
+	result = &DescribeACLsResult{}
+	err := C.rd_kafka_event_error(rkev)
+	errCode := ErrorCode(err)
+	errStr := C.rd_kafka_event_error_string(rkev)
+
+	var cResultACLsCount C.size_t
+	cResult := C.rd_kafka_event_DescribeAcls_result(rkev)
+	cResultACLs := C.rd_kafka_DescribeAcls_result_acls(cResult, &cResultACLsCount)
+	if errCode != ErrNoError {
+		result.Error = newErrorFromCString(err, errStr)
+	}
+	result.ACLBindings = a.cToACLBindings(cResultACLs, cResultACLsCount)
+	return
+}
+
+// cToDeleteACLsResults converts a C rd_kafka_DeleteAcls_result_response_t array to Go DeleteAclsResult slice.
+func (a *AdminClient) cToDeleteACLsResults(cDeleteACLsResResponse **C.rd_kafka_DeleteAcls_result_response_t, resResponseCnt C.size_t) (result []DeleteACLsResult) {
+	result = make([]DeleteACLsResult, uint(resResponseCnt))
+
+	for i := uint(0); i < uint(resResponseCnt); i++ {
+		cDeleteACLsResResponse := C.DeleteAcls_result_response_by_idx(cDeleteACLsResResponse, resResponseCnt, C.size_t(i))
+		if cDeleteACLsResResponse == nil {
+			panic("DeleteAcls_result_response_by_idx must not return nil")
+		}
+
+		cDeleteACLsError := C.rd_kafka_DeleteAcls_result_response_error(cDeleteACLsResResponse)
+		result[i].Error = newErrorFromCError(cDeleteACLsError)
+
+		var cMatchingACLsCount C.size_t
+		cMatchingACLs := C.rd_kafka_DeleteAcls_result_response_matching_acls(
+			cDeleteACLsResResponse, &cMatchingACLsCount)
+
+		result[i].ACLBindings = a.cToACLBindings(cMatchingACLs, cMatchingACLsCount)
+	}
+	return
+}
+
+// CreateACLs creates one or more ACL bindings.
+//
+// Parameters:
+//  * `ctx` - context with the maximum amount of time to block, or nil for indefinite.
+//  * `aclBindings` - A slice of ACL binding specifications to create.
+//  * `options` - Create ACLs options
+//
+// Returns a slice of CreateACLResult with a ErrNoError ErrorCode when the operation was successful
+// plus an error that is not nil for client level errors
+func (a *AdminClient) CreateACLs(ctx context.Context, aclBindings ACLBindings, options ...CreateACLsAdminOption) (result []CreateACLResult, err error) {
+	if aclBindings == nil {
+		return nil, newErrorFromString(ErrInvalidArg,
+			"Expected non-nil slice of ACLBinding structs")
+	}
+	if len(aclBindings) == 0 {
+		return nil, newErrorFromString(ErrInvalidArg,
+			"Expected non-empty slice of ACLBinding structs")
+	}
+
+	cErrstrSize := C.size_t(512)
+	cErrstr := (*C.char)(C.malloc(cErrstrSize))
+	defer C.free(unsafe.Pointer(cErrstr))
+
+	cACLBindings := make([]*C.rd_kafka_AclBinding_t, len(aclBindings))
+
+	for i, aclBinding := range aclBindings {
+		cACLBindings[i], err = a.aclBindingToC(&aclBinding, cErrstr, cErrstrSize)
+		if err != nil {
+			return
+		}
+		defer C.rd_kafka_AclBinding_destroy(cACLBindings[i])
+	}
+
+	// Convert Go AdminOptions (if any) to C AdminOptions
+	genericOptions := make([]AdminOption, len(options))
+	for i := range options {
+		genericOptions[i] = options[i]
+	}
+	cOptions, err := adminOptionsSetup(a.handle, C.RD_KAFKA_ADMIN_OP_CREATEACLS, genericOptions)
+	if err != nil {
+		return nil, err
+	}
+
+	// Create temporary queue for async operation
+	cQueue := C.rd_kafka_queue_new(a.handle.rk)
+	defer C.rd_kafka_queue_destroy(cQueue)
+
+	// Asynchronous call
+	C.rd_kafka_CreateAcls(
+		a.handle.rk,
+		(**C.rd_kafka_AclBinding_t)(&cACLBindings[0]),
+		C.size_t(len(cACLBindings)),
+		cOptions,
+		cQueue)
+
+	// Wait for result, error or context timeout
+	rkev, err := a.waitResult(ctx, cQueue, C.RD_KAFKA_EVENT_CREATEACLS_RESULT)
+	if err != nil {
+		return nil, err
+	}
+	defer C.rd_kafka_event_destroy(rkev)
+
+	var cResultCnt C.size_t
+	cResult := C.rd_kafka_event_CreateAcls_result(rkev)
+	aclResults := C.rd_kafka_CreateAcls_result_acls(cResult, &cResultCnt)
+	result, err = a.cToCreateACLResults(aclResults, cResultCnt)
+	return
+}
+
+// DescribeACLs matches ACL bindings by filter.
+//
+// Parameters:
+//  * `ctx` - context with the maximum amount of time to block, or nil for indefinite.
+//  * `aclBindingFilter` - A filter with attributes that must match.
+//     string attributes match exact values or any string if set to empty string.
+//     Enum attributes match exact values or any value if ending with `Any`.
+//     If `ResourcePatternType` is set to `ResourcePatternTypeMatch` returns all
+//     the ACL bindings with `ResourcePatternTypeLiteral`, `ResourcePatternTypeWildcard`
+//     or `ResourcePatternTypePrefixed` pattern type that match the resource name.
+//  * `options` - Describe ACLs options
+//
+// Returns a slice of ACLBindings when the operation was successful
+// plus an error that is not `nil` for client level errors
+func (a *AdminClient) DescribeACLs(ctx context.Context, aclBindingFilter ACLBindingFilter, options ...DescribeACLsAdminOption) (result *DescribeACLsResult, err error) {
+
+	cErrstrSize := C.size_t(512)
+	cErrstr := (*C.char)(C.malloc(cErrstrSize))
+	defer C.free(unsafe.Pointer(cErrstr))
+
+	cACLBindingFilter, err := a.aclBindingFilterToC(&aclBindingFilter, cErrstr, cErrstrSize)
+	if err != nil {
+		return
+	}
+
+	// Convert Go AdminOptions (if any) to C AdminOptions
+	genericOptions := make([]AdminOption, len(options))
+	for i := range options {
+		genericOptions[i] = options[i]
+	}
+	cOptions, err := adminOptionsSetup(a.handle, C.RD_KAFKA_ADMIN_OP_DESCRIBEACLS, genericOptions)
+	if err != nil {
+		return nil, err
+	}
+	// Create temporary queue for async operation
+	cQueue := C.rd_kafka_queue_new(a.handle.rk)
+	defer C.rd_kafka_queue_destroy(cQueue)
+
+	// Asynchronous call
+	C.rd_kafka_DescribeAcls(
+		a.handle.rk,
+		cACLBindingFilter,
+		cOptions,
+		cQueue)
+
+	// Wait for result, error or context timeout
+	rkev, err := a.waitResult(ctx, cQueue, C.RD_KAFKA_EVENT_DESCRIBEACLS_RESULT)
+	if err != nil {
+		return nil, err
+	}
+	defer C.rd_kafka_event_destroy(rkev)
+	result = a.cToDescribeACLsResult(rkev)
+	return
+}
+
+// DeleteACLs deletes ACL bindings matching one or more ACL binding filters.
+//
+// Parameters:
+//  * `ctx` - context with the maximum amount of time to block, or nil for indefinite.
+//  * `aclBindingFilters` - a slice of ACL binding filters to match ACLs to delete.
+//     string attributes match exact values or any string if set to empty string.
+//     Enum attributes match exact values or any value if ending with `Any`.
+//     If `ResourcePatternType` is set to `ResourcePatternTypeMatch` returns all
+//     the ACL bindings with `ResourcePatternTypeLiteral`, `ResourcePatternTypeWildcard`
+//     or `ResourcePatternTypePrefixed` pattern type that match the resource name.
+//  * `options` - Delete ACLs options
+//
+// Returns a slice of ACLBinding for each filter when the operation was successful
+// plus an error that is not `nil` for client level errors
+func (a *AdminClient) DeleteACLs(ctx context.Context, aclBindingFilters ACLBindingFilters, options ...DeleteACLsAdminOption) (result []DeleteACLsResult, err error) {
+	if aclBindingFilters == nil {
+		return nil, newErrorFromString(ErrInvalidArg,
+			"Expected non-nil slice of ACLBindingFilter structs")
+	}
+	if len(aclBindingFilters) == 0 {
+		return nil, newErrorFromString(ErrInvalidArg,
+			"Expected non-empty slice of ACLBindingFilter structs")
+	}
+
+	cErrstrSize := C.size_t(512)
+	cErrstr := (*C.char)(C.malloc(cErrstrSize))
+	defer C.free(unsafe.Pointer(cErrstr))
+
+	cACLBindingFilters := make([]*C.rd_kafka_AclBindingFilter_t, len(aclBindingFilters))
+
+	for i, aclBindingFilter := range aclBindingFilters {
+		cACLBindingFilters[i], err = a.aclBindingFilterToC(&aclBindingFilter, cErrstr, cErrstrSize)
+		if err != nil {
+			return
+		}
+		defer C.rd_kafka_AclBinding_destroy(cACLBindingFilters[i])
+	}
+
+	// Convert Go AdminOptions (if any) to C AdminOptions
+	genericOptions := make([]AdminOption, len(options))
+	for i := range options {
+		genericOptions[i] = options[i]
+	}
+	cOptions, err := adminOptionsSetup(a.handle, C.RD_KAFKA_ADMIN_OP_DELETEACLS, genericOptions)
+	if err != nil {
+		return nil, err
+	}
+	// Create temporary queue for async operation
+	cQueue := C.rd_kafka_queue_new(a.handle.rk)
+	defer C.rd_kafka_queue_destroy(cQueue)
+
+	// Asynchronous call
+	C.rd_kafka_DeleteAcls(
+		a.handle.rk,
+		(**C.rd_kafka_AclBindingFilter_t)(&cACLBindingFilters[0]),
+		C.size_t(len(cACLBindingFilters)),
+		cOptions,
+		cQueue)
+
+	// Wait for result, error or context timeout
+	rkev, err := a.waitResult(ctx, cQueue, C.RD_KAFKA_EVENT_DELETEACLS_RESULT)
+	if err != nil {
+		return nil, err
+	}
+	defer C.rd_kafka_event_destroy(rkev)
+
+	var cResultResponsesCount C.size_t
+	cResult := C.rd_kafka_event_DeleteAcls_result(rkev)
+	cResultResponses := C.rd_kafka_DeleteAcls_result_responses(cResult, &cResultResponsesCount)
+	result = a.cToDeleteACLsResults(cResultResponses, cResultResponsesCount)
+	return
+}
+
 // Close an AdminClient instance.
 func (a *AdminClient) Close() {
 	if a.isDerived {
diff --git a/kafka/adminapi_test.go b/kafka/adminapi_test.go
index 50660869e..54b878ee0 100644
--- a/kafka/adminapi_test.go
+++ b/kafka/adminapi_test.go
@@ -76,6 +76,350 @@ func TestAdminAPIWithDefaultValue(t *testing.T) {
 	adminClient.Close()
 }
 
+func testAdminAPIsCreateACLs(what string, a *AdminClient, t *testing.T) {
+	var res []CreateACLResult
+	var err error
+	var ctx context.Context
+	var cancel context.CancelFunc
+	var expDuration time.Duration
+	var expDurationLonger time.Duration
+	var expError string
+	var invalidTests []ACLBindings
+
+	checkFail := func(res []CreateACLResult, err error) {
+		if res != nil || err == nil {
+			t.Fatalf("Expected CreateACLs to fail, but got result: %v, err: %v", res, err)
+		}
+	}
+
+	testACLBindings := ACLBindings{
+		{
+			Type:                ResourceTopic,
+			Name:                "mytopic",
+			ResourcePatternType: ResourcePatternTypeLiteral,
+			Principal:           "User:myuser",
+			Host:                "*",
+			Operation:           ACLOperationAll,
+			PermissionType:      ACLPermissionTypeAllow,
+		},
+	}
+
+	copyACLBindings := func() ACLBindings {
+		return append(ACLBindings{}, testACLBindings...)
