Restrict access on kafka with multiple listener

[Matt L <ma...@gmail.com>]

Hi,

I have an existing Kafka Cluster that is configured as PLAINTEXT. We want
to enable SASL (GSSAPI) as an additional listener.

Is there a way to force specific topics to only accept traffic (pub/con)
from a certain listener?

e.g. if i create a topic and set ACLS, how do i stop a client from using
the PLAINTEXT protocol and publishing and consuming to that topic

Thanks,

Re: Restrict access on kafka with multiple listener

[Harsha <ka...@harsha.io>]

There is no listener to topic mappings right now. But you can run two listeners one PLAINTEXT and another SASL. Configure your authorizer to allow anonymous read/write on topics that are public and the topics you want to protect give a explicit ACL to principal names. This will protect any read/writes on the secure topics and it will reject any request on PLAINTEXT port for these topics  as AuthorizationException and rest of the topics you can continue access through both the ports.

-Harsha

On Tue, Jul 17, 2018, at 5:09 PM, Matt L wrote:
> Hi,
> 
> I have an existing Kafka Cluster that is configured as PLAINTEXT. We want
> to enable SASL (GSSAPI) as an additional listener.
> 
> Is there a way to force specific topics to only accept traffic
> (publish/consume) from a certain listener?
> 
> e.g. if i create a topic and set ACLS, how do i stop a client from using
> the PLAINTEXT protocol and publishing and consuming to that topic
> 
> Thanks!

Re: Restrict access on kafka with multiple listener

[Matt L <ma...@gmail.com>]

Hi,

I have an existing Kafka Cluster that is configured as PLAINTEXT. We want
to enable SASL (GSSAPI) as an additional listener.

Is there a way to force specific topics to only accept traffic
(publish/consume) from a certain listener?

e.g. if i create a topic and set ACLS, how do i stop a client from using
the PLAINTEXT protocol and publishing and consuming to that topic

Thanks!