Posted to users@kafka.apache.org by Raghav <ra...@gmail.com> on 2017/05/19 17:32:34 UTC
ACL with SSL is not working
Hi
I have an SSL setup with Kafka Broker, Producer and Consumer, and it works
fine. I tried to set up ACLs as given on the website. When I start my
producer, I am getting this error:
[root@kafka-dev2 KAFKA]# bin/kafka-console-producer --broker-list
kafka-dev1.example.com:9093 --topic test --producer.config
./etc/kafka/producer.properties
HelloWorld
[2017-05-19 10:24:42,437] WARN Error while fetching metadata with
correlation id 1 : {test=UNKNOWN_TOPIC_OR_PARTITION}
(org.apache.kafka.clients.NetworkClient)
[root@kafka-dev2 KAFKA]#
server config has the following entries
------------------------------------
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:Bob
------------------------------------
When the certificate was being generated for the Producer, Bob was used in the
CNAME.
Am I missing something here? Please help
Thanks.
Raghav
Re: ACL with SSL is not working
Posted by Raghav <ra...@gmail.com>.
Rajini
I tried to add permission for Kafka broker to write. Now I get this error.
Am I missing anything else ?
[2017-05-22 11:11:15,065] WARN Error while fetching metadata with
correlation id 1 : {kafka-testtopic=TOPIC_AUTHORIZATION_FAILED}
(org.apache.kafka.clients.NetworkClient)
[2017-05-22 11:11:15,167] WARN Error while fetching metadata with
correlation id 2 : {kafka-testtopic=TOPIC_AUTHORIZATION_FAILED}
(org.apache.kafka.clients.NetworkClient)
[2017-05-22 11:11:15,271] WARN Error while fetching metadata with
correlation id 3 : {kafka-testtopic=TOPIC_AUTHORIZATION_FAILED}
(org.apache.kafka.clients.NetworkClient)
On Mon, May 22, 2017 at 8:02 AM, Rajini Sivaram <ra...@gmail.com>
wrote:
> If you are using auto-create of topics, you also need to grant Create
> access to kafka-cluster.
--
Raghav
Re: ACL with SSL is not working
Posted by Raghav <ra...@gmail.com>.
Hi Rajini
Thanks for the input. I think I may have made a mistake in granting Create access
to kafka-cluster. I did as follows; please correct me if this is not right:
[root@kafka1 KAFKA]# bin/kafka-acls.sh --authorizer-properties
zookeeper.connect=kafka1.example.com:2181 --add --allow-principal
User:CN=kafka1 --operation Create --cluster kafka-cluster
Adding ACLs for resource `Cluster:kafka-cluster`:
User:CN=kafka1 has Allow permission for operations: Create from
hosts: *
Current ACLs for resource `Cluster:kafka-cluster`:
User:CN=kafka1 has Allow permission for operations: Create from
hosts: *
[root@kafka1 KAFKA]#
Thanks.
On Mon, May 22, 2017 at 8:02 AM, Rajini Sivaram <ra...@gmail.com>
wrote:
> If you are using auto-create of topics, you also need to grant Create
> access to kafka-cluster.
--
Raghav
Re: ACL with SSL is not working
Posted by Rajini Sivaram <ra...@gmail.com>.
If you are using auto-create of topics, you also need to grant Create
access to kafka-cluster.
On Mon, May 22, 2017 at 9:51 AM, Raghav <ra...@gmail.com> wrote:
> Hi Rajini
>
> I tried again with IP addresses this time, and I get the following error
> log for the given ACLS. Is there something wrong in the way I am giving
> user name ?
>
> *List of ACL*
>
> [root@kafka-dev1 KAFKA]# bin/kafka-acls --authorizer-properties
> zookeeper.connect=localhost:2181 --add --allow-principal User:CN=kafka2
> --allow-host 10.10.0.23 --operation Read --operation Write --topic
> kafka-testtopic
> Adding ACLs for resource `Topic:kafka-testtopic`:
> User:CN=kafka2 has Allow permission for operations: Read from
> hosts: 10.10.0.23
> User:CN=kafka2 has Allow permission for operations: Write from
> hosts: 10.10.0.23
> [root@kafka-dev1 KAFKA]#
>
> *Authorizer LOGS*
>
> [2017-05-22 06:45:44,520] DEBUG No acl found for resource
> Cluster:kafka-cluster, authorized = false (kafka.authorizer.logger)
> [2017-05-22 06:45:44,520] DEBUG Principal = User:CN=kafka2 is Denied
> Operation = Create from host = 10.10.0.23 on resource =
> Cluster:kafka-cluster (kafka.authorizer.logger)
Re: ACL with SSL is not working
Posted by Raghav <ra...@gmail.com>.
Hi Rajini
I tried again with IP addresses this time, and I get the following error
log for the given ACLS. Is there something wrong in the way I am giving
user name ?
*List of ACL*
[root@kafka-dev1 KAFKA]# bin/kafka-acls --authorizer-properties
zookeeper.connect=localhost:2181 --add --allow-principal User:CN=kafka2
--allow-host 10.10.0.23 --operation Read --operation Write --topic
kafka-testtopic
Adding ACLs for resource `Topic:kafka-testtopic`:
User:CN=kafka2 has Allow permission for operations: Read from
hosts: 10.10.0.23
User:CN=kafka2 has Allow permission for operations: Write from
hosts: 10.10.0.23
[root@kafka-dev1 KAFKA]#
*Authorizer LOGS*
[2017-05-22 06:45:44,520] DEBUG No acl found for resource
Cluster:kafka-cluster, authorized = false (kafka.authorizer.logger)
[2017-05-22 06:45:44,520] DEBUG Principal = User:CN=kafka2 is Denied
Operation = Create from host = 10.10.0.23 on resource =
Cluster:kafka-cluster (kafka.authorizer.logger)
On Mon, May 22, 2017 at 6:34 AM, Rajini Sivaram <ra...@gmail.com>
wrote:
> Raghav,
>
> I don't believe we do reverse DNS lookup for matching ACL hosts. Have you
> tried defining ACLs with host IP address?
--
Raghav
Re: ACL with SSL is not working
Posted by Rajini Sivaram <ra...@gmail.com>.
Raghav,
I don't believe we do reverse DNS lookup for matching ACL hosts. Have you
tried defining ACLs with host IP address?
On Mon, May 22, 2017 at 9:19 AM, Raghav <ra...@gmail.com> wrote:
> Hi
>
> I enabled the DEBUG logs on Kafka authorizer, and I see the following logs
> for the given ACLs. Am I missing something in my config here ? Any help is
> greatly appreciated. Thanks.
>
>
> *List of ACL*
>
> [root@kafka1 KAFKA]# bin/kafka-acls.sh --authorizer-properties
> zookeeper.connect=localhost:2181 --list --topic kafka-testtopic
> Current ACLs for resource `Topic:kafka-testtopic`:
> User:* has Allow permission for operations: Read from hosts: bin
> User:CN=kafka2 has Allow permission for operations: Write from
> hosts: kafka2.example.com
> User:CN=kafka2 has Allow permission for operations: Read from
> hosts: kafka2.example.com
> [root@kafka1 KAFKA]#
>
>
> *Authorizer LOGS*
>
> [2017-05-22 06:10:16,635] DEBUG Principal = User:CN=kafka2 is Denied
> Operation = Describe from host = 10.10.0.23 on resource =
> Topic:kafka-testtopic (kafka.authorizer.logger)
> [2017-05-22 06:10:16,736] DEBUG Principal = User:CN=kafka2 is Denied
> Operation = Describe from host = 10.10.0.23 on resource =
> Topic:kafka-testtopic (kafka.authorizer.logger)
> [2017-05-22 06:10:16,839] DEBUG Principal = User:CN=kafka2 is Denied
> Operation = Describe from host = 10.10.0.23 on resource =
> Topic:kafka-testtopic (kafka.authorizer.logger)
> [2017-05-22 06:10:16,942] DEBUG Principal = User:CN=kafka2 is Denied
> Operation = Describe from host = 10.10.0.23 on resource =
> Topic:kafka-testtopic (kafka.authorizer.logger)
>
>
> Thanks.
>
>
> On Sun, May 21, 2017 at 10:52 PM, Raghav <ra...@gmail.com> wrote:
>
> > I tried all possible ways (including the way you suggested Michael), but I
> > still get the same error.
> >
> > Is there a step by step guide to get ACLs working in Kafka with SSL ?
> >
> > Thanks.
> >
> > On Fri, May 19, 2017 at 11:40 AM, Michael Rauter <MR...@anexia-it.com>
> > wrote:
> >
> >> Hi,
> >>
> >> with SSL client authentication the user identifier is the dname of the
> >> certificate
> >>
> >> in your case “CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US”
> >>
> >> for example when you want to set an ACL rule (read and write for topic
> >> TOPICNAME from every host):
> >>
> >> $ kafka-acls --authorizer-properties zookeeper.connect=zookeeper:2181
> >> --add --allow-principal User:CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US
> >> --allow-host "*" --operation Read --operation Write --topic TOPICNAME
> >>
> >>
> >> Am 19.05.17, 20:02 schrieb "Raghav" <ra...@gmail.com>:
> >>
> >> If it helps, this is how I generated the keystore for my client
> >>
> >> $ keytool -alias kafka-dev2 -validity 365 -keystore
> >> kafka-dev2.keystore.jks
> >> -dname "CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US" -genkey -ext
> >> SAN=DNS:kafka-dev2.example.com -storepass 123456
> >>
> >> Anything wrong here ?
> >>
> >> On Fri, May 19, 2017 at 10:32 AM, Raghav <ra...@gmail.com>
> >> wrote:
> >>
> >> > Hi
> >> >
> >> > I have a SSL setup with Kafka Broker, Producer and Consumer, and it works
> >> > fine. I tried to setup ACLs as given on the website. When I start my
> >> > producer, I am getting this error:
> >> >
> >> >
> >> > [root@kafka-dev2 KAFKA]# bin/kafka-console-producer --broker-list
> >> > kafka-dev1.example.com:9093 --topic test --producer.config
> >> > ./etc/kafka/producer.properties
> >> >
> >> > HelloWorld
> >> >
> >> > [2017-05-19 10:24:42,437] WARN Error while fetching metadata with
> >> > correlation id 1 : {test=UNKNOWN_TOPIC_OR_PARTITION}
> >> > (org.apache.kafka.clients.NetworkClient)
> >> > [root@kafka-dev2 KAFKA]#
> >> >
> >> >
> >> > server config has the following entries
> >> > ------------------------------------
> >> > authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
> >> > super.users=User:Bob
> >> > ------------------------------------
> >> >
> >> > When certificate was being generated for Producer (Bob was used in the
> >> > CNAME.)
> >> >
> >> >
> >> > Am I missing something here ? Please help
> >> >
> >> > Thanks.
> >> >
> >> > Raghav
> >> >
> >>
> >>
> >>
> >> --
> >> Raghav
> >>
> >>
> >>
> >
> >
> > --
> > Raghav
> >
>
>
>
> --
> Raghav
>
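Added example (not part of any post in this thread, and not Kafka's own code): a simplified Python model of the matching rules discussed above, namely that the principal is the full certificate DN, that ACL hosts are compared as literal strings with no reverse DNS, and that auto-create needs Create on Cluster:kafka-cluster. The log lines are constructed in the thread's format; the rule that Read or Write also satisfies Describe, and all function names, are assumptions of this model.

```python
import re
from dataclasses import dataclass

# Assumption of this model: an ACL for any of these operations also satisfies
# a Describe check, so Read/Write grants cover the producer's metadata fetch.
DESCRIBE_IMPLIED_BY = {"Describe", "Read", "Write", "Delete", "Alter"}

TOPIC, CLUSTER = "Topic:kafka-testtopic", "Cluster:kafka-cluster"


@dataclass(frozen=True)
class Acl:
    principal: str  # "User:<full certificate DN>" or "User:*"
    host: str       # literal client address or "*"
    operation: str
    resource: str   # "Topic:<name>" or "Cluster:kafka-cluster"


DENIED = re.compile(
    r"Principal = (?P<principal>.+?) is Denied Operation = (?P<operation>\w+) "
    r"from host = (?P<host>\S+) on resource = (?P<resource>\S+)"
)


def parse_denials(lines):
    """Return the distinct denied requests found in authorizer DEBUG lines."""
    seen = []
    for line in lines:
        m = DENIED.search(line)
        if m and m.groupdict() not in seen:
            seen.append(m.groupdict())
    return seen


def authorize(req, acls, super_users=frozenset()):
    """Return (allowed, reason) for one request dict under the model's rules."""
    # super.users entries must equal the whole principal string, DN included.
    if req["principal"] in super_users:
        return True, "super user"
    on_resource = [a for a in acls if a.resource == req["resource"]]
    if not on_resource:
        return False, "no ACL on resource"
    wanted = {req["operation"]}
    if req["operation"] == "Describe":
        wanted = DESCRIBE_IMPLIED_BY
    op_ok = [a for a in on_resource if a.operation in wanted or a.operation == "All"]
    if not op_ok:
        return False, "operation not granted"
    who_ok = [a for a in op_ok if a.principal in (req["principal"], "User:*")]
    if not who_ok:
        return False, "principal mismatch"
    # Hosts are compared as literal strings; a hostname ACL never matches an IP.
    if not any(a.host in (req["host"], "*") for a in who_ok):
        return False, "host mismatch"
    return True, "allowed"


def diagnose(lines, acls, super_users=frozenset()):
    """Re-evaluate every denied request in the log against a candidate ACL set."""
    return [
        (d["operation"], d["resource"], authorize(d, acls, super_users)[1])
        for d in parse_denials(lines)
    ]


# Constructed sample: lines in the thread's log format, one record per line.
SAMPLE_LOG = [
    "[2017-05-22 06:10:16,635] DEBUG Principal = User:CN=kafka2 is Denied "
    "Operation = Describe from host = 10.10.0.23 on resource = "
    "Topic:kafka-testtopic (kafka.authorizer.logger)",
    "[2017-05-22 06:10:16,736] DEBUG Principal = User:CN=kafka2 is Denied "
    "Operation = Describe from host = 10.10.0.23 on resource = "
    "Topic:kafka-testtopic (kafka.authorizer.logger)",
    "[2017-05-22 06:45:44,520] DEBUG Principal = User:CN=kafka2 is Denied "
    "Operation = Create from host = 10.10.0.23 on resource = "
    "Cluster:kafka-cluster (kafka.authorizer.logger)",
]

# ACL sets as listed in the thread: first by hostname, then by IP address.
HOSTNAME_ACLS = [
    Acl("User:CN=kafka2", "kafka2.example.com", op, TOPIC) for op in ("Read", "Write")
]
IP_ACLS = [Acl("User:CN=kafka2", "10.10.0.23", op, TOPIC) for op in ("Read", "Write")]
# Hypothetical cluster grant for the producer's own principal.
CLUSTER_ACL = Acl("User:CN=kafka2", "*", "Create", CLUSTER)

if __name__ == "__main__":
    for name, acls in (("hostname ACLs", HOSTNAME_ACLS),
                       ("IP ACLs", IP_ACLS),
                       ("IP ACLs + cluster Create", IP_ACLS + [CLUSTER_ACL])):
        print(name, diagnose(SAMPLE_LOG, acls))
```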
Re: ACL with SSL is not working
Posted by Raghav <ra...@gmail.com>.
Hi
I enabled the DEBUG logs on Kafka authorizer, and I see the following logs
for the given ACLs. Am I missing something in my config here ? Any help is
greatly appreciated. Thanks.
*List of ACL*
[root@kafka1 KAFKA]# bin/kafka-acls.sh --authorizer-properties
zookeeper.connect=localhost:2181 --list --topic kafka-testtopic
Current ACLs for resource `Topic:kafka-testtopic`:
User:* has Allow permission for operations: Read from hosts: bin
User:CN=kafka2 has Allow permission for operations: Write from
hosts: kafka2.example.com
User:CN=kafka2 has Allow permission for operations: Read from
hosts: kafka2.example.com
[root@kafka1 KAFKA]#
*Authorizer LOGS*
[2017-05-22 06:10:16,635] DEBUG Principal = User:CN=kafka2 is Denied
Operation = Describe from host = 10.10.0.23 on resource =
Topic:kafka-testtopic (kafka.authorizer.logger)
[2017-05-22 06:10:16,736] DEBUG Principal = User:CN=kafka2 is Denied
Operation = Describe from host = 10.10.0.23 on resource =
Topic:kafka-testtopic (kafka.authorizer.logger)
[2017-05-22 06:10:16,839] DEBUG Principal = User:CN=kafka2 is Denied
Operation = Describe from host = 10.10.0.23 on resource =
Topic:kafka-testtopic (kafka.authorizer.logger)
[2017-05-22 06:10:16,942] DEBUG Principal = User:CN=kafka2 is Denied
Operation = Describe from host = 10.10.0.23 on resource =
Topic:kafka-testtopic (kafka.authorizer.logger)
Thanks.
On Sun, May 21, 2017 at 10:52 PM, Raghav <ra...@gmail.com> wrote:
> I tried all possible ways (including the way you suggested Michael), but I
> still get the same error.
>
> Is there a step by step guide to get ACLs working in Kafka with SSL ?
>
> Thanks.
>
> On Fri, May 19, 2017 at 11:40 AM, Michael Rauter <MR...@anexia-it.com>
> wrote:
>
>> Hi,
>>
>> with SSL client authentication the user identifier is the dname of the
>> certificate
>>
>> in your case “CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US”
>>
>> for example when you want to set an ACL rule (read and write for topic
>> TOPICNAME from every host):
>>
>> $ kafka-acls --authorizer-properties zookeeper.connect=zookeeper:2181
>> --add --allow-principal User:CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US
>> --allow-host "*" --operation Read --operation Write --topic TOPICNAME
>>
>>
>> On 19.05.17, 20:02, "Raghav" <ra...@gmail.com> wrote:
>>
>> If it helps, this is how I generated the keystore for my client
>>
>> $ keytool -alias kafka-dev2 -validity 365 -keystore
>> kafka-dev2.keystore.jks
>> -dname "CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US" -genkey -ext SAN=DNS:
>> kafka-dev2.example.com -storepass 123456
>>
>> Anything wrong here ?
>>
>> On Fri, May 19, 2017 at 10:32 AM, Raghav <ra...@gmail.com>
>> wrote:
>>
>> > Hi
>> >
>> > I have a SSL setup with Kafka Broker, Producer and Consumer, and it
>> works
>> > fine. I tried to setup ACLs as given on the website. When I start my
>> > producer, I am getting this error:
>> >
>> >
>> > [root@kafka-dev2 KAFKA]# bin/kafka-console-producer --broker-list
>> > kafka-dev1.example.com:9093 --topic test --producer.config
>> > ./etc/kafka/producer.properties
>> >
>> > HelloWorld
>> >
>> > [2017-05-19 10:24:42,437] WARN Error while fetching metadata with
>> > correlation id 1 : {test=UNKNOWN_TOPIC_OR_PARTITION}
>> > (org.apache.kafka.clients.NetworkClient)
>> > [root@kafka-dev2 KAFKA]#
>> >
>> >
>> > server config has the following entries
>> > ------------------------------------
>> > authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
>> > super.users=User:Bob
>> > ------------------------------------
>> >
>> > When certificate was being generated for Producer (Bob was used in
>> the
>> > CNAME.)
>> >
>> >
>> > Am I missing something here ? Please help
>> >
>> > Thanks.
>> >
>> > Raghav
>> >
>>
>>
>>
>> --
>> Raghav
>>
>>
>>
>
>
> --
> Raghav
>
--
Raghav
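The DEBUG lines in the message above can be checked against the ACL listing mechanically. The following is an added example, not part of the original post and not Kafka's own code: a simplified model of how SimpleAclAuthorizer matches an Allow ACL (principal equal to the request principal or User:*, operation equal to the request with Describe implied by Read/Write/Delete/Alter, host compared as a literal string with the client's IP address or "*"). Deny ACLs and super.users are left out; the names ACLS, LOG, parse and explain are hypothetical.

```python
import re

# Constructed from the ACL listing and one DEBUG line quoted in the message above.
ACLS = [  # (principal, permission, operation, host)
    ("User:*", "Allow", "Read", "bin"),
    ("User:CN=kafka2", "Allow", "Write", "kafka2.example.com"),
    ("User:CN=kafka2", "Allow", "Read", "kafka2.example.com"),
]
LOG = ("[2017-05-22 06:10:16,635] DEBUG Principal = User:CN=kafka2 is Denied "
       "Operation = Describe from host = 10.10.0.23 on resource = "
       "Topic:kafka-testtopic (kafka.authorizer.logger)")

LOG_RE = re.compile(r"Principal = (\S+) is (Allowed|Denied) Operation = (\w+) "
                    r"from host = (\S+) on resource = (\S+)")
# An Allow for any of these operations also grants Describe.
IMPLIES_DESCRIBE = {"Read", "Write", "Delete", "Alter"}

def parse(line):
    """Return (principal, verdict, operation, host, resource) or None."""
    m = LOG_RE.search(line)
    return m.groups() if m else None

def op_matches(acl_op, requested):
    return acl_op in ("All", requested) or (
        requested == "Describe" and acl_op in IMPLIES_DESCRIBE)

def explain(acls, principal, operation, host):
    """Model of Allow matching only (assumption: no Deny ACLs, no super.users).
    Returns (verdict, reasons why each Allow ACL did not match)."""
    reasons = []
    for p, perm, op, h in acls:
        if perm != "Allow":
            continue
        if p not in ("User:*", principal):
            reasons.append(f"{p}: principal != {principal}")
        elif not op_matches(op, operation):
            reasons.append(f"{p}/{op}: does not cover {operation}")
        elif h not in ("*", host):
            reasons.append(f"{p}/{op}: ACL host '{h}' != client address {host}")
        else:
            return "Allowed", []
    return "Denied", reasons

if __name__ == "__main__":
    principal, _, operation, host, _ = parse(LOG)
    print(explain(ACLS, principal, operation, host))
```

On the data from the message, all three ACLs match on principal and operation and fail only on the host field, where `bin` and `kafka2.example.com` are compared literally with `10.10.0.23`.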
Re: ACL with SSL is not working
Posted by Raghav <ra...@gmail.com>.
I tried all possible ways (including the way you suggested Michael), but I
still get the same error.
Is there a step by step guide to get ACLs working in Kafka with SSL ?
Thanks.
On Fri, May 19, 2017 at 11:40 AM, Michael Rauter <MR...@anexia-it.com>
wrote:
> Hi,
>
> with SSL client authentication the user identifier is the dname of the
> certificate
>
> in your case “CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US”
>
> for example when you want to set an ACL rule (read and write for topic
> TOPICNAME from every host):
>
> $ kafka-acls --authorizer-properties zookeeper.connect=zookeeper:2181
> --add --allow-principal User:CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US
> --allow-host "*" --operation Read --operation Write --topic TOPICNAME
>
>
> On 19.05.17, 20:02, "Raghav" <ra...@gmail.com> wrote:
>
> If it helps, this is how I generated the keystore for my client
>
> $ keytool -alias kafka-dev2 -validity 365 -keystore
> kafka-dev2.keystore.jks
> -dname "CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US" -genkey -ext SAN=DNS:
> kafka-dev2.example.com -storepass 123456
>
> Anything wrong here ?
>
> On Fri, May 19, 2017 at 10:32 AM, Raghav <ra...@gmail.com>
> wrote:
>
> > Hi
> >
> > I have a SSL setup with Kafka Broker, Producer and Consumer, and it
> works
> > fine. I tried to setup ACLs as given on the website. When I start my
> > producer, I am getting this error:
> >
> >
> > [root@kafka-dev2 KAFKA]# bin/kafka-console-producer --broker-list
> > kafka-dev1.example.com:9093 --topic test --producer.config
> > ./etc/kafka/producer.properties
> >
> > HelloWorld
> >
> > [2017-05-19 10:24:42,437] WARN Error while fetching metadata with
> > correlation id 1 : {test=UNKNOWN_TOPIC_OR_PARTITION}
> > (org.apache.kafka.clients.NetworkClient)
> > [root@kafka-dev2 KAFKA]#
> >
> >
> > server config has the following entries
> > ------------------------------------
> > authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
> > super.users=User:Bob
> > ------------------------------------
> >
> > When certificate was being generated for Producer (Bob was used in
> the
> > CNAME.)
> >
> >
> > Am I missing something here ? Please help
> >
> > Thanks.
> >
> > Raghav
> >
>
>
>
> --
> Raghav
>
>
>
--
Raghav
Re: ACL with SSL is not working
Posted by Michael Rauter <MR...@anexia-it.com>.
Hi,
with SSL client authentication the user identifier is the dname of the certificate
in your case “CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US”
for example when you want to set an ACL rule (read and write for topic TOPICNAME from every host):
$ kafka-acls --authorizer-properties zookeeper.connect=zookeeper:2181 --add --allow-principal User:CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US --allow-host "*" --operation Read --operation Write --topic TOPICNAME
On 19.05.17, 20:02, "Raghav" <ra...@gmail.com> wrote:
If it helps, this is how I generated the keystore for my client
$ keytool -alias kafka-dev2 -validity 365 -keystore kafka-dev2.keystore.jks \
    -dname "CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US" -genkey \
    -ext SAN=DNS:kafka-dev2.example.com -storepass 123456
Anything wrong here ?
On Fri, May 19, 2017 at 10:32 AM, Raghav <ra...@gmail.com> wrote:
> Hi
>
> I have a SSL setup with Kafka Broker, Producer and Consumer, and it works
> fine. I tried to setup ACLs as given on the website. When I start my
> producer, I am getting this error:
>
>
> [root@kafka-dev2 KAFKA]# bin/kafka-console-producer --broker-list
> kafka-dev1.example.com:9093 --topic test --producer.config
> ./etc/kafka/producer.properties
>
> HelloWorld
>
> [2017-05-19 10:24:42,437] WARN Error while fetching metadata with
> correlation id 1 : {test=UNKNOWN_TOPIC_OR_PARTITION}
> (org.apache.kafka.clients.NetworkClient)
> [root@kafka-dev2 KAFKA]#
>
>
> server config has the following entries
> ------------------------------------
> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
> super.users=User:Bob
> ------------------------------------
>
> When certificate was being generated for Producer (Bob was used in the
> CNAME.)
>
>
> Am I missing something here ? Please help
>
> Thanks.
>
> Raghav
>
--
Raghav
Re: ACL with SSL is not working
Posted by Raghav <ra...@gmail.com>.
If it helps, this is how I generated the keystore for my client
$ keytool -alias kafka-dev2 -validity 365 -keystore kafka-dev2.keystore.jks \
    -dname "CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US" -genkey \
    -ext SAN=DNS:kafka-dev2.example.com -storepass 123456
Anything wrong here ?
On Fri, May 19, 2017 at 10:32 AM, Raghav <ra...@gmail.com> wrote:
> Hi
>
> I have a SSL setup with Kafka Broker, Producer and Consumer, and it works
> fine. I tried to setup ACLs as given on the website. When I start my
> producer, I am getting this error:
>
>
> [root@kafka-dev2 KAFKA]# bin/kafka-console-producer --broker-list
> kafka-dev1.example.com:9093 --topic test --producer.config
> ./etc/kafka/producer.properties
>
> HelloWorld
>
> [2017-05-19 10:24:42,437] WARN Error while fetching metadata with
> correlation id 1 : {test=UNKNOWN_TOPIC_OR_PARTITION}
> (org.apache.kafka.clients.NetworkClient)
> [root@kafka-dev2 KAFKA]#
>
>
> server config has the following entries
> ------------------------------------
> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
> super.users=User:Bob
> ------------------------------------
>
> When certificate was being generated for Producer (Bob was used in the
> CNAME.)
>
>
> Am I missing something here ? Please help
>
> Thanks.
>
> Raghav
>
--
Raghav