+	}
+
+	t.Logf("AdminClient API - ACLs testing on %s: %s", a, what)
+	expDuration, err = time.ParseDuration("0.1s")
+	if err != nil {
+		t.Fatalf("%s", err)
+	}
+
+	// nil aclBindings
+	res, err = a.CreateACLs(ctx, nil)
+	checkFail(res, err)
+	expError = "Expected non-nil slice of ACLBinding structs"
+	if err.Error() != expError {
+		t.Fatalf("Expected error \"%s\", received: \"%v\"", expError, err.Error())
+	}
+
+	// empty aclBindings
+	res, err = a.CreateACLs(ctx, ACLBindings{})
+	checkFail(res, err)
+	expError = "Expected non-empty slice of ACLBinding structs"
+	if err.Error() != expError {
+		t.Fatalf("Expected error \"%s\", received: \"%v\"", expError, err.Error())
+	}
+
+	// Correct input, fail with timeout
+	ctx, cancel = context.WithTimeout(context.Background(), expDuration)
+	defer cancel()
+
+	res, err = a.CreateACLs(ctx, testACLBindings)
+	checkFail(res, err)
+	if ctx.Err() != context.DeadlineExceeded {
+		t.Fatalf("Expected DeadlineExceeded, not %v, %v", ctx.Err(), err)
+	}
+
+	// request timeout comes before context deadline
+	expDurationLonger, err = time.ParseDuration("0.2s")
+	if err != nil {
+		t.Fatalf("%s", err)
+	}
+
+	ctx, cancel = context.WithTimeout(context.Background(), expDurationLonger)
+	defer cancel()
+
+	res, err = a.CreateACLs(ctx, testACLBindings, SetAdminRequestTimeout(expDuration))
+	checkFail(res, err)
+	expError = "Failed while waiting for controller: Local: Timed out"
+	if err.Error() != expError {
+		t.Fatalf("Expected error \"%s\", received: \"%v\"", expError, err.Error())
+	}
+
+	// Invalid ACL bindings
+	invalidTests = []ACLBindings{copyACLBindings(), copyACLBindings()}
+	invalidTests[0][0].Type = ResourceUnknown
+	invalidTests[1][0].Type = ResourceAny
+	expError = ": Invalid resource type"
+	for _, invalidACLBindings := range invalidTests {
+		res, err = a.CreateACLs(ctx, invalidACLBindings)
+		checkFail(res, err)
+		if !strings.HasSuffix(err.Error(), expError) {
+			t.Fatalf("Expected an error ending with \"%s\", received: \"%s\"", expError, err.Error())
+		}
+	}
+
+	suffixes := []string{
+		": Invalid resource pattern type",
+		": Invalid resource pattern type",
+		": Invalid resource pattern type",
+		": Invalid operation",
+		": Invalid operation",
+		": Invalid permission type",
+		": Invalid permission type",
+		": Invalid resource name",
+		": Invalid principal",
+		": Invalid host",
+	}
+	nInvalidTests := len(suffixes)
+	invalidTests = make([]ACLBindings, nInvalidTests)
+	for i := 0; i < nInvalidTests; i++ {
+		invalidTests[i] = copyACLBindings()
+	}
+	invalidTests[0][0].ResourcePatternType = ResourcePatternTypeUnknown
+	invalidTests[1][0].ResourcePatternType = ResourcePatternTypeMatch
+	invalidTests[2][0].ResourcePatternType = ResourcePatternTypeAny
+	invalidTests[3][0].Operation = ACLOperationUnknown
+	invalidTests[4][0].Operation = ACLOperationAny
+	invalidTests[5][0].PermissionType = ACLPermissionTypeUnknown
+	invalidTests[6][0].PermissionType = ACLPermissionTypeAny
+	invalidTests[7][0].Name = ""
+	invalidTests[8][0].Principal = ""
+	invalidTests[9][0].Host = ""
+
+	for i, invalidACLBindings := range invalidTests {
+		res, err = a.CreateACLs(ctx, invalidACLBindings)
+		checkFail(res, err)
+		if !strings.HasSuffix(err.Error(), suffixes[i]) {
+			t.Fatalf("Expected an error ending with \"%s\", received: \"%s\"", suffixes[i], err.Error())
+		}
+	}
+}
+
+func testAdminAPIsDescribeACLs(what string, a *AdminClient, t *testing.T) {
+	var res *DescribeACLsResult
+	var err error
+	var ctx context.Context
+	var cancel context.CancelFunc
+	var expDuration time.Duration
+	var expDurationLonger time.Duration
+	var expError string
+
+	checkFail := func(res *DescribeACLsResult, err error) {
+		if res != nil || err == nil {
+			t.Fatalf("Expected DescribeACLs to fail, but got result: %v, err: %v", res, err)
+		}
+	}
+
+	aclBindingsFilter := ACLBindingFilter{
+		Type:                ResourceTopic,
+		ResourcePatternType: ResourcePatternTypeLiteral,
+		Operation:           ACLOperationAll,
+		PermissionType:      ACLPermissionTypeAllow,
+	}
+
+	t.Logf("AdminClient API - ACLs testing on %s: %s", a, what)
+	expDuration, err = time.ParseDuration("0.1s")
+	if err != nil {
+		t.Fatalf("%s", err)
+	}
+
+	// Correct input, fail with timeout
+	ctx, cancel = context.WithTimeout(context.Background(), expDuration)
+	defer cancel()
+
+	res, err = a.DescribeACLs(ctx, aclBindingsFilter)
+	checkFail(res, err)
+	if ctx.Err() != context.DeadlineExceeded {
+		t.Fatalf("Expected DeadlineExceeded, not %v, %v", ctx.Err(), err)
+	}
+
+	// request timeout comes before context deadline
+	expDurationLonger, err = time.ParseDuration("0.2s")
+	if err != nil {
+		t.Fatalf("%s", err)
+	}
+
+	ctx, cancel = context.WithTimeout(context.Background(), expDurationLonger)
+	defer cancel()
+
+	res, err = a.DescribeACLs(ctx, aclBindingsFilter, SetAdminRequestTimeout(expDuration))
+	checkFail(res, err)
+	expError = "Failed while waiting for controller: Local: Timed out"
+	if err.Error() != expError {
+		t.Fatalf("Expected error \"%s\", received: \"%v\"", expError, err.Error())
+	}
+
+	// Invalid ACL binding filters
+	suffixes := []string{
+		": Invalid resource pattern type",
+		": Invalid operation",
+		": Invalid permission type",
+	}
+	nInvalidTests := len(suffixes)
+	invalidTests := make(ACLBindingFilters, nInvalidTests)
+	for i := 0; i < nInvalidTests; i++ {
+		invalidTests[i] = aclBindingsFilter
+	}
+	invalidTests[0].ResourcePatternType = ResourcePatternTypeUnknown
+	invalidTests[1].Operation = ACLOperationUnknown
+	invalidTests[2].PermissionType = ACLPermissionTypeUnknown
+
+	for i, invalidACLBindingFilter := range invalidTests {
+		res, err = a.DescribeACLs(ctx, invalidACLBindingFilter)
+		checkFail(res, err)
+		if !strings.HasSuffix(err.Error(), suffixes[i]) {
+			t.Fatalf("Expected an error ending with \"%s\", received: \"%s\"", suffixes[i], err.Error())
+		}
+	}
+
+	// ACL binding filters are valid with empty strings,
+	// matching any value
+	validTests := [3]ACLBindingFilter{}
+	for i := 0; i < len(validTests); i++ {
+		validTests[i] = aclBindingsFilter
+	}
+	validTests[0].Name = ""
+	validTests[1].Principal = ""
+	validTests[2].Host = ""
+
+	for _, validACLBindingFilter := range validTests {
+		res, err = a.DescribeACLs(ctx, validACLBindingFilter)
+		checkFail(res, err)
+		if ctx.Err() != context.DeadlineExceeded {
+			t.Fatalf("Expected DeadlineExceeded, not %v, %v", ctx.Err(), err)
+		}
+	}
+}
+
+func testAdminAPIsDeleteACLs(what string, a *AdminClient, t *testing.T) {
+	var res []DeleteACLsResult
+	var err error
+	var ctx context.Context
+	var cancel context.CancelFunc
+	var expDuration time.Duration
+	var expDurationLonger time.Duration
+	var expError string
+
+	checkFail := func(res []DeleteACLsResult, err error) {
+		if res != nil || err == nil {
+			t.Fatalf("Expected DeleteACL to fail, but got result: %v, err: %v", res, err)
+		}
+	}
+
+	aclBindingsFilters := ACLBindingFilters{
+		{
+			Type:                ResourceTopic,
+			ResourcePatternType: ResourcePatternTypeLiteral,
+			Operation:           ACLOperationAll,
+			PermissionType:      ACLPermissionTypeAllow,
+		},
+	}
+
+	copyACLBindingFilters := func() ACLBindingFilters {
+		return append(ACLBindingFilters{}, aclBindingsFilters...)
