Posted to users@kafka.apache.org by "Pawley, John" <Jo...@sky.uk> on 2016/04/20 13:08:14 UTC

Authorization Question

Hello,

We have managed to enable the SimpleAuthorizer for Kafka, and we can no longer connect to the local queue without authorization. However we can't figure out how to supply a username when trying to connect from the console producer. We have already added users with permissions via the kafka-acls shell script.

Regards,
John

Re: Authorization Question

Posted by Tom Crayford <tc...@heroku.com>.
Note that the SSL username is the subject of the client certificate -
without client certs you don't get custom usernames.

On Wed, Apr 20, 2016 at 2:39 PM, Harsh J <ha...@cloudera.com> wrote:

> Username would need to come in from the authentication layer.
>
> What is your choice of authentication mode? Based on SSL vs. Kerberos,
> you'll need to configure the clients per
> http://kafka.apache.org/documentation.html#security_configclients (SSL)
> which requires using a configuration properties file passed to the console
> producer via --producer.config, or
> http://kafka.apache.org/documentation.html#security_sasl_clientconfig
> (Kerberos/SASL)
> which requires creating a JAAS definition file and passing it to the
> console producer by passing the file into the JVM opts via something like:
>
> ~> export KAFKA_OPTS="-Djava.security.auth.login.config=/path/to/valid/JAAS.conf"
> ~> kafka-console-producer.sh (…)
>
> On Wed, 20 Apr 2016 at 16:38 Pawley, John <Jo...@sky.uk> wrote:
>
> > Hello,
> >
> > We have managed to enable the SimpleAuthorizer for Kafka, and we can no
> > longer connect to the local queue without authorization. However we can't
> > figure out how to supply a username when trying to connect from the console
> > producer. We have already added users with permissions via the kafka-acls
> > shell script.
> >
> > Regards,
> > John
> >
>

Re: Authorization Question

Posted by Harsh J <ha...@cloudera.com>.
Username would need to come in from the authentication layer.

What is your choice of authentication mode? Based on SSL vs. Kerberos,
you'll need to configure the clients per
http://kafka.apache.org/documentation.html#security_configclients (SSL)
which requires using a configuration properties file passed to the console
producer via --producer.config, or
http://kafka.apache.org/documentation.html#security_sasl_clientconfig
(Kerberos/SASL)
which requires creating a JAAS definition file and passing it to the
console producer by passing the file into the JVM opts via something like:

~> export KAFKA_OPTS="-Djava.security.auth.login.config=/path/to/valid/JAAS.conf"
~> kafka-console-producer.sh (…)

On Wed, 20 Apr 2016 at 16:38 Pawley, John <Jo...@sky.uk> wrote:

> Hello,
>
> We have managed to enable the SimpleAuthorizer for Kafka, and we can no
> longer connect to the local queue without authorization. However we can't
> figure out how to supply a username when trying to connect from the console
> producer. We have already added users with permissions via the kafka-acls
> shell script.
>
> Regards,
> John
>
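
The two client setups described in this reply, written out as an added example (not part of the original thread or of Kafka's own scripts). All paths, passwords, host names and principals are placeholders, and the two `*_acl_principal` helpers assume the broker uses its default principal mapping: the full certificate subject for SSL, the primary part of the Kerberos principal for SASL.

```shell
#!/bin/sh
# Added example; every path, password and principal below is a placeholder.

# SSL client auth: the broker takes the user name from the client certificate
# subject, so the keystore must hold the client's own key and certificate.
write_ssl_client_config() {   # args: out-file keystore truststore
    cat > "$1" <<EOF
security.protocol=SSL
ssl.truststore.location=$3
ssl.truststore.password=CHANGE_ME
ssl.keystore.location=$2
ssl.keystore.password=CHANGE_ME
ssl.key.password=CHANGE_ME
EOF
    chmod 600 "$1"            # the file carries keystore passwords
}

# Kerberos/SASL: a JAAS file for the JVM plus a small properties file.
write_kerberos_client_config() {   # args: jaas-file props-file keytab principal
    cat > "$1" <<EOF
KafkaClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="$3"
    principal="$4";
};
EOF
    printf '%s\n' 'security.protocol=SASL_PLAINTEXT' \
                  'sasl.kerberos.service.name=kafka' > "$2"
}

# Name that the default principal mapping (assumed here) yields, i.e. what the
# ACL created with kafka-acls has to name for the authorizer to match.
ssl_acl_principal()      { printf 'User:%s\n' "$1"; }            # full subject DN
kerberos_acl_principal() { p=${1%%@*}; printf 'User:%s\n' "${p%%/*}"; }  # primary only

# Typical use (broker address and topic are placeholders):
#   write_ssl_client_config client-ssl.properties /path/client.keystore.jks /path/client.truststore.jks
#   kafka-console-producer.sh --broker-list broker:9093 --topic test \
#       --producer.config client-ssl.properties
#   write_kerberos_client_config JAAS.conf client-sasl.properties /path/client.keytab client@EXAMPLE.COM
#   export KAFKA_OPTS="-Djava.security.auth.login.config=$PWD/JAAS.conf"
#   kafka-console-producer.sh --broker-list broker:9092 --topic test \
#       --producer.config client-sasl.properties
```

If the principal printed by the helper differs from the one given to kafka-acls, the connection authenticates but the authorizer still denies the request.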

Re: Authorization Question

Posted by westfox <we...@gmail.com>.
John,

Setting up SASL with a username that matches the one you set in the ACL will work for your case.
You can follow the steps in the official documentation.

Ping

On Wed, Apr 20, 2016 at 6:08 AM, Pawley, John <Jo...@sky.uk> wrote:

> Hello,
>
> We have managed to enable the SimpleAuthorizer for Kafka, and we can no
> longer connect to the local queue without authorization. However we can't
> figure out how to supply a username when trying to connect from the console
> producer. We have already added users with permissions via the kafka-acls
> shell script.
>
> Regards,
> John
>