Posted to users@kafka.apache.org by HG <ha...@gmail.com> on 2018/08/23 09:32:09 UTC

Cannot create topics when zookeeper.set.acl=true

Hi,

I have an environment with SSL, SASL and ACLs enabled.
When I set zookeeper.set_acl=true in the server.properties file of the
brokers I cannot create topics, ACLs etc.

[root@host201 kafka]# bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:admin --operation All --topic '*' --cluster
Error while executing ACL command: KeeperErrorCode = NoAuth for /kafka-acl/Topic
org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /kafka-acl/Topic
        at org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
    ..
I have specified super users too in the server.properties.

Any ideas what I am doing wrong?

Regards Hans

Re: Cannot create topics when zookeeper.set.acl=true

Posted by HG <ha...@gmail.com>.
But thanks anyway for the quick answer.


On Thu 23 Aug 2018 at 14:38 HG <ha...@gmail.com> wrote:

> Well it works fine when I do:
> export "KAFKA_OPTS=-Djava.security.auth.login.config=/u01/kafka/config/kafka_server_jaas.conf"

Re: Cannot create topics when zookeeper.set.acl=true

Posted by HG <ha...@gmail.com>.
Well it works fine when I do:
export "KAFKA_OPTS=-Djava.security.auth.login.config=/u01/kafka/config/kafka_server_jaas.conf"

On Thu 23 Aug 2018 at 14:25 Manikumar <ma...@gmail.com> wrote:

> *zk does NOT support PlainLoginModule.*

Re: Cannot create topics when zookeeper.set.acl=true

Posted by Manikumar <ma...@gmail.com>.
*zk does NOT support PlainLoginModule.*

On Thu, Aug 23, 2018 at 5:54 PM Manikumar <ma...@gmail.com> wrote:

> No, zk does support PlainLoginModule. While using the kafka-acls.sh script
> with kerberized zk, we need to pass the required Kerberos credentials.
>
> The AdminClient API is an API to perform administrative actions (create/delete
> topics, create/delete ACLs etc.).
> This avoids direct communication with zk. Check the links below for more
> details:
>
> https://kafka.apache.org/20/javadoc/org/apache/kafka/clients/admin/KafkaAdminClient.html
> Examples: https://github.com/apache/kafka/pull/5200/files
> http://kafka.apache.org/documentation/#adminclientconfigs
> To configure SASL/PLAIN on clients:
> http://kafka.apache.org/documentation/#security_sasl_plain_clientconfig

Re: Cannot create topics when zookeeper.set.acl=true

Posted by Manikumar <ma...@gmail.com>.
No, zk does support PlainLoginModule. While using the kafka-acls.sh script with
kerberized zk, we need to pass the required Kerberos credentials.

The AdminClient API is an API to perform administrative actions (create/delete
topics, create/delete ACLs etc.).
This avoids direct communication with zk. Check the links below for more
details:

https://kafka.apache.org/20/javadoc/org/apache/kafka/clients/admin/KafkaAdminClient.html
Examples: https://github.com/apache/kafka/pull/5200/files
http://kafka.apache.org/documentation/#adminclientconfigs
To configure SASL/PLAIN on clients:
http://kafka.apache.org/documentation/#security_sasl_plain_clientconfig

On Thu, Aug 23, 2018 at 5:20 PM HG <ha...@gmail.com> wrote:

> Hi,
>
> I am not using kerberos only
>
> Client {
>    org.apache.kafka.common.security.plain.PlainLoginModule required
>    username="user"
>    password="user-secret";
> };
>
> Does that make a difference?
>
> What do you mean with AdminClient API?
>
> Regards Hans
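
Added example, not part of the original thread: the AdminClient route described in the message above, creating the same grant as the kafka-acls.sh call (User:admin, All, topic '*' and the cluster) through a broker instead of ZooKeeper, written against the Kafka 2.0+ Java client. The listener address, truststore path, environment variable names and class name are assumptions; the connecting principal must be a super user or already hold Alter on the cluster.

```java
import java.util.Arrays;
import java.util.Properties;
import java.util.concurrent.ExecutionException;

import org.apache.kafka.clients.admin.AdminClient;
import org.apache.kafka.clients.admin.AdminClientConfig;
import org.apache.kafka.common.acl.AccessControlEntry;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.acl.AclPermissionType;
import org.apache.kafka.common.errors.ClusterAuthorizationException;
import org.apache.kafka.common.errors.SecurityDisabledException;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.resource.ResourcePattern;
import org.apache.kafka.common.resource.ResourceType;

public class AddAdminAcls {   // hypothetical class name
    public static void main(String[] args) throws InterruptedException {
        Properties props = new Properties();
        // Assumed values: SASL_SSL listener, truststore and credentials of your cluster.
        props.put(AdminClientConfig.BOOTSTRAP_SERVERS_CONFIG, "localhost:9093");
        props.put("security.protocol", "SASL_SSL");
        props.put("sasl.mechanism", "PLAIN");
        // The client authenticates to the broker with SASL/PLAIN; no ZooKeeper
        // "Client" JAAS section is involved on this path.
        props.put("sasl.jaas.config",
            "org.apache.kafka.common.security.plain.PlainLoginModule required "
            + "username=\"admin\" password=\""
            + System.getenv("KAFKA_ADMIN_PASSWORD") + "\";");   // assumed env var
        props.put("ssl.truststore.location", "/path/to/client.truststore.jks");
        props.put("ssl.truststore.password",
            System.getenv("KAFKA_TRUSTSTORE_PASSWORD"));        // assumed env var

        // Allow User:admin every operation from any host.
        AccessControlEntry allowAll = new AccessControlEntry(
            "User:admin", "*", AclOperation.ALL, AclPermissionType.ALLOW);
        // --topic '*' : the wildcard is a LITERAL pattern named "*".
        AclBinding allTopics = new AclBinding(
            new ResourcePattern(ResourceType.TOPIC, "*", PatternType.LITERAL), allowAll);
        // --cluster : the cluster resource is always named "kafka-cluster".
        AclBinding cluster = new AclBinding(
            new ResourcePattern(ResourceType.CLUSTER, "kafka-cluster", PatternType.LITERAL),
            allowAll);

        try (AdminClient admin = AdminClient.create(props)) {
            // The broker's authorizer writes the ACL znodes under its own identity.
            admin.createAcls(Arrays.asList(allTopics, cluster)).all().get();
            System.out.println("ACLs created through the broker");
        } catch (ExecutionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof ClusterAuthorizationException) {
                System.err.println("Principal lacks Alter on the cluster resource");
            } else if (cause instanceof SecurityDisabledException) {
                System.err.println("No authorizer is configured on the broker");
            } else {
                System.err.println("createAcls failed: " + cause);
            }
            System.exit(1);
        }
    }
}
```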

Re: Cannot create topics when zookeeper.set.acl=true

Posted by HG <ha...@gmail.com>.
Hi,

I am not using kerberos only

Client {
   org.apache.kafka.common.security.plain.PlainLoginModule required
   username="user"
   password="user-secret";
};

Does that make a difference?

What do you mean with AdminClient API?

Regards Hans

On Thu 23 Aug 2018 at 13:34 Manikumar <ma...@gmail.com> wrote:

> We can pass the JAAS conf by exporting the variable below before starting the
> kafka-acls.sh script. Another option is to use the AdminClient API.
>
> export KAFKA_OPTS="-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=zk_client_jaas.conf"
>
> zk_client_jaas.conf:
> // Zookeeper client authentication
> Client {
>     com.sun.security.auth.module.Krb5LoginModule required
>     useKeyTab=true
>     storeKey=true
>     keyTab="/etc/security/keytabs/kafka_server.keytab"
>     principal="kafka/kafka1.hostname.com@EXAMPLE.COM";
> };

Re: Cannot create topics when zookeeper.set.acl=true

Posted by Manikumar <ma...@gmail.com>.
We can pass the JAAS conf by exporting the variable below before starting the
kafka-acls.sh script. Another option is to use the AdminClient API.

export KAFKA_OPTS="-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=zk_client_jaas.conf"

zk_client_jaas.conf:
// Zookeeper client authentication
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/etc/security/keytabs/kafka_server.keytab"
    principal="kafka/kafka1.hostname.com@EXAMPLE.COM";
};

On Thu, Aug 23, 2018 at 4:44 PM HG <ha...@gmail.com> wrote:

> Hi,
>
> I searched for an option with which I can provide credentials but I did not
> find them.
> Is there another way to reach the same goal?
> Regards Hans

Re: Cannot create topics when zookeeper.set.acl=true

Posted by HG <ha...@gmail.com>.
Hi,

I searched for an option with which I can provide credentials but I did not
find them.
Is there another way to reach the same goal?
Regards Hans

On Thu 23 Aug 2018 at 13:00 Manikumar <ma...@gmail.com> wrote:

> The "kafka-acls.sh" script communicates directly with ZooKeeper.
> We should run kafka-acls.sh as the kafka user (super user) to get write
> permission on zk.
> We should pass the required JAAS conf to the script.

Re: Cannot create topics when zookeeper.set.acl=true

Posted by Manikumar <ma...@gmail.com>.
The "kafka-acls.sh" script communicates directly with ZooKeeper.
We should run kafka-acls.sh as the kafka user (super user) to get write
permission on zk.
We should pass the required JAAS conf to the script.

On Thu, Aug 23, 2018 at 3:02 PM HG <ha...@gmail.com> wrote:

> Hi,
>
> I have an environment with SSL, SASL and ACLs enabled.
> When I set zookeeper.set_acl=true in the server.properties file of the
> brokers I cannot create topics, ACLs etc.
>
> [root@host201 kafka]# bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:admin --operation All --topic '*' --cluster
> Error while executing ACL command: KeeperErrorCode = NoAuth for /kafka-acl/Topic
> org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /kafka-acl/Topic
>         at org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
>     ..
> I have specified super users too in the server.properties.
>
> Any ideas what I am doing wrong?
>
> Regards Hans
>