+	}
+
+	t.Logf("AdminClient API - ACLs testing on %s: %s", a, what)
+	expDuration, err = time.ParseDuration("0.1s")
+	if err != nil {
+		t.Fatalf("%s", err)
+	}
+
+	// nil aclBindingFilters
+	res, err = a.DeleteACLs(ctx, nil)
+	checkFail(res, err)
+	expError = "Expected non-nil slice of ACLBindingFilter structs"
+	if err.Error() != expError {
+		t.Fatalf("Expected error \"%s\", received: \"%v\"", expError, err.Error())
+	}
+
+	// empty aclBindingFilters
+	res, err = a.DeleteACLs(ctx, ACLBindingFilters{})
+	checkFail(res, err)
+	expError = "Expected non-empty slice of ACLBindingFilter structs"
+	if err.Error() != expError {
+		t.Fatalf("Expected error \"%s\", received: \"%v\"", expError, err.Error())
+	}
+
+	// Correct input, fail with timeout
+	ctx, cancel = context.WithTimeout(context.Background(), expDuration)
+	defer cancel()
+
+	res, err = a.DeleteACLs(ctx, aclBindingsFilters)
+	checkFail(res, err)
+	if ctx.Err() != context.DeadlineExceeded {
+		t.Fatalf("Expected DeadlineExceeded, not %v, %v", ctx.Err(), err)
+	}
+
+	// request timeout comes before context deadline
+	expDurationLonger, err = time.ParseDuration("0.2s")
+	if err != nil {
+		t.Fatalf("%s", err)
+	}
+
+	ctx, cancel = context.WithTimeout(context.Background(), expDurationLonger)
+	defer cancel()
+
+	res, err = a.DeleteACLs(ctx, aclBindingsFilters, SetAdminRequestTimeout(expDuration))
+	checkFail(res, err)
+	expError = "Failed while waiting for controller: Local: Timed out"
+	if err.Error() != expError {
+		t.Fatalf("Expected error \"%s\", received: \"%v\"", expError, err.Error())
+	}
+
+	// Invalid ACL binding filters
+	suffixes := []string{
+		": Invalid resource pattern type",
+		": Invalid operation",
+		": Invalid permission type",
+	}
+	nInvalidTests := len(suffixes)
+	invalidTests := make([]ACLBindingFilters, nInvalidTests)
+	for i := 0; i < nInvalidTests; i++ {
+		invalidTests[i] = copyACLBindingFilters()
+	}
+	invalidTests[0][0].ResourcePatternType = ResourcePatternTypeUnknown
+	invalidTests[1][0].Operation = ACLOperationUnknown
+	invalidTests[2][0].PermissionType = ACLPermissionTypeUnknown
+
+	for i, invalidACLBindingFilters := range invalidTests {
+		res, err = a.DeleteACLs(ctx, invalidACLBindingFilters)
+		checkFail(res, err)
+		if !strings.HasSuffix(err.Error(), suffixes[i]) {
+			t.Fatalf("Expected an error ending with \"%s\", received: \"%s\"", suffixes[i], err.Error())
+		}
+	}
+
+	// ACL binding filters are valid with empty strings,
+	// matching any value
+	validTests := [3]ACLBindingFilters{}
+	for i := 0; i < len(validTests); i++ {
+		validTests[i] = copyACLBindingFilters()
+	}
+	validTests[0][0].Name = ""
+	validTests[1][0].Principal = ""
+	validTests[2][0].Host = ""
+
+	for _, validACLBindingFilters := range validTests {
+		res, err = a.DeleteACLs(ctx, validACLBindingFilters)
+		checkFail(res, err)
+		if ctx.Err() != context.DeadlineExceeded {
+			t.Fatalf("Expected DeadlineExceeded, not %v, %v", ctx.Err(), err)
+		}
+	}
+}
+
 func testAdminAPIs(what string, a *AdminClient, t *testing.T) {
 	t.Logf("AdminClient API testing on %s: %s", a, what)
 
@@ -301,6 +645,10 @@ func testAdminAPIs(what string, a *AdminClient, t *testing.T) {
 	if ctx.Err() != context.DeadlineExceeded || err != context.DeadlineExceeded {
 		t.Fatalf("Expected DeadlineExceeded, not %v", ctx.Err())
 	}
+
+	testAdminAPIsCreateACLs(what, a, t)
+	testAdminAPIsDescribeACLs(what, a, t)
+	testAdminAPIsDeleteACLs(what, a, t)
 }
 
 // TestAdminAPIs dry-tests most Admin APIs, no broker is needed.
diff --git a/kafka/adminoptions.go b/kafka/adminoptions.go
index 6d7022ad9..8c1bc81ff 100644
--- a/kafka/adminoptions.go
+++ b/kafka/adminoptions.go
@@ -166,6 +166,15 @@ func (ao AdminOptionValidateOnly) supportsCreatePartitions() {
 func (ao AdminOptionValidateOnly) supportsAlterConfigs() {
 }
 
+func (ao AdminOptionRequestTimeout) supportsCreateACLs() {
+}
+
+func (ao AdminOptionRequestTimeout) supportsDescribeACLs() {
+}
+
+func (ao AdminOptionRequestTimeout) supportsDeleteACLs() {
+}
+
 func (ao AdminOptionValidateOnly) apply(cOptions *C.rd_kafka_AdminOptions_t) error {
 	if !ao.isSet {
 		return nil
@@ -240,6 +249,30 @@ type DescribeConfigsAdminOption interface {
 	apply(cOptions *C.rd_kafka_AdminOptions_t) error
 }
 
+// CreateACLsAdminOption - see setter.
+//
+// See SetAdminRequestTimeout
+type CreateACLsAdminOption interface {
+	supportsCreateACLs()
+	apply(cOptions *C.rd_kafka_AdminOptions_t) error
+}
+
+// DescribeACLsAdminOption - see setter.
+//
+// See SetAdminRequestTimeout
+type DescribeACLsAdminOption interface {
+	supportsDescribeACLs()
+	apply(cOptions *C.rd_kafka_AdminOptions_t) error
+}
+
+// DeleteACLsAdminOption - see setter.
+//
+// See SetAdminRequestTimeout
+type DeleteACLsAdminOption interface {
+	supportsDeleteACLs()
+	apply(cOptions *C.rd_kafka_AdminOptions_t) error
+}
+
 // AdminOption is a generic type not to be used directly.
 //
 // See CreateTopicsAdminOption et.al.
diff --git a/kafka/api.html b/kafka/api.html
index c53cbd87b..18d4ec0f1 100644
--- a/kafka/api.html
+++ b/kafka/api.html
@@ -387,6 +387,71 @@ <h2 class="toggleButton" title="Click to hide Index section">
           func WriteErrorCodes(f *os.File)
          </a>
         </dd>
+        <dd>
+         <a href="#ACLBinding">
+          type ACLBinding
+         </a>
+        </dd>
+        <dd>
+         <a href="#ACLBindingFilter">
+          type ACLBindingFilter
+         </a>
+        </dd>
+        <dd>
+         <a href="#ACLBindingFilters">
+          type ACLBindingFilters
+         </a>
+        </dd>
+        <dd>
+         <a href="#ACLBindings">
+          type ACLBindings
+         </a>
+        </dd>
+        <dd>
+         <a href="#ACLBindings.Len">
+          func (a ACLBindings) Len() int
+         </a>
+        </dd>
+        <dd>
+         <a href="#ACLBindings.Less">
+          func (a ACLBindings) Less(i, j int) bool
+         </a>
+        </dd>
+        <dd>
+         <a href="#ACLBindings.Swap">
+          func (a ACLBindings) Swap(i, j int)
+         </a>
+        </dd>
+        <dd>
+         <a href="#ACLOperation">
+          type ACLOperation
+         </a>
+        </dd>
+        <dd>
+         <a href="#ACLOperationFromString">
+          func ACLOperationFromString(aclOperationString string) (ACLOperation, error)
+         </a>
+        </dd>
+        <dd>
+         <a href="#ACLOperation.String">
+          func (o ACLOperation) String() string
+         </a>
+        </dd>
+        <dd>
+         <a href="#ACLPermissionType">
+          type ACLPermissionType
+         </a>
+        </dd>
+        <dd>
+         <a href="#ACLPermissionTypeFromString">
+          func ACLPermissionTypeFromString(aclPermissionTypeString string) (ACLPermissionType, error)
+         </a>
+        </dd>
+        <dd>
+         <a href="#ACLPermissionType.String">
+          func (o ACLPermissionType) String() string
+         </a>
+        </dd>
         <dd>
          <a href="#AdminClient">
           type AdminClient
@@ -427,6 +492,11 @@ <h2 class="toggleButton" title="Click to hide Index section">
           func (a *AdminClient) ControllerID(ctx context.Context) (controllerID int32, err error)
          </a>
         </dd>
+        <dd>
+         <a href="#AdminClient.CreateACLs">
+          func (a *AdminClient) CreateACLs(ctx context.Context, aclBindings ACLBindings, options ...CreateACLsAdminOption) (result []CreateACLResult, err error)
+         </a>
+        </dd>
         <dd>
          <a href="#AdminClient.CreatePartitions">
           func (a *AdminClient) CreatePartitions(ctx context.Context, partitions []PartitionsSpecification, options ...CreatePartitionsAdminOption) (result []TopicResult, err error)
@@ -437,11 +507,21 @@ <h2 class="toggleButton" title="Click to hide Index section">
           func (a *AdminClient) CreateTopics(ctx context.Context, topics []TopicSpecification, options ...CreateTopicsAdminOption) (result []TopicResult, err error)
          </a>
         </dd>
+        <dd>
+         <a href="#AdminClient.DeleteACLs">
+          func (a *AdminClient) DeleteACLs(ctx context.Context, aclBindingFilters ACLBindingFilters, options ...DeleteACLsAdminOption) (result []DeleteACLsResult, err error)
+         </a>
+        </dd>
         <dd>
          <a href="#AdminClient.DeleteTopics">
           func (a *AdminClient) DeleteTopics(ctx context.Context, topics []string, options ...DeleteTopicsAdminOption) (result []TopicResult, err error)
          </a>
         </dd>
+        <dd>
+         <a href="#AdminClient.DescribeACLs">
+          func (a *AdminClient) DescribeACLs(ctx context.Context, aclBindingFilter ACLBindingFilter, options ...DescribeACLsAdminOption) (result *DescribeACLsResult, err error)
+         </a>
+        </dd>
         <dd>
          <a href="#AdminClient.DescribeConfigs">
           func (a *AdminClient) DescribeConfigs(ctx context.Context, resources []ConfigResource, options ...DescribeConfigsAdminOption) (result []ConfigResourceResult, err error)
@@ -802,6 +882,16 @@ <h2 class="toggleButton" title="Click to hide Index section">
           func NewTestConsumerGroupMetadata(groupID string) (*ConsumerGroupMetadata, error)
          </a>
         </dd>
+        <dd>
+         <a href="#CreateACLResult">
+          type CreateACLResult
+         </a>
+        </dd>
+        <dd>
+         <a href="#CreateACLsAdminOption">
+          type CreateACLsAdminOption
+         </a>
+        </dd>
         <dd>
          <a href="#CreatePartitionsAdminOption">
           type CreatePartitionsAdminOption
@@ -812,11 +902,31 @@ <h2 class="toggleButton" title="Click to hide Index section">
           type CreateTopicsAdminOption
          </a>
         </dd>
+        <dd>
+         <a href="#DeleteACLsAdminOption">
+          type DeleteACLsAdminOption
+         </a>
+        </dd>
+        <dd>
