Kafka's security model is designed to be granular and responsive. The broker's authorizer component intercepts every single client request that involves a resource (e.g., a Produce request to a topic, a Fetch request from a topic, or a Describe request for a consumer group). For each of these requests, the authorizer checks the principal's permissions against the currently defined Access Control Lists (ACLs). This per-request authorization ensures that any changes to ACLs, such as revoking a permission, are enforced immediately on the next client operation, providing a robust and real-time security mechanism.

B. Checking only on the initial access would create a significant security vulnerability, as permissions revoked during a client's session would not be enforced.

C. This is incorrect. While Kafka brokers cache ACLs from ZooKeeper/KRaft to improve performance, the authorization check itself is still performed on every request against the cached ACLs, not skipped for an interval.

D. Authorization is performed on a per-operation basis against specific resources (like topics), not just once when a TCP connection is established.

1. Confluent Documentation, "Authorization using ACLs": "For every request from a client to a broker, the broker checks for the appropriate permissions for the authenticated user. The permissions are based on access control lists (ACLs) that are defined for each resource." This statement explicitly confirms that the check is performed for every request.

Source: Confluent Documentation, Security > Authorization > Authorization using ACLs > How Authorization Works in Kafka.

2. Apache Kafka Documentation, "Security - Authorization": The documentation describes the request processing flow where authorization is a distinct step after authentication for each request. It states, "Kafka has a pluggable Authorizer interface... The Authorizer is used by the broker to authorize an action on a resource." The architecture implies this check is part of the processing logic for every API call that requires authorization.

Source: Apache Kafka Documentation, Section 7.3 Authorization.