Posted to users@kafka.apache.org by Andrew Otto <ot...@wikimedia.org> on 2020/05/18 15:51:42 UTC

Re: ACLs - How To Allow Anyone To Access of A Topic

If I understand correctly, if your client authenticates, there must be an
ACL for that principal, otherwise it will fail authorization.

If you are going to allow everything anyway, perhaps you don't need to
authenticate?

Re: ACLs - How To Allow Anyone To Access of A Topic

Posted by Jun Wang <wj...@hotmail.com>.
It turns out that Kafka ACLs support a wildcard principal; I missed this in the document.

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=test3, patternType=LITERAL)`:
  (principal=User:*, host=*, operation=ALL, permissionType=ALLOW)

It is good now.

________________________________

From: Jun Wang <wj...@hotmail.com>
Sent: Monday, May 18, 2020 2:11 PM
To: users@kafka.apache.org <us...@kafka.apache.org>
Subject: Re: ACLs - How To Allow Anyone To Access of A Topic

I am testing in a dev. environment, maybe it does not make sense in production.

See my detailed explanation below and a rephrasing of the question:

1. I have mixed authenticated and unauthenticated users in the system.

For example:
listeners=PLAINTEXT://localhost:9092,SASL_PLAINTEXT://localhost:9093

Users coming to port 9092 are unauthenticated, thus ANONYMOUS;
users coming to port 9093 are SASL authenticated.

2. I want fine-grained access control over topics, so I set allow.everyone.if.no.acl.found=false

3. I want some topics to be private to certain users and some topics public to everyone.

| Topic Name | test1 | test2 | test3    |
|------------+-------+-------+----------|
| ACLs       | Bob   | Alice | Everyone |

The focus is on the ACLs of the test3 topic.

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=test3, patternType=LITERAL)`:
line 1: (principal=User:ANONYMOUS, host=*, operation=ALL, permissionType=ALLOW)
line 2: (principal=User:bob, host=*, operation=ALL, permissionType=ALLOW)  // rule for Bob
line 3: (principal=User:alice, host=*, operation=ALL, permissionType=ALLOW)  // rule for Alice

I have to set up an explicit rule on line 1 to allow anonymous access, and lines 2 and 3 for Bob and Alice.

I thought line 1 already covered lines 2 and 3, thus lines 2 and 3 are redundant.
Do we need lines 2 and 3 at all?

Thanks
Jun

________________________________
From: Andrew Otto <ot...@wikimedia.org>
Sent: Monday, May 18, 2020 11:51 AM
To: users@kafka.apache.org <us...@kafka.apache.org>
Subject: Re: ACLs - How To Allow Anyone To Access of A Topic

If I understand correctly, if your client authenticates, there must be an
ACL for that principal, otherwise it will fail authorization.

If you are going to allow everything anyway, perhaps you don't need to
authenticate?
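As an added illustration (not code from this thread or from Kafka itself), a small Python model of how Kafka's AclAuthorizer evaluates the listings quoted above: it parses the format printed by kafka-acls.sh --list and shows why a User:ANONYMOUS rule never covers User:bob while User:* does, and how allow.everyone.if.no.acl.found only matters when a resource has no ACLs at all. The client host 10.0.0.5 is a constructed value, and the DESCRIBE-implication table reflects AclAuthorizer's documented behaviour.

```python
"""Model of Kafka AclAuthorizer's decision logic (added example, not Kafka's own code)."""
import re
from dataclasses import dataclass

# One entry in the format printed by kafka-acls.sh --list
ACL_RE = re.compile(r"\(principal=(?P<principal>[^,]+), host=(?P<host>[^,]+), "
                    r"operation=(?P<operation>[^,]+), permissionType=(?P<perm>[^)]+)\)")
# An ALLOW for any of these operations also satisfies a DESCRIBE / DESCRIBE_CONFIGS request
IMPLIED_BY = {"DESCRIBE": ("READ", "WRITE", "DELETE", "ALTER"),
              "DESCRIBE_CONFIGS": ("ALTER_CONFIGS",)}

@dataclass(frozen=True)
class Acl:
    principal: str
    host: str
    operation: str
    permission: str  # ALLOW or DENY

def parse_acls(listing: str) -> list[Acl]:
    """Parse every ACL entry found in a kafka-acls.sh --list listing."""
    return [Acl(*m.group("principal", "host", "operation", "perm"))
            for m in ACL_RE.finditer(listing)]

def _matches(acl: Acl, principal: str, host: str, operation: str) -> bool:
    # Principals compare literally; the only wildcard is User:*. User:ANONYMOUS is
    # just another literal principal, so an ANONYMOUS rule never covers User:bob.
    return (acl.principal in (principal, "User:*")
            and acl.host in (host, "*")
            and acl.operation in (operation, "ALL"))

def authorize(acls, principal, host, operation, allow_everyone_if_no_acl_found=False):
    """Empty ACL set: the broker default decides. Otherwise DENY wins, then an ALLOW is required."""
    if not acls:
        return allow_everyone_if_no_acl_found
    if any(a.permission == "DENY" and _matches(a, principal, host, operation)
           for a in acls):
        return False
    return any(a.permission == "ALLOW" and _matches(a, principal, host, op)
               for a in acls for op in (operation,) + IMPLIED_BY.get(operation, ()))

# The two listings for topic test3 quoted in the thread, embedded as sample input
EXPLICIT_LISTING = """(principal=User:ANONYMOUS, host=*, operation=ALL, permissionType=ALLOW)
(principal=User:bob, host=*, operation=ALL, permissionType=ALLOW)
(principal=User:alice, host=*, operation=ALL, permissionType=ALLOW)"""
WILDCARD_LISTING = "(principal=User:*, host=*, operation=ALL, permissionType=ALLOW)"

def decisions(listing: str, operation: str = "READ") -> dict[str, bool]:
    # Decision per principal; the client host 10.0.0.5 is a constructed value
    return {who: authorize(parse_acls(listing), who, "10.0.0.5", operation)
            for who in ("User:ANONYMOUS", "User:bob", "User:carol")}
```

With the three explicit rules, an unlisted SASL user such as User:carol is denied, while the single User:* rule admits every principal, anonymous or authenticated.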