+         <a href="#DeleteACLsResult">
+          type DeleteACLsResult
+         </a>
+        </dd>
         <dd>
          <a href="#DeleteTopicsAdminOption">
           type DeleteTopicsAdminOption
          </a>
         </dd>
+        <dd>
+         <a href="#DescribeACLsAdminOption">
+          type DescribeACLsAdminOption
+         </a>
+        </dd>
+        <dd>
+         <a href="#DescribeACLsResult">
+          type DescribeACLsResult
+         </a>
+        </dd>
         <dd>
          <a href="#DescribeConfigsAdminOption">
           type DescribeConfigsAdminOption
@@ -1127,6 +1237,21 @@ <h2 class="toggleButton" title="Click to hide Index section">
           type RebalanceCb
          </a>
         </dd>
+        <dd>
+         <a href="#ResourcePatternType">
+          type ResourcePatternType
+         </a>
+        </dd>
+        <dd>
+         <a href="#ResourcePatternTypeFromString">
+          func ResourcePatternTypeFromString(patternTypeString string) (ResourcePatternType, error)
+         </a>
+        </dd>
+        <dd>
+         <a href="#ResourcePatternType.String">
+          func (t ResourcePatternType) String() string
+         </a>
+        </dd>
         <dd>
          <a href="#ResourceType">
           type ResourceType
@@ -1333,6 +1458,56 @@ <h2 id="pkg-constants">
     <span id="ConfigSourceStaticBroker">ConfigSourceStaticBroker</span> = <a href="#ConfigSource">ConfigSource</a>(<a href="//golang.org/pkg/C/">C</a>.<a href="//golang.org/pkg/C/#RD_KAFKA_CONFIG_SOURCE_STATIC_BROKER_CONFIG">RD_KAFKA_CONFIG_SOURCE_STATIC_BROKER_CONFIG</a>)
     <span class="comment">// ConfigSourceDefault is built-in default configuration for configs that have a default value</span>
     <span id="ConfigSourceDefault">ConfigSourceDefault</span> = <a href="#ConfigSource">ConfigSource</a>(<a href="//golang.org/pkg/C/">C</a>.<a href="//golang.org/pkg/C/#RD_KAFKA_CONFIG_SOURCE_DEFAULT_CONFIG">RD_KAFKA_CONFIG_SOURCE_DEFAULT_CONFIG</a>)
+)</pre>
+    <pre>const (
+    <span class="comment">// ResourcePatternTypeUnknown is a resource pattern type not known or not set.</span>
+    <span id="ResourcePatternTypeUnknown">ResourcePatternTypeUnknown</span> = <a href="#ResourcePatternType">ResourcePatternType</a>(<a href="//golang.org/pkg/C/">C</a>.<a href="//golang.org/pkg/C/#RD_KAFKA_RESOURCE_PATTERN_UNKNOWN">RD_KAFKA_RESOURCE_PATTERN_UNKNOWN</a>)
+    <span class="comment">// ResourcePatternTypeAny matches any resource, used for lookups.</span>
+    <span id="ResourcePatternTypeAny">ResourcePatternTypeAny</span> = <a href="#ResourcePatternType">ResourcePatternType</a>(<a href="//golang.org/pkg/C/">C</a>.<a href="//golang.org/pkg/C/#RD_KAFKA_RESOURCE_PATTERN_ANY">RD_KAFKA_RESOURCE_PATTERN_ANY</a>)
+    <span class="comment">// ResourcePatternTypeMatch will perform pattern matching</span>
+    <span id="ResourcePatternTypeMatch">ResourcePatternTypeMatch</span> = <a href="#ResourcePatternType">ResourcePatternType</a>(<a href="//golang.org/pkg/C/">C</a>.<a href="//golang.org/pkg/C/#RD_KAFKA_RESOURCE_PATTERN_MATCH">RD_KAFKA_RESOURCE_PATTERN_MATCH</a>)
+    <span class="comment">// ResourcePatternTypeLiteral matches a literal resource name</span>
+    <span id="ResourcePatternTypeLiteral">ResourcePatternTypeLiteral</span> = <a href="#ResourcePatternType">ResourcePatternType</a>(<a href="//golang.org/pkg/C/">C</a>.<a href="//golang.org/pkg/C/#RD_KAFKA_RESOURCE_PATTERN_LITERAL">RD_KAFKA_RESOURCE_PATTERN_LITERAL</a>)
+    <span class="comment">// ResourcePatternTypePrefixed matches a prefixed resource name</span>
+    <span id="ResourcePatternTypePrefixed">ResourcePatternTypePrefixed</span> = <a href="#ResourcePatternType">ResourcePatternType</a>(<a href="//golang.org/pkg/C/">C</a>.<a href="//golang.org/pkg/C/#RD_KAFKA_RESOURCE_PATTERN_PREFIXED">RD_KAFKA_RESOURCE_PATTERN_PREFIXED</a>)
+)</pre>
+    <pre>const (
+    <span class="comment">// ACLOperationUnknown represents an unknown or unset operation</span>
+    <span id="ACLOperationUnknown">ACLOperationUnknown</span> = <a href="#ACLOperation">ACLOperation</a>(<a href="//golang.org/pkg/C/">C</a>.<a href="//golang.org/pkg/C/#RD_KAFKA_ACL_OPERATION_UNKNOWN">RD_KAFKA_ACL_OPERATION_UNKNOWN</a>)
+    <span class="comment">// ACLOperationAny in a filter, matches any ACLOperation</span>
+    <span id="ACLOperationAny">ACLOperationAny</span> = <a href="#ACLOperation">ACLOperation</a>(<a href="//golang.org/pkg/C/">C</a>.<a href="//golang.org/pkg/C/#RD_KAFKA_ACL_OPERATION_ANY">RD_KAFKA_ACL_OPERATION_ANY</a>)
+    <span class="comment">// ACLOperationAll represents all the operations</span>
+    <span id="ACLOperationAll">ACLOperationAll</span> = <a href="#ACLOperation">ACLOperation</a>(<a href="//golang.org/pkg/C/">C</a>.<a href="//golang.org/pkg/C/#RD_KAFKA_ACL_OPERATION_ALL">RD_KAFKA_ACL_OPERATION_ALL</a>)
+    <span class="comment">// ACLOperationRead a read operation</span>
+    <span id="ACLOperationRead">ACLOperationRead</span> = <a href="#ACLOperation">ACLOperation</a>(<a href="//golang.org/pkg/C/">C</a>.<a href="//golang.org/pkg/C/#RD_KAFKA_ACL_OPERATION_READ">RD_KAFKA_ACL_OPERATION_READ</a>)
+    <span class="comment">// ACLOperationWrite represents a write operation</span>
+    <span id="ACLOperationWrite">ACLOperationWrite</span> = <a href="#ACLOperation">ACLOperation</a>(<a href="//golang.org/pkg/C/">C</a>.<a href="//golang.org/pkg/C/#RD_KAFKA_ACL_OPERATION_WRITE">RD_KAFKA_ACL_OPERATION_WRITE</a>)
+    <span class="comment">// ACLOperationCreate represents a create operation</span>
+    <span id="ACLOperationCreate">ACLOperationCreate</span> = <a href="#ACLOperation">ACLOperation</a>(<a href="//golang.org/pkg/C/">C</a>.<a href="//golang.org/pkg/C/#RD_KAFKA_ACL_OPERATION_CREATE">RD_KAFKA_ACL_OPERATION_CREATE</a>)
+    <span class="comment">// ACLOperationDelete represents a delete operation</span>
+    <span id="ACLOperationDelete">ACLOperationDelete</span> = <a href="#ACLOperation">ACLOperation</a>(<a href="//golang.org/pkg/C/">C</a>.<a href="//golang.org/pkg/C/#RD_KAFKA_ACL_OPERATION_DELETE">RD_KAFKA_ACL_OPERATION_DELETE</a>)
+    <span class="comment">// ACLOperationAlter represents an alter operation</span>
+    <span id="ACLOperationAlter">ACLOperationAlter</span> = <a href="#ACLOperation">ACLOperation</a>(<a href="//golang.org/pkg/C/">C</a>.<a href="//golang.org/pkg/C/#RD_KAFKA_ACL_OPERATION_ALTER">RD_KAFKA_ACL_OPERATION_ALTER</a>)
+    <span class="comment">// ACLOperationDescribe represents a describe operation</span>
+    <span id="ACLOperationDescribe">ACLOperationDescribe</span> = <a href="#ACLOperation">ACLOperation</a>(<a href="//golang.org/pkg/C/">C</a>.<a href="//golang.org/pkg/C/#RD_KAFKA_ACL_OPERATION_DESCRIBE">RD_KAFKA_ACL_OPERATION_DESCRIBE</a>)
+    <span class="comment">// ACLOperationClusterAction represents a cluster action operation</span>
+    <span id="ACLOperationClusterAction">ACLOperationClusterAction</span> = <a href="#ACLOperation">ACLOperation</a>(<a href="//golang.org/pkg/C/">C</a>.<a href="//golang.org/pkg/C/#RD_KAFKA_ACL_OPERATION_CLUSTER_ACTION">RD_KAFKA_ACL_OPERATION_CLUSTER_ACTION</a>)
+    <span class="comment">// ACLOperationDescribeConfigs represents a describe configs operation</span>
+    <span id="ACLOperationDescribeConfigs">ACLOperationDescribeConfigs</span> = <a href="#ACLOperation">ACLOperation</a>(<a href="//golang.org/pkg/C/">C</a>.<a href="//golang.org/pkg/C/#RD_KAFKA_ACL_OPERATION_DESCRIBE_CONFIGS">RD_KAFKA_ACL_OPERATION_DESCRIBE_CONFIGS</a>)
+    <span class="comment">// ACLOperationAlterConfigs represents an alter configs operation</span>
+    <span id="ACLOperationAlterConfigs">ACLOperationAlterConfigs</span> = <a href="#ACLOperation">ACLOperation</a>(<a href="//golang.org/pkg/C/">C</a>.<a href="//golang.org/pkg/C/#RD_KAFKA_ACL_OPERATION_ALTER_CONFIGS">RD_KAFKA_ACL_OPERATION_ALTER_CONFIGS</a>)
+    <span class="comment">// ACLOperationIdempotentWrite represents an idempotent write operation</span>
+    <span id="ACLOperationIdempotentWrite">ACLOperationIdempotentWrite</span> = <a href="#ACLOperation">ACLOperation</a>(<a href="//golang.org/pkg/C/">C</a>.<a href="//golang.org/pkg/C/#RD_KAFKA_ACL_OPERATION_IDEMPOTENT_WRITE">RD_KAFKA_ACL_OPERATION_IDEMPOTENT_WRITE</a>)
+)</pre>
+    <pre>const (
+    <span class="comment">// ACLPermissionTypeUnknown represents an unknown ACLPermissionType</span>
+    <span id="ACLPermissionTypeUnknown">ACLPermissionTypeUnknown</span> = <a href="#ACLPermissionType">ACLPermissionType</a>(<a href="//golang.org/pkg/C/">C</a>.<a href="//golang.org/pkg/C/#RD_KAFKA_ACL_PERMISSION_TYPE_UNKNOWN">RD_KAFKA_ACL_PERMISSION_TYPE_UNKNOWN</a>)
+    <span class="comment">// ACLPermissionTypeAny in a filter, matches any ACLPermissionType</span>
+    <span id="ACLPermissionTypeAny">ACLPermissionTypeAny</span> = <a href="#ACLPermissionType">ACLPermissionType</a>(<a href="//golang.org/pkg/C/">C</a>.<a href="//golang.org/pkg/C/#RD_KAFKA_ACL_PERMISSION_TYPE_ANY">RD_KAFKA_ACL_PERMISSION_TYPE_ANY</a>)
+    <span class="comment">// ACLPermissionTypeDeny disallows access</span>
+    <span id="ACLPermissionTypeDeny">ACLPermissionTypeDeny</span> = <a href="#ACLPermissionType">ACLPermissionType</a>(<a href="//golang.org/pkg/C/">C</a>.<a href="//golang.org/pkg/C/#RD_KAFKA_ACL_PERMISSION_TYPE_DENY">RD_KAFKA_ACL_PERMISSION_TYPE_DENY</a>)
+    <span class="comment">// ACLPermissionTypeAllow grants access</span>
+    <span id="ACLPermissionTypeAllow">ACLPermissionTypeAllow</span> = <a href="#ACLPermissionType">ACLPermissionType</a>(<a href="//golang.org/pkg/C/">C</a>.<a href="//golang.org/pkg/C/#RD_KAFKA_ACL_PERMISSION_TYPE_ALLOW">RD_KAFKA_ACL_PERMISSION_TYPE_ALLOW</a>)
 )</pre>
     <pre>const (
     <span class="comment">// TimestampNotAvailable indicates no timestamp was set, or not available due to lacking broker support</span>
@@ -1414,9 +1589,187 @@ <h2 id="WriteErrorCodes">
 librdkafka error codes.
