Posted to users@kafka.apache.org by Sruthi Kumar Annamneedu <sr...@gmail.com> on 2017/07/12 02:21:15 UTC
Kafka authorizer ACLs question
Hi,
I am hoping someone from the community can help me clarify the Kafka
authorizer feature.
*Question:* Do I have to set up any property other than
'authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer' in the
server.properties file to activate ACLs using the Kafka Authorizer?
*Background:* We have a 3-node Kafka cluster (Cloudera environment). N1, N2,
and N3 for Kafka. On all 3 nodes, I have updated the server properties file with
authorizer.class.name and also with 'allow.everyone.if.no.acl.found=false'
properties. Expectation is not to allow anyone to produce/consume messages
on a test topic as I have not set up ACLs on the test topic yet.
*Actual result:* I am able to produce/consume messages just like setting
up these two properties. Not exactly sure what I am missing.
*Expected result:* An error message complaining that ACLs are blocking
producing/consuming messages.
Thank you in advance for your time.
Best,
SK
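A way to confirm that the two properties named in the post are active and identical in every broker's file, written as an added example that is not part of the original message. The file contents below are constructed, and the parser assumes plain key=value lines.

```python
# Added example: audit the authorizer settings named in the post across brokers.
EXPECTED = {
    "authorizer.class.name": "kafka.security.auth.SimpleAclAuthorizer",
    "allow.everyone.if.no.acl.found": "false",
}

def parse_properties(text):
    """Return (active, commented) for key=value lines; the last duplicate wins.

    Only the key=value form is handled (no ':' separators or line continuations)."""
    active, commented = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        is_comment = line.startswith(("#", "!"))
        key, sep, value = line.lstrip("#! ").partition("=")
        if not sep:
            continue  # blank line or free-text comment
        if is_comment:
            commented.add(key.strip())
        else:
            active[key.strip()] = value.strip()
    return active, commented

def audit(brokers):
    """Map each node to a list of (key, problem) for settings that differ from EXPECTED."""
    report = {}
    for node, text in brokers.items():
        active, commented = parse_properties(text)
        problems = []
        for key, want in EXPECTED.items():
            got = active.get(key)
            if got == want:
                continue
            if got is None:
                problems.append((key, "commented out" if key in commented else "missing"))
            else:
                problems.append((key, f"set to {got!r}"))
        report[node] = problems
    return report

# Constructed sample files for the three nodes named in the post.
SAMPLE = {
    "N1": "authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer\n"
          "allow.everyone.if.no.acl.found=false\n",
    "N2": "#authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer\n"
          "allow.everyone.if.no.acl.found=false\n",
    "N3": "authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer\n"
          "allow.everyone.if.no.acl.found=false\n"
          "allow.everyone.if.no.acl.found=true\n",
}

if __name__ == "__main__":
    for node, problems in audit(SAMPLE).items():
        print(node, problems or "ok")
```

The check covers file contents only; it does not show which configuration a running broker actually loaded.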
Re: Kafka authorizer ACLs question
Posted by Sruthi Kumar Annamneedu <sr...@gmail.com>.
Hi Vahid,
Thanks for your response. Below are more details:
1. I do not have a JAAS file created. The setup I have on the 3-node Kafka
cluster is 2-way SSL. Not using Plaintext or SASL as I have not enabled
Kerberos or Sentry.
2. All 3 nodes server.properties files have:
authorizer.class.name...
listeners=SSL...
security.inter.broker.protocol=SSL
Do not have any sasl* properties in any file
3. Able to change ACLs on topics using the authorizer CLI and the issue is even
though ACLs exist, anyone was able to produce/consume Kafka messages.
Any thoughts on what could be the problem?
Best,
Sruthi Kumar
On Tue, Jul 11, 2017 at 10:45 PM, Vahid S Hashemian <
vahidhashemian@us.ibm.com> wrote:
> Hi SK,
>
> Could you please take a look at this document (
> https://developer.ibm.com/opentech/2017/05/31/kafka-acls-in-practice/) and
> confirm you performed the steps in Broker Setup on all brokers?
>
> Thanks.
> --Vahid
>
>
>
> From: Sruthi Kumar Annamneedu <sr...@gmail.com>
> To: users@kafka.apache.org
> Date: 07/11/2017 07:29 PM
> Subject: Kafka authorizer ACLs question
Re: Kafka authorizer ACLs question
Posted by Vahid S Hashemian <va...@us.ibm.com>.
Hi SK,
Could you please take a look at this document (
https://developer.ibm.com/opentech/2017/05/31/kafka-acls-in-practice/) and
confirm you performed the steps in Broker Setup on all brokers?
Thanks.
--Vahid