Posted to dev@kafka.apache.org by "Shrikant (JIRA)" <ji...@apache.org> on 2017/04/01 03:20:41 UTC
[jira] [Created] (KAFKA-4997) Issue with running kafka-acls.sh when using SASL between Kafka and ZK
Shrikant created KAFKA-4997:
-------------------------------
Summary: Issue with running kafka-acls.sh when using SASL between Kafka and ZK
Key: KAFKA-4997
URL: https://issues.apache.org/jira/browse/KAFKA-4997
Project: Kafka
Issue Type: Bug
Components: security
Affects Versions: 0.10.1.1
Environment: Redhat Enterprise Edition Linux,
Reporter: Shrikant
Priority: Critical
Hi All,
We are using SASL for Authentication between Kafka and ZK. Followed - https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/
We have 3 Kafka nodes, and on each node we have principal="kafka/server_no.xxx.com@XXX.COM". So:
On first node in kafka_server_jaas.conf, principal is set to principal="kafka/server1.xxx.com@XXX.COM"
On second node in kafka_server_jaas.conf, principal is set to principal="kafka/server2.xxx.com@XXX.COM"
On third node in kafka_server_jaas.conf, principal is set to principal="kafka/server3.xxx.com@XXX.COM"
When I run the kafka-acls.sh command from node 1, it's successful. It all works, but after that I cannot run kafka-acls.sh from the other 2 nodes. On the other 2 nodes it fails with the error
[2017-03-31 18:44:38,629] ERROR Conditional update of path /kafka-acl/Topic/shri-topic with data {"version":1,"acls":[{"principal":"User:CN=xxxxxxx,OU=xxxx,O=xxxx,L=xxxxx,ST=xx,C=xx","permissionType":"Allow","operation":"Describe","host":"*"},{"principal":"User:CN=xxxxxx,OU=xxxx,O=xxxx,L=xxxxx,ST=xx,C=xx","permissionType":"Allow","operation":"Write","host":"*"}]} and expected version 0 failed due to org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /kafka-acl/Topic/shri-topic (kafka.utils.ZkUtils)
When I look with zookeeper-shell.sh at the kafka-acl node, that node only has permission for the principal of the first node. I believe this is the reason it does not run the ACL, even though those nodes have valid keytabs.
getAcl /kafka-acl
'world,'anyone
: r
'sasl,'kafka/server1.xxx.com@XXX.COM
: cdrwa
Is this a bug, or am I doing something wrong here?
Thanks,
Shri
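The NoAuth in the report is a plain ZooKeeper ACL evaluation: the znode was created with world:anyone=r plus sasl:<creator principal>=cdrwa, and a conditional update (setData) needs the w bit, so any broker authenticating as a different Kerberos principal is refused. The following script is an added example, not code from the report or from the Kafka project: it parses the getAcl output quoted above and reports which of the three broker principals would be allowed to perform the update. It assumes the child znode /kafka-acl/Topic/shri-topic carries the same creator-only ACL as /kafka-acl (ZooKeeper ACLs are per znode, not inherited, so the report's getAcl of the parent is taken as representative), and the three principal strings are the ones given in the report.

```python
# Added example, not part of the JIRA report: evaluate ZooKeeper ACL entries as
# printed by zookeeper-shell "getAcl" against the SASL principal a broker uses,
# to show why only the creating broker can update the znode.
import re
from dataclasses import dataclass

# Permission letters as getAcl prints them: c=create d=delete r=read w=write a=admin.
PERM_LETTERS = {"c": "create", "d": "delete", "r": "read", "w": "write", "a": "admin"}

# Constructed sample input: the getAcl output quoted in the report.
SAMPLE_GETACL = """'world,'anyone
: r
'sasl,'kafka/server1.xxx.com@XXX.COM
: cdrwa
"""

# The three broker principals from the report (assumed to be exactly these strings).
BROKER_PRINCIPALS = [
    "kafka/server1.xxx.com@XXX.COM",
    "kafka/server2.xxx.com@XXX.COM",
    "kafka/server3.xxx.com@XXX.COM",
]


@dataclass(frozen=True)
class AclEntry:
    scheme: str       # "world", "sasl", "digest", ...
    identity: str     # "anyone" or the SASL principal
    perms: frozenset  # subset of PERM_LETTERS keys


def parse_getacl(text):
    """Parse zookeeper-shell getAcl output: pairs of "'scheme,'id" and ": perms" lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("getAcl output must come in id/perm line pairs")
    entries = []
    for id_line, perm_line in zip(lines[::2], lines[1::2]):
        m = re.fullmatch(r"'([^,]+),'(.*)", id_line)
        if not m or not perm_line.startswith(":"):
            raise ValueError(f"unrecognised getAcl lines: {id_line!r} / {perm_line!r}")
        perms = perm_line[1:].strip()
        unknown = set(perms) - PERM_LETTERS.keys()
        if unknown:
            raise ValueError(f"unknown permission letters: {sorted(unknown)}")
        entries.append(AclEntry(m.group(1), m.group(2), frozenset(perms)))
    return entries


def granted_perms(entries, sasl_principal):
    """Union of permissions a client authenticated via SASL as `sasl_principal` holds.

    world:anyone entries apply to everyone; sasl entries apply only when the
    authenticated id matches the ACL id exactly. ZooKeeper's SASL provider uses
    the full authenticated name, so kafka/server2... never matches an entry
    granted to kafka/server1...
    """
    perms = set()
    for e in entries:
        if e.scheme == "world" and e.identity == "anyone":
            perms |= e.perms
        elif e.scheme == "sasl" and e.identity == sasl_principal:
            perms |= e.perms
    return frozenset(perms)


def can(entries, sasl_principal, perm_letter):
    """True if the principal holds the given permission letter on the znode."""
    return perm_letter in granted_perms(entries, sasl_principal)


def brokers_allowed_to_update(entries, principals):
    """Principals that could perform setData (needs 'w'), i.e. run kafka-acls.sh successfully."""
    return [p for p in principals if can(entries, p, "w")]


if __name__ == "__main__":
    acl = parse_getacl(SAMPLE_GETACL)
    for p in BROKER_PRINCIPALS:
        held = "".join(sorted(granted_perms(acl, p)))
        verdict = "ok" if can(acl, p, "w") else "NoAuth on setData"
        print(f"{p}: perms={held or '-'} -> {verdict}")
```

Run as written, the script reports the first principal with cdrwa and the other two with only r, which is exactly the situation behind the log line in the report. Two things a practitioner would check from this: first, that every broker (and the host where kafka-acls.sh is run) authenticates to ZooKeeper as the same principal name, since per-host principals produce a different SASL id per node; second, that ZooKeeper's SASL provider can be told to ignore the host and realm parts when forming the id (the server-side system properties zookeeper.kerberos.removeHostFromPrincipal and zookeeper.kerberos.removeRealmFromPrincipal), which makes kafka/serverN@REALM all map to the id "kafka" and lets the per-host keytabs in the report share one ACL.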
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)