 This function is not intended for public use.
     </p>
+    <h2 id="ACLBinding">
+     type
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=17697:18355#L471">
+      ACLBinding
+     </a>
+     <a class="permalink" href="#ACLBinding">
+      ¶
+     </a>
+    </h2>
+    <p>
+     ACLBinding specifies the operation and permission type for a specific principal
+over one or more resources of the same type. Used by `AdminClient.CreateACLs`,
+returned by `AdminClient.DescribeACLs` and `AdminClient.DeleteACLs`.
+    </p>
+    <pre>type ACLBinding struct {
+<span id="ACLBinding.Type"></span>    Type <a href="#ResourceType">ResourceType</a> <span class="comment">// The resource type.</span>
+    <span class="comment">// The resource name, which depends on the resource type.</span>
+    <span class="comment">// For ResourceBroker the resource name is the broker id.</span>
+<span id="ACLBinding.Name"></span>    Name                <a href="//golang.org/pkg/builtin/#string">string</a>
+<span id="ACLBinding.ResourcePatternType"></span>    ResourcePatternType <a href="#ResourcePatternType">ResourcePatternType</a> <span class="comment">// The resource pattern, relative to the name.</span>
+<span id="ACLBinding.Principal"></span>    Principal           <a href="//golang.org/pkg/builtin/#string">string</a>              <span class="comment">// The principal this ACLBinding refers to.</span>
+<span id="ACLBinding.Host"></span>    Host                <a href="//golang.org/pkg/builtin/#string">string</a>              <span class="comment">// The host that the call is allowed to come from.</span>
+<span id="ACLBinding.Operation"></span>    Operation           <a href="#ACLOperation">ACLOperation</a>        <span class="comment">// The operation/s specified by this binding.</span>
+<span id="ACLBinding.PermissionType"></span>    PermissionType      <a href="#ACLPermissionType">ACLPermissionType</a>   <span class="comment">// The permission type for the specified operation.</span>
+}
+</pre>
+    <h2 id="ACLBindingFilter">
+     type
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=18542:18576#L485">
+      ACLBindingFilter
+     </a>
+     <a class="permalink" href="#ACLBindingFilter">
+      ¶
+     </a>
+    </h2>
+    <p>
+     ACLBindingFilter specifies a filter used to return a list of ACL bindings matching some or all of its attributes.
+Used by `AdminClient.DescribeACLs` and `AdminClient.DeleteACLs`.
+    </p>
+    <pre>type ACLBindingFilter = <a href="#ACLBinding">ACLBinding</a></pre>
+    <h2 id="ACLBindingFilters">
+     type
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=18787:18828#L493">
+      ACLBindingFilters
+     </a>
+     <a class="permalink" href="#ACLBindingFilters">
+      ¶
+     </a>
+    </h2>
+    <p>
+     ACLBindingFilters is a slice of ACLBindingFilter that also implements
+the sort interface
+    </p>
+    <pre>type ACLBindingFilters []<a href="#ACLBindingFilter">ACLBindingFilter</a></pre>
+    <h2 id="ACLBindings">
+     type
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=18661:18690#L489">
+      ACLBindings
+     </a>
+     <a class="permalink" href="#ACLBindings">
+      ¶
+     </a>
+    </h2>
+    <p>
+     ACLBindings is a slice of ACLBinding that also implements
+the sort interface
+    </p>
+    <pre>type ACLBindings []<a href="#ACLBinding">ACLBinding</a></pre>
+    <h3 id="ACLBindings.Len">
+     func (ACLBindings)
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=18830:18860#L495">
+      Len
+     </a>
+     <a class="permalink" href="#ACLBindings.Len">
+      ¶
+     </a>
+    </h3>
+    <pre>func (a <a href="#ACLBindings">ACLBindings</a>) Len() <a href="//golang.org/pkg/builtin/#int">int</a></pre>
+    <h3 id="ACLBindings.Less">
+     func (ACLBindings)
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=18881:18921#L499">
+      Less
+     </a>
+     <a class="permalink" href="#ACLBindings.Less">
+      ¶
+     </a>
+    </h3>
+    <pre>func (a <a href="#ACLBindings">ACLBindings</a>) Less(i, j <a href="//golang.org/pkg/builtin/#int">int</a>) <a href="//golang.org/pkg/builtin/#bool">bool</a></pre>
+    <h3 id="ACLBindings.Swap">
+     func (ACLBindings)
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=19521:19556#L524">
+      Swap
+     </a>
+     <a class="permalink" href="#ACLBindings.Swap">
+      ¶
+     </a>
+    </h3>
+    <pre>func (a <a href="#ACLBindings">ACLBindings</a>) Swap(i, j <a href="//golang.org/pkg/builtin/#int">int</a>)</pre>
+    <h2 id="ACLOperation">
+     type
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=13203:13224#L365">
+      ACLOperation
+     </a>
+     <a class="permalink" href="#ACLOperation">
+      ¶
+     </a>
+    </h2>
+    <p>
+     ACLOperation enumerates the different types of ACL operation.
+    </p>
+    <pre>type ACLOperation <a href="//golang.org/pkg/builtin/#int">int</a></pre>
+    <h3 id="ACLOperationFromString">
+     func
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=15209:15285#L403">
+      ACLOperationFromString
+     </a>
+     <a class="permalink" href="#ACLOperationFromString">
+      ¶
+     </a>
+    </h3>
+    <pre>func ACLOperationFromString(aclOperationString <a href="//golang.org/pkg/builtin/#string">string</a>) (<a href="#ACLOperation">ACLOperation</a>, <a href="//golang.org/pkg/builtin/#error">error</a>)</pre>
+    <p>
+     ACLOperationFromString translates a ACL operation name to
+a ACLOperation value.
+    </p>
+    <h3 id="ACLOperation.String">
+     func (ACLOperation)
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=15001:15038#L397">
+      String
+     </a>
+     <a class="permalink" href="#ACLOperation.String">
+      ¶
+     </a>
+    </h3>
+    <pre>func (o <a href="#ACLOperation">ACLOperation</a>) String() <a href="//golang.org/pkg/builtin/#string">string</a></pre>
+    <p>
+     String returns the human-readable representation of an ACLOperation
+    </p>
+    <h2 id="ACLPermissionType">
+     type
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=16151:16177#L435">
+      ACLPermissionType
+     </a>
+     <a class="permalink" href="#ACLPermissionType">
+      ¶
+     </a>
+    </h2>
+    <p>
+     ACLPermissionType enumerates the different types of ACL permission types.
+    </p>
+    <pre>type ACLPermissionType <a href="//golang.org/pkg/builtin/#int">int</a></pre>
+    <h3 id="ACLPermissionTypeFromString">
+     func
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=17052:17143#L455">
+      ACLPermissionTypeFromString
+     </a>
+     <a class="permalink" href="#ACLPermissionTypeFromString">
+      ¶
+     </a>
+    </h3>
+    <pre>func ACLPermissionTypeFromString(aclPermissionTypeString <a href="//golang.org/pkg/builtin/#string">string</a>) (<a href="#ACLPermissionType">ACLPermissionType</a>, <a href="//golang.org/pkg/builtin/#error">error</a>)</pre>
+    <p>
+     ACLPermissionTypeFromString translates a ACL permission type name to
+a ACLPermissionType value.
+    </p>
+    <h3 id="ACLPermissionType.String">
+     func (ACLPermissionType)
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=16813:16855#L449">
+      String
+     </a>
+     <a class="permalink" href="#ACLPermissionType.String">
+      ¶
+     </a>
+    </h3>
+    <pre>func (o <a href="#ACLPermissionType">ACLPermissionType</a>) String() <a href="//golang.org/pkg/builtin/#string">string</a></pre>
+    <p>
+     String returns the human-readable representation of an ACLPermissionType
+    </p>
     <h2 id="AdminClient">
      type
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=1375:1476#L45">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=2047:2148#L66">
       AdminClient
      </a>
      <a class="permalink" href="#AdminClient">
@@ -1432,7 +1785,7 @@ <h2 id="AdminClient">
 </pre>
     <h3 id="NewAdminClient">
      func
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=32498:32556#L957">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=54721:54779#L1544">
       NewAdminClient
      </a>
      <a class="permalink" href="#NewAdminClient">
@@ -1445,7 +1798,7 @@ <h3 id="NewAdminClient">
     </p>
     <h3 id="NewAdminClientFromConsumer">
      func
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=34021:34093#L1006">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=56244:56316#L1593">
       NewAdminClientFromConsumer
      </a>
      <a class="permalink" href="#NewAdminClientFromConsumer">
@@ -1459,7 +1812,7 @@ <h3 id="NewAdminClientFromConsumer">
     </p>
     <h3 id="NewAdminClientFromProducer">
      func
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=33557:33629#L993">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=55780:55852#L1580">
       NewAdminClientFromProducer
      </a>
      <a class="permalink" href="#NewAdminClientFromProducer">
@@ -1473,7 +1826,7 @@ <h3 id="NewAdminClientFromProducer">
     </p>
     <h3 id="AdminClient.AlterConfigs">
      func (*AdminClient)
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=25073:25235#L743">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=34443:34605#L983">
       AlterConfigs
      </a>
      <a class="permalink" href="#AdminClient.AlterConfigs">
@@ -1506,7 +1859,7 @@ <h3 id="AdminClient.AlterConfigs">
     </p>
     <h3 id="AdminClient.Close">
      func (*AdminClient)
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=32222:32251#L944">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=54445:54474#L1531">
       Close
      </a>
      <a class="permalink" href="#AdminClient.Close">
@@ -1519,7 +1872,7 @@ <h3 id="AdminClient.Close">
     </p>
     <h3 id="AdminClient.ClusterID">
      func (*AdminClient)
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=14520:14602#L420">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=23890:23972#L660">
       ClusterID
      </a>
      <a class="permalink" href="#AdminClient.ClusterID">
@@ -1540,7 +1893,7 @@ <h3 id="AdminClient.ClusterID">
     </p>
     <h3 id="AdminClient.ControllerID">
      func (*AdminClient)
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=15512:15599#L452">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=24882:24969#L692">
       ControllerID
      </a>
      <a class="permalink" href="#AdminClient.ControllerID">
@@ -1560,9 +1913,33 @@ <h3 id="AdminClient.ControllerID">
     <p>
      Requires broker version &gt;= 0.10.0.
