Posted to users@kafka.apache.org by Richard Bosch <ri...@axual.com> on 2022/09/01 07:58:52 UTC

Re: Trouble with Kafka ACLs upon startup

Hi Matthew,

When you use mTLS you need to set the broker configuration property
super.users=User:Bob;User:Alice

You'll need to set the names to the Distinguished Name from the broker client
certificates.
To determine or change the name extraction to set, you can check the
section Customizing SSL User Name in the documentation,
https://kafka.apache.org/documentation/#security_authz_ssl

I hope this helps.

Kind regards,


Richard Bosch

Developer Advocate

Axual BV

E : richard.bosch@axual.com
M : +31 6 11 850 846
W : www.axual.com


On Thu, Sep 1, 2022 at 1:13 AM Rabey, Matthew <ma...@linquest.com>
wrote:

> Hopefully this applies to the previous thread I created yesterday.
>
> This ACL problem really seems to be a chicken-and-egg problem.  I’ve
> attempted nearly all I can think of and find from documentation in terms of
> disabling “allow.everyone.if.no.acl.found” and also creating topics and
> adding additional ACLs.  From the very start of the Kafka broker, it fails
> to change something on the Kafka cluster because of an ACL problem.  If I
> set inter-broker communication to mTLS, at least the broker now identifies
> itself (and yes the broker cert has a DN and SAN that both properly
> identify it using FQDN).  However, the issues still persist.  I cannot
> create ACLs because there are no ACLs explicitly giving the broker the
> ability to modify the ACLs kept on Zookeeper.  So I can’t create ACLs
> because no ACLs currently exist.  A real conundrum.  I can’t get a job
> because I don’t have experience, but in order to get that experience, I
> need a job.  So is this a design flaw?  Are you FORCED to enable
> “allow.everyone.if.no.acl.found” or something?  I have not found anywhere
> that allows me to create an initial set of ACLs to enable a broker to use
> the CLI tools, nor do I see anything in the documentation that would help
> me in this situation.  Very few threads covering a topic like this lead me
> to believe that everyone has pretty insecure Kafka servers that only have
> perimeter security.  So, I’m at the point where I either enable
> “allow.everyone.if.no.acl.found” and just secure the ANONYMOUS
> authentications to do basically nothing, enable Zookeeper Authentication so
> no further fudging with the internals can be done unless from an
> authenticated user, and create ACLs after everything has started up.  Still
> leaves the potential vulnerability of having the
> “allow.everyone.if.no.acl.found”, but I don’t know considering the
> documentation doesn’t really cover it other than at a glance.
>

Re: [EXTERNAL]Re: Trouble with Kafka ACLs upon startup

Posted by "Rabey, Matthew" <ma...@linquest.com>.
Thank you very much, Richard.  You confirmed my suspicion that I’d need to use super users for this case.  In combination with the --command-config flag providing the appropriate information, my broker was able to create topics and ACLs as an authenticated user.

You’ve saved me quite a bit of hair pulling in frustration.

Matthew Rabey
Staff Software Engineer
LinQuest Corporation
Space Systems Engineering and Integration