     </p>
+    <h3 id="AdminClient.CreateACLs">
+     func (*AdminClient)
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=47740:47890#L1342">
+      CreateACLs
+     </a>
+     <a class="permalink" href="#AdminClient.CreateACLs">
+      ¶
+     </a>
+    </h3>
+    <pre>func (a *<a href="#AdminClient">AdminClient</a>) CreateACLs(ctx <a href="//golang.org/pkg/context/">context</a>.<a href="//golang.org/pkg/context/#Context">Context</a>, aclBindings <a href="#ACLBindings">ACLBindings</a>, options ...<a href="#CreateACLsAdminOption">CreateACLsAdminOption</a>) (result []<a href="#CreateACLResult">CreateACLResult</a>, err <a href="//golang.org/pkg/builtin/#error">error</a>)</pre>
+    <p>
+     CreateACLs creates one or more ACL bindings.
+    </p>
+    <p>
+     Parameters:
+    </p>
+    <pre>* `ctx` - context with the maximum amount of time to block, or nil for indefinite.
+* `aclBindings` - A slice of ACL binding specifications to create.
+* `options` - Create ACLs options
+</pre>
+    <p>
+     Returns a slice of CreateACLResult with a ErrNoError ErrorCode when the operation was successful
+plus an error that is not nil for client level errors
+    </p>
     <h3 id="AdminClient.CreatePartitions">
      func (*AdminClient)
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=21853:22024#L653">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=31223:31394#L893">
       CreatePartitions
      </a>
      <a class="permalink" href="#AdminClient.CreatePartitions">
@@ -1575,7 +1952,7 @@ <h3 id="AdminClient.CreatePartitions">
     </p>
     <h3 id="AdminClient.CreateTopics">
      func (*AdminClient)
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=16342:16496#L481">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=25712:25866#L721">
       CreateTopics
      </a>
      <a class="permalink" href="#AdminClient.CreateTopics">
@@ -1596,9 +1973,38 @@ <h3 id="AdminClient.CreateTopics">
     <p>
      Note: TopicSpecification is analogous to NewTopic in the Java Topic Admin API.
     </p>
+    <h3 id="AdminClient.DeleteACLs">
+     func (*AdminClient)
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=52431:52594#L1471">
+      DeleteACLs
+     </a>
+     <a class="permalink" href="#AdminClient.DeleteACLs">
+      ¶
+     </a>
+    </h3>
+    <pre>func (a *<a href="#AdminClient">AdminClient</a>) DeleteACLs(ctx <a href="//golang.org/pkg/context/">context</a>.<a href="//golang.org/pkg/context/#Context">Context</a>, aclBindingFilters <a href="#ACLBindingFilters">ACLBindingFilters</a>, options ...<a href="#DeleteACLsAdminOption">DeleteACLsAdminOption</a>) (result []<a href="#DeleteACLsResult">DeleteACLsResult</a>, err <a href="//golang.org/pkg/builtin/#error">error</a>)</pre>
+    <p>
+     DeleteACLs deletes ACL bindings matching one or more ACL binding filters.
+    </p>
+    <p>
+     Parameters:
+    </p>
+    <pre>* `ctx` - context with the maximum amount of time to block, or nil for indefinite.
+* `aclBindingFilters` - a slice of ACL binding filters to match ACLs to delete.
+   string attributes match exact values or any string if set to empty string.
+   Enum attributes match exact values or any value if ending with `Any`.
+   If `ResourcePatternType` is set to `ResourcePatternTypeMatch` returns all
+   the ACL bindings with `ResourcePatternTypeLiteral`, `ResourcePatternTypeWildcard`
+   or `ResourcePatternTypePrefixed` pattern type that match the resource name.
+* `options` - Delete ACLs options
+</pre>
+    <p>
+     Returns a slice of ACLBinding for each filter when the operation was successful
+plus an error that is not `nil` for client level errors
+    </p>
     <h3 id="AdminClient.DeleteTopics">
      func (*AdminClient)
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=20080:20222#L595">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=29450:29592#L835">
       DeleteTopics
      </a>
      <a class="permalink" href="#AdminClient.DeleteTopics">
@@ -1619,9 +2025,38 @@ <h3 id="AdminClient.DeleteTopics">
     <p>
      Requires broker version &gt;= 0.10.1.0
     </p>
+    <h3 id="AdminClient.DescribeACLs">
+     func (*AdminClient)
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=50370:50536#L1416">
+      DescribeACLs
+     </a>
+     <a class="permalink" href="#AdminClient.DescribeACLs">
+      ¶
+     </a>
+    </h3>
+    <pre>func (a *<a href="#AdminClient">AdminClient</a>) DescribeACLs(ctx <a href="//golang.org/pkg/context/">context</a>.<a href="//golang.org/pkg/context/#Context">Context</a>, aclBindingFilter <a href="#ACLBindingFilter">ACLBindingFilter</a>, options ...<a href="#DescribeACLsAdminOption">DescribeACLsAdminOption</a>) (result *<a href="#DescribeACLsResult">DescribeACLsResult</a>, err <a href="//golang.org/pkg/builtin/#error">error</a>)</pre>
+    <p>
+     DescribeACLs matches ACL bindings by filter.
+    </p>
+    <p>
+     Parameters:
+    </p>
+    <pre>* `ctx` - context with the maximum amount of time to block, or nil for indefinite.
+* `aclBindingFilter` - A filter with attributes that must match.
+   string attributes match exact values or any string if set to empty string.
+   Enum attributes match exact values or any value if ending with `Any`.
+   If `ResourcePatternType` is set to `ResourcePatternTypeMatch` returns all
+   the ACL bindings with `ResourcePatternTypeLiteral`, `ResourcePatternTypeWildcard`
+   or `ResourcePatternTypePrefixed` pattern type that match the resource name.
+* `options` - Describe ACLs options
+</pre>
+    <p>
+     Returns a slice of ACLBindings when the operation was successful
+plus an error that is not `nil` for client level errors
+    </p>
     <h3 id="AdminClient.DescribeConfigs">
      func (*AdminClient)
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=28275:28443#L841">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=37645:37813#L1081">
       DescribeConfigs
      </a>
      <a class="permalink" href="#AdminClient.DescribeConfigs">
@@ -1661,7 +2096,7 @@ <h3 id="AdminClient.DescribeConfigs">
     </p>
     <h3 id="AdminClient.GetMetadata">
      func (*AdminClient)
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=30456:30554#L904">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=39826:39924#L1144">
       GetMetadata
      </a>
      <a class="permalink" href="#AdminClient.GetMetadata">
@@ -1678,7 +2113,7 @@ <h3 id="AdminClient.GetMetadata">
     </p>
     <h3 id="AdminClient.SetOAuthBearerToken">
      func (*AdminClient)
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=31480:31562#L928">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=40850:40932#L1168">
       SetOAuthBearerToken
      </a>
      <a class="permalink" href="#AdminClient.SetOAuthBearerToken">
@@ -1703,7 +2138,7 @@ <h3 id="AdminClient.SetOAuthBearerToken">
     </p>
     <h3 id="AdminClient.SetOAuthBearerTokenFailure">
      func (*AdminClient)
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=32061:32130#L939">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=41431:41500#L1179">
       SetOAuthBearerTokenFailure
      </a>
      <a class="permalink" href="#AdminClient.SetOAuthBearerTokenFailure">
@@ -1722,7 +2157,7 @@ <h3 id="AdminClient.SetOAuthBearerTokenFailure">
     </p>
     <h3 id="AdminClient.String">
      func (*AdminClient)
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=30680:30717#L909">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=40050:40087#L1149">
       String
      </a>
      <a class="permalink" href="#AdminClient.String">
@@ -1735,7 +2170,7 @@ <h3 id="AdminClient.String">
     </p>
     <h2 id="AdminOption">
      type
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminoptions.go?s=6791:6871#L236">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminoptions.go?s=7543:7623#L269">
       AdminOption
      </a>
      <a class="permalink" href="#AdminOption">
@@ -1876,7 +2311,7 @@ <h2 id="AdminOptionValidateOnly">
 </pre>
     <h3 id="SetAdminValidateOnly">
      func
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminoptions.go?s=5406:5479#L187">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminoptions.go?s=5594:5667#L196">
       SetAdminValidateOnly
      </a>
      <a class="permalink" href="#SetAdminValidateOnly">
@@ -1896,7 +2331,7 @@ <h3 id="SetAdminValidateOnly">
     </p>
     <h2 id="AlterConfigsAdminOption">
      type
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminoptions.go?s=6371:6487#L220">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminoptions.go?s=6559:6675#L229">
       AlterConfigsAdminOption
      </a>
      <a class="permalink" href="#AlterConfigsAdminOption">
@@ -1914,7 +2349,7 @@ <h2 id="AlterConfigsAdminOption">
 }</pre>
     <h2 id="AlterOperation">
      type
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=6820:6843#L188">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=7492:7515#L209">
       AlterOperation
      </a>
      <a class="permalink" href="#AlterOperation">
@@ -1928,7 +2363,7 @@ <h2 id="AlterOperation">
     <pre>type AlterOperation <a href="//golang.org/pkg/builtin/#int">int</a></pre>
     <h3 id="AlterOperation.String">
      func (AlterOperation)
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=7020:7059#L196">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=7692:7731#L217">
       String
      </a>
      <a class="permalink" href="#AlterOperation.String">
@@ -1985,7 +2420,7 @@ <h2 id="BrokerMetadata">
 </pre>
     <h2 id="ConfigEntry">
      type
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=7246:7473#L206">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=7918:8145#L227">
       ConfigEntry
      </a>
      <a class="permalink" href="#ConfigEntry">
@@ -2006,7 +2441,7 @@ <h2 id="ConfigEntry">
 </pre>
     <h3 id="StringMapToConfigEntries">
      func
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=7626:7724#L217">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=8298:8396#L238">
       StringMapToConfigEntries
      </a>
      <a class="permalink" href="#StringMapToConfigEntries">
@@ -2020,7 +2455,7 @@ <h3 id="StringMapToConfigEntries">
     </p>
     <h3 id="ConfigEntry.String">
      func (ConfigEntry)
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=7955:7991#L228">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=8627:8663#L249">
       String
      </a>
      <a class="permalink" href="#ConfigEntry.String">
@@ -2033,7 +2468,7 @@ <h3 id="ConfigEntry.String">
     </p>
     <h2 id="ConfigEntryResult">
      type
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=8171:8904#L234">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=8843:9576#L255">
       ConfigEntryResult
      </a>
      <a class="permalink" href="#ConfigEntryResult">
@@ -2063,7 +2498,7 @@ <h2 id="ConfigEntryResult">
 </pre>
     <h3 id="ConfigEntryResult.String">
      func (ConfigEntryResult)
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=8980:9022#L252">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=9652:9694#L273">
       String
      </a>
      <a class="permalink" href="#ConfigEntryResult.String">
@@ -2149,7 +2584,7 @@ <h3 id="ConfigMap.SetKey">
     </p>
     <h2 id="ConfigResource">
      type
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=6142:6537#L169">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=6814:7209#L190">
       ConfigResource
      </a>
      <a class="permalink" href="#ConfigResource">
@@ -2173,7 +2608,7 @@ <h2 id="ConfigResource">
 </pre>
     <h3 id="ConfigResource.String">
      func (ConfigResource)
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=6609:6648#L182">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=7281:7320#L203">
       String
      </a>
      <a class="permalink" href="#ConfigResource.String">
@@ -2186,7 +2621,7 @@ <h3 id="ConfigResource.String">
     </p>
     <h2 id="ConfigResourceResult">
      type
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=10150:10449#L285">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=10822:11121#L306">
       ConfigResourceResult
      </a>
      <a class="permalink" href="#ConfigResourceResult">
@@ -2210,7 +2645,7 @@ <h2 id="ConfigResourceResult">
 </pre>
     <h3 id="ConfigResourceResult.String">
      func (ConfigResourceResult)
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=10528:10573#L297">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=11200:11245#L318">
       String
      </a>
      <a class="permalink" href="#ConfigResourceResult.String">
@@ -2223,7 +2658,7 @@ <h3 id="ConfigResourceResult.String">
     </p>
     <h2 id="ConfigSource">
      type
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=4717:4738#L146">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=5389:5410#L167">
       ConfigSource
      </a>
      <a class="permalink" href="#ConfigSource">
@@ -2236,7 +2671,7 @@ <h2 id="ConfigSource">
     <pre>type ConfigSource <a href="//golang.org/pkg/builtin/#int">int</a></pre>
     <h3 id="ConfigSource.String">
      func (ConfigSource)
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=5933:5970#L164">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=6605:6642#L185">
       String
      </a>
      <a class="permalink" href="#ConfigSource.String">
@@ -2943,9 +3378,44 @@ <h3 id="NewTestConsumerGroupMetadata">
 mainly for testing use.
 Use GetConsumerGroupMetadata() to retrieve the real metadata.
     </p>
+    <h2 id="CreateACLResult">
+     type
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=19645:19760#L529">
+      CreateACLResult
+     </a>
+     <a class="permalink" href="#CreateACLResult">
+      ¶
+     </a>
+    </h2>
+    <p>
+     CreateACLResult provides create ACL error information.
+    </p>
+    <pre>type CreateACLResult struct {
+<span id="CreateACLResult.Error"></span>    <span class="comment">// Error, if any, of result. Check with `Error.Code() != ErrNoError`.</span>
+    Error <a href="#Error">Error</a>
+}
+</pre>
+    <h2 id="CreateACLsAdminOption">
+     type
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminoptions.go?s=6952:7064#L245">
+      CreateACLsAdminOption
+     </a>
+     <a class="permalink" href="#CreateACLsAdminOption">
+      ¶
+     </a>
+    </h2>
+    <p>
+     CreateACLsAdminOption - see setter.
+    </p>
+    <p>
+     See SetAdminRequestTimeout
+    </p>
+    <pre>type CreateACLsAdminOption interface {
+    <span class="comment">// contains filtered or unexported methods</span>
+}</pre>
     <h2 id="CreatePartitionsAdminOption">
      type
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminoptions.go?s=6126:6250#L212">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminoptions.go?s=6314:6438#L221">
       CreatePartitionsAdminOption
      </a>
      <a class="permalink" href="#CreatePartitionsAdminOption">
@@ -2963,7 +3433,7 @@ <h2 id="CreatePartitionsAdminOption">
 }</pre>
     <h2 id="CreateTopicsAdminOption">
      type
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminoptions.go?s=5660:5776#L196">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminoptions.go?s=5848:5964#L205">
       CreateTopicsAdminOption
      </a>
      <a class="permalink" href="#CreateTopicsAdminOption">
@@ -2979,9 +3449,40 @@ <h2 id="CreateTopicsAdminOption">
     <pre>type CreateTopicsAdminOption interface {
     <span class="comment">// contains filtered or unexported methods</span>
 }</pre>
+    <h2 id="DeleteACLsAdminOption">
+     type
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminoptions.go?s=7330:7442#L261">
+      DeleteACLsAdminOption
+     </a>
+     <a class="permalink" href="#DeleteACLsAdminOption">
+      ¶
+     </a>
+    </h2>
+    <p>
+     DeleteACLsAdminOption - see setter.
+    </p>
+    <p>
+     See SetAdminRequestTimeout
+    </p>
+    <pre>type DeleteACLsAdminOption interface {
+    <span class="comment">// contains filtered or unexported methods</span>
+}</pre>
+    <h2 id="DeleteACLsResult">
+     type
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=20106:20148#L543">
+      DeleteACLsResult
+     </a>
+     <a class="permalink" href="#DeleteACLsResult">
+      ¶
+     </a>
+    </h2>
+    <p>
+     DeleteACLsResult provides delete ACLs result or error information.
+    </p>
+    <pre>type DeleteACLsResult = <a href="#DescribeACLsResult">DescribeACLsResult</a></pre>
     <h2 id="DeleteTopicsAdminOption">
      type
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminoptions.go?s=5880:5996#L204">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminoptions.go?s=6068:6184#L213">
       DeleteTopicsAdminOption
      </a>
      <a class="permalink" href="#DeleteTopicsAdminOption">
@@ -2997,9 +3498,46 @@ <h2 id="DeleteTopicsAdminOption">
     <pre>type DeleteTopicsAdminOption interface {
     <span class="comment">// contains filtered or unexported methods</span>
 }</pre>
+    <h2 id="DescribeACLsAdminOption">
+     type
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminoptions.go?s=7140:7256#L253">
+      DescribeACLsAdminOption
+     </a>
+     <a class="permalink" href="#DescribeACLsAdminOption">
+      ¶
+     </a>
+    </h2>
+    <p>
+     DescribeACLsAdminOption - see setter.
+    </p>
+    <p>
+     See SetAdminRequestTimeout
+    </p>
+    <pre>type DescribeACLsAdminOption interface {
+    <span class="comment">// contains filtered or unexported methods</span>
+}</pre>
+    <h2 id="DescribeACLsResult">
+     type
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=19836:20034#L535">
+      DescribeACLsResult
+     </a>
+     <a class="permalink" href="#DescribeACLsResult">
+      ¶
+     </a>
+    </h2>
+    <p>
+     DescribeACLsResult provides describe ACLs result or error information.
+    </p>
+    <pre>type DescribeACLsResult struct {
+    <span class="comment">// Slice of ACL bindings matching the provided filter</span>
+<span id="DescribeACLsResult.ACLBindings"></span>    ACLBindings <a href="#ACLBindings">ACLBindings</a>
+<span id="DescribeACLsResult.Error"></span>    <span class="comment">// Error, if any, of result. Check with `Error.Code() != ErrNoError`.</span>
+    Error <a href="#Error">Error</a>
+}
+</pre>
     <h2 id="DescribeConfigsAdminOption">
      type
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminoptions.go?s=6568:6690#L228">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminoptions.go?s=6756:6878#L237">
       DescribeConfigsAdminOption
      </a>
      <a class="permalink" href="#DescribeConfigsAdminOption">
@@ -3046,7 +3584,7 @@ <h3 id="NewError">
     </p>
     <h3 id="Error.Code">
      func (Error)
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/error.go?s=2769:2800#L96">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/error.go?s=2925:2956#L101">
       Code
      </a>
      <a class="permalink" href="#Error.Code">
@@ -3059,7 +3597,7 @@ <h3 id="Error.Code">
     </p>
     <h3 id="Error.Error">
      func (Error)
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/error.go?s=2392:2421#L75">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/error.go?s=2548:2577#L80">
       Error
      </a>
      <a class="permalink" href="#Error.Error">
@@ -3073,7 +3611,7 @@ <h3 id="Error.Error">
     </p>
     <h3 id="Error.IsFatal">
      func (Error)
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/error.go?s=3044:3073#L104">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/error.go?s=3200:3229#L109">
       IsFatal
      </a>
      <a class="permalink" href="#Error.IsFatal">
@@ -3089,7 +3627,7 @@ <h3 id="Error.IsFatal">
     </p>
     <h3 id="Error.IsRetriable">
      func (Error)
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/error.go?s=3252:3285#L111">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/error.go?s=3408:3441#L116">
       IsRetriable
      </a>
      <a class="permalink" href="#Error.IsRetriable">
@@ -3104,7 +3642,7 @@ <h3 id="Error.IsRetriable">
     </p>
     <h3 id="Error.String">
      func (Error)
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/error.go?s=2508:2538#L80">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/error.go?s=2664:2694#L85">
       String
      </a>
      <a class="permalink" href="#Error.String">
@@ -3117,7 +3655,7 @@ <h3 id="Error.String">
     </p>
     <h3 id="Error.TxnRequiresAbort">
      func (Error)
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/error.go?s=3654:3692#L120">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/error.go?s=3810:3848#L125">
       TxnRequiresAbort
      </a>
      <a class="permalink" href="#Error.TxnRequiresAbort">
@@ -3134,7 +3672,7 @@ <h3 id="Error.TxnRequiresAbort">
     </p>
     <h2 id="ErrorCode">
      type
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/generated_errors.go?s=279:297#L1">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/generated_errors.go?s=283:301#L1">
       ErrorCode
      </a>
      <a class="permalink" href="#ErrorCode">
@@ -3467,7 +4005,7 @@ <h2 id="ErrorCode">
 )</pre>
     <h3 id="ErrorCode.String">
      func (ErrorCode)
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/generated_errors.go?s=366:400#L4">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/generated_errors.go?s=370:404#L4">
       String
      </a>
      <a class="permalink" href="#ErrorCode.String">
@@ -3930,7 +4468,7 @@ <h2 id="PartitionMetadata">
 </pre>
     <h2 id="PartitionsSpecification">
      type
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=2934:3448#L94">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=3606:4120#L115">
       PartitionsSpecification
      </a>
      <a class="permalink" href="#PartitionsSpecification">
@@ -4551,9 +5089,49 @@ <h2 id="RebalanceCb">
 The passed Event will be either AssignedPartitions or RevokedPartitions
     </p>
     <pre>type RebalanceCb func(*<a href="#Consumer">Consumer</a>, <a href="#Event">Event</a>) <a href="//golang.org/pkg/builtin/#error">error</a></pre>
+    <h2 id="ResourcePatternType">
+     type
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=11534:11562#L327">
+      ResourcePatternType
+     </a>
+     <a class="permalink" href="#ResourcePatternType">
+      ¶
+     </a>
+    </h2>
+    <p>
+     ResourcePatternType enumerates the different types of Kafka resource patterns.
+    </p>
+    <pre>type ResourcePatternType <a href="//golang.org/pkg/builtin/#int">int</a></pre>
+    <h3 id="ResourcePatternTypeFromString">
+     func
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=12662:12751#L349">
+      ResourcePatternTypeFromString
+     </a>
+     <a class="permalink" href="#ResourcePatternTypeFromString">
+      ¶
+     </a>
+    </h3>
+    <pre>func ResourcePatternTypeFromString(patternTypeString <a href="//golang.org/pkg/builtin/#string">string</a>) (<a href="#ResourcePatternType">ResourcePatternType</a>, <a href="//golang.org/pkg/builtin/#error">error</a>)</pre>
+    <p>
+     ResourcePatternTypeFromString translates a resource pattern type name to
+a ResourcePatternType value.
+    </p>
+    <h3 id="ResourcePatternType.String">
+     func (ResourcePatternType)
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=12411:12455#L343">
+      String
+     </a>
+     <a class="permalink" href="#ResourcePatternType.String">
+      ¶
+     </a>
+    </h3>
+    <pre>func (t <a href="#ResourcePatternType">ResourcePatternType</a>) String() <a href="//golang.org/pkg/builtin/#string">string</a></pre>
+    <p>
+     String returns the human-readable representation of a ResourcePatternType
+    </p>
     <h2 id="ResourceType">
      type
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=3507:3528#L108">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=4179:4200#L129">
       ResourceType
      </a>
      <a class="permalink" href="#ResourceType">
@@ -4566,7 +5144,7 @@ <h2 id="ResourceType">
     <pre>type ResourceType <a href="//golang.org/pkg/builtin/#int">int</a></pre>
     <h3 id="ResourceTypeFromString">
      func
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=4283:4351#L130">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=4955:5023#L151">
       ResourceTypeFromString
      </a>
      <a class="permalink" href="#ResourceTypeFromString">
@@ -4580,7 +5158,7 @@ <h3 id="ResourceTypeFromString">
     </p>
     <h3 id="ResourceType.String">
      func (ResourceType)
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=4068:4105#L124">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=4740:4777#L145">
       String
      </a>
      <a class="permalink" href="#ResourceType.String">
@@ -4760,7 +5338,7 @@ <h3 id="TopicPartitions.Swap">
     <pre>func (tps <a href="#TopicPartitions">TopicPartitions</a>) Swap(i, j <a href="//golang.org/pkg/builtin/#int">int</a>)</pre>
     <h2 id="TopicResult">
      type
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=1673:1813#L58">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=2345:2485#L79">
       TopicResult
      </a>
      <a class="permalink" href="#TopicResult">
@@ -4779,7 +5357,7 @@ <h2 id="TopicResult">
 </pre>
     <h3 id="TopicResult.String">
      func (TopicResult)
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=1883:1919#L66">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=2555:2591#L87">
       String
      </a>
      <a class="permalink" href="#TopicResult.String">
@@ -4792,7 +5370,7 @@ <h3 id="TopicResult.String">
     </p>
     <h2 id="TopicSpecification">
      type
-     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=2163:2754#L75">
+     <a href="//golang.org/src/github.com/confluentinc/confluent-kafka-go/kafka/adminapi.go?s=2835:3426#L96">
       TopicSpecification
      </a>
      <a class="permalink" href="#TopicSpecification">
diff --git a/kafka/error.go b/kafka/error.go
index 1827f43e1..193e7ea3e 100644
--- a/kafka/error.go
+++ b/kafka/error.go
@@ -67,10 +67,8 @@ func newCErrorFromString(code C.rd_kafka_resp_err_t, str string) (err Error) {
 	return newErrorFromString(ErrorCode(code), str)
 }
 
-// newErrorFromCError creates a new Error instance and destroys
-// the passed cError.
-func newErrorFromCErrorDestroy(cError *C.rd_kafka_error_t) Error {
-	defer C.rd_kafka_error_destroy(cError)
+// newErrorFromCError creates a new Error instance
+func newErrorFromCError(cError *C.rd_kafka_error_t) Error {
 	return Error{
 		code:             ErrorCode(C.rd_kafka_error_code(cError)),
 		str:              C.GoString(C.rd_kafka_error_string(cError)),
@@ -80,6 +78,13 @@ func newErrorFromCErrorDestroy(cError *C.rd_kafka_error_t) Error {
 	}
 }
 
+// newErrorFromCErrorDestroy creates a new Error instance and destroys
+// the passed cError.
+func newErrorFromCErrorDestroy(cError *C.rd_kafka_error_t) Error {
+	defer C.rd_kafka_error_destroy(cError)
+	return newErrorFromCError(cError)
+}
+
 // Error returns a human readable representation of an Error
 // Same as Error.String()
 func (e Error) Error() string {
diff --git a/kafka/integration_test.go b/kafka/integration_test.go
index 917f1a9df..ebb26c32b 100644
--- a/kafka/integration_test.go
+++ b/kafka/integration_test.go
@@ -24,6 +24,7 @@ import (
 	"path"
 	"reflect"
 	"runtime"
+	"sort"
 	"testing"
 	"time"
 )
@@ -1654,3 +1655,197 @@ func TestAdminClient_ControllerID(t *testing.T) {
 
 	t.Logf("ControllerID: %d\n", controllerID)
 }
+
+func TestAdminACLs(t *testing.T) {
+	if !testconfRead() {
+		t.Skipf("Missing testconf.json")
+	}
+
+	rand.Seed(time.Now().Unix())
+	topic := testconf.Topic
+	group := testconf.GroupID
+	noError := NewError(ErrNoError, "", false)
+	unknownError := NewError(ErrUnknown, "Unknown broker error", false)
+	var expectedCreateACLs []CreateACLResult
+	var expectedDescribeACLs DescribeACLsResult
+	var expectedDeleteACLs []DeleteACLsResult
+	var ctx context.Context
+	var cancel context.CancelFunc
+
+	a := createAdminClient(t)
+	defer a.Close()
+
+	maxDuration, err := time.ParseDuration("30s")
+	if err != nil {
+		t.Fatalf("%s", err)
+	}
+	requestTimeout, err := time.ParseDuration("20s")
+	if err != nil {
+		t.Fatalf("%s", err)
+	}
+
+	checkExpectedResult := func(expected interface{}, result interface{}) {
+		if !reflect.DeepEqual(result, expected) {
+			t.Fatalf("Expected result to deep equal to %v, but found %v", expected, result)
+		}
+	}
+
+	// Create ACLs
+	t.Logf("Creating ACLs\n")
+	newACLs := ACLBindings{
+		{
+			Type:                ResourceTopic,
+			Name:                topic,
+			ResourcePatternType: ResourcePatternTypeLiteral,
+			Principal:           "User:test-user-1",
+			Host:                "*",
+			Operation:           ACLOperationRead,
+			PermissionType:      ACLPermissionTypeAllow,
+		},
+		{
+			Type:                ResourceTopic,
+			Name:                topic,
+			ResourcePatternType: ResourcePatternTypePrefixed,
+			Principal:           "User:test-user-2",
+			Host:                "*",
+			Operation:           ACLOperationWrite,
+			PermissionType:      ACLPermissionTypeDeny,
+		},
+		{
+			Type:                ResourceGroup,
+			Name:                group,
+			ResourcePatternType: ResourcePatternTypePrefixed,
+			Principal:           "User:test-user-2",
+			Host:                "*",
+			Operation:           ACLOperationAll,
+			PermissionType:      ACLPermissionTypeAllow,
+		},
+	}
+
+	invalidACLs := ACLBindings{
+		{
+			Type:                ResourceTopic,
+			Name:                topic,
+			ResourcePatternType: ResourcePatternTypeLiteral,
+			// Principal must be in the form "{principalType}:{principalName}"
+			// Broker returns ErrUnknown in this case
+			Principal:      "wrong-principal",
+			Host:           "*",
+			Operation:      ACLOperationRead,
+			PermissionType: ACLPermissionTypeAllow,
+		},
+	}
+
+	aclBindingFilters := ACLBindingFilters{
+		{
+			Type:                ResourceAny,
+			ResourcePatternType: ResourcePatternTypeAny,
+			Operation:           ACLOperationAny,
+			PermissionType:      ACLPermissionTypeAny,
+		},
+		{
+			Type:                ResourceAny,
+			ResourcePatternType: ResourcePatternTypePrefixed,
+			Operation:           ACLOperationAny,
+			PermissionType:      ACLPermissionTypeAny,
+		},
+		{
+			Type:                ResourceTopic,
+			ResourcePatternType: ResourcePatternTypeAny,
+			Operation:           ACLOperationAny,
+			PermissionType:      ACLPermissionTypeAny,
+		},
+		{
+			Type:                ResourceGroup,
+			ResourcePatternType: ResourcePatternTypeAny,
+			Operation:           ACLOperationAny,
+			PermissionType:      ACLPermissionTypeAny,
+		},
+	}
+
+	// CreateACLs should be idempotent
+	for n := 0; n < 2; n++ {
+		ctx, cancel = context.WithTimeout(context.Background(), maxDuration)
+		defer cancel()
+
+		resultCreateACLs, err := a.CreateACLs(ctx, newACLs, SetAdminRequestTimeout(requestTimeout))
+		if err != nil {
+			t.Fatalf("CreateACLs() failed: %s", err)
+		}
+		expectedCreateACLs = []CreateACLResult{{Error: noError}, {Error: noError}, {Error: noError}}
+		checkExpectedResult(expectedCreateACLs, resultCreateACLs)
+	}
+
+	// CreateACLs with server side validation errors
+	ctx, cancel = context.WithTimeout(context.Background(), maxDuration)
+	defer cancel()
+
+	resultCreateACLs, err := a.CreateACLs(ctx, invalidACLs, SetAdminRequestTimeout(requestTimeout))
+	if err != nil {
+		t.Fatalf("CreateACLs() failed: %s", err)
+	}
+	expectedCreateACLs = []CreateACLResult{{Error: unknownError}}
+	checkExpectedResult(expectedCreateACLs, resultCreateACLs)
+
+	// DescribeACLs must return the three ACLs
+	ctx, cancel = context.WithTimeout(context.Background(), maxDuration)
+	defer cancel()
+	resultDescribeACLs, err := a.DescribeACLs(ctx, aclBindingFilters[0], SetAdminRequestTimeout(requestTimeout))
+	expectedDescribeACLs = DescribeACLsResult{
+		Error:       noError,
+		ACLBindings: newACLs,
+	}
+	if err != nil {
+		t.Fatalf("%s", err)
+	}
+	sort.Sort(&resultDescribeACLs.ACLBindings)
+	checkExpectedResult(expectedDescribeACLs, *resultDescribeACLs)
+
+	// Delete the ACLs with ResourcePatternTypePrefixed
+	ctx, cancel = context.WithTimeout(context.Background(), maxDuration)
+	defer cancel()
+	resultDeleteACLs, err := a.DeleteACLs(ctx, aclBindingFilters[1:2], SetAdminRequestTimeout(requestTimeout))
+	expectedDeleteACLs = []DeleteACLsResult{
+		{
+			Error:       noError,
+			ACLBindings: newACLs[1:3],
+		},
+	}
+	if err != nil {
+		t.Fatalf("%s", err)
+	}
+	sort.Sort(&resultDeleteACLs[0].ACLBindings)
+	checkExpectedResult(expectedDeleteACLs, resultDeleteACLs)
+
+	// Delete the ACLs with ResourceTopic and ResourceGroup
+	ctx, cancel = context.WithTimeout(context.Background(), maxDuration)
+	defer cancel()
+	resultDeleteACLs, err = a.DeleteACLs(ctx, aclBindingFilters[2:4], SetAdminRequestTimeout(requestTimeout))
+	expectedDeleteACLs = []DeleteACLsResult{
+		{
+			Error:       noError,
+			ACLBindings: newACLs[0:1],
+		},
+		{
+			Error:       noError,
+			ACLBindings: ACLBindings{},
+		},
+	}
+	if err != nil {
+		t.Fatalf("%s", err)
+	}
+	checkExpectedResult(expectedDeleteACLs, resultDeleteACLs)
+
+	// All the ACLs should have been deleted
+	ctx, cancel = context.WithTimeout(context.Background(), maxDuration)
+	defer cancel()
+	resultDescribeACLs, err = a.DescribeACLs(ctx, aclBindingFilters[0], SetAdminRequestTimeout(requestTimeout))
+	expectedDescribeACLs = DescribeACLsResult{
+		Error:       noError,
+		ACLBindings: ACLBindings{},
+	}
+	if err != nil {
+		t.Fatalf("%s", err)
+	}
+	checkExpectedResult(expectedDescribeACLs, *resultDescribeACLs)
+}