Posted to users@kafka.apache.org by Jun Wang <wj...@hotmail.com> on 2020/05/18 15:09:51 UTC

ACLs - How To Allow Anyone To Access of A Topic

Hi

I would like to allow anyone to access a topic, even authenticated users. I assume the following ACLs should be sufficient.

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=test3, patternType=LITERAL)`:
(principal=User:ANONYMOUS, host=*, operation=ALL, permissionType=ALLOW)

It works for an unauthenticated user, but I get a "Not authorized to access topics: [test3]" error for an authenticated user, alice.
I have to add a specific new rule for User:alice, as follows, in order to get rid of the error:

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=test3, patternType=LITERAL)`:
(principal=User:ANONYMOUS, host=*, operation=ALL, permissionType=ALLOW)
(principal=User:alice, host=*, operation=ALL, permissionType=ALLOW)  //new rule

Maybe the ACLs are not correct. Please let me know if you have any suggestions.

Thanks
Jun


Re: ACLs - How To Allow Anyone To Access of A Topic

Posted by Jun Wang <wj...@hotmail.com>.
It turns out that Kafka ACLs support a wildcard principal; I missed this in the documentation.

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=test3, patternType=LITERAL)`:
  (principal=User:*, host=*, operation=ALL, permissionType=ALLOW)

It is good now.


Re: ACLs - How To Allow Anyone To Access of A Topic

Posted by Jun Wang <wj...@hotmail.com>.
I am testing in a dev environment; maybe it does not make sense in production.

See my detailed explanation below and a rephrasing of the question:

1. I have mixed authenticated and unauthenticated users in the system.

For example:
listeners=PLAINTEXT://localhost:9092,SASL_PLAINTEXT://localhost:9093

Users coming to port 9092 are unauthenticated, thus ANONYMOUS;
users coming to port 9093 are SASL authenticated.

2. I want fine-grained access control over topics, so I set allow.everyone.if.no.acl.found=false.

3. I want some topics to be private to certain users and some topics public to everyone.

| Topic Name | test1 | test2 | test3    |
|------------+-------+-------+----------|
| ACLs       | Bob   | Alice | Everyone |

The focus is on the ACLs of the test3 topic.

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=test3, patternType=LITERAL)`:
line 1: (principal=User:ANONYMOUS, host=*, operation=ALL, permissionType=ALLOW)
line 2: (principal=User:bob, host=*, operation=ALL, permissionType=ALLOW)  // rule for Bob
line 3: (principal=User:alice, host=*, operation=ALL, permissionType=ALLOW)  // rule for Alice

I have to set up the explicit rule on line 1 to allow anonymous access, and lines 2 and 3 for Bob and Alice.

I thought line 1 already covered lines 2 and 3, so lines 2 and 3 are redundant.
Do we need lines 2 and 3 at all?

Thanks
Jun


Re: ACLs - How To Allow Anyone To Access of A Topic

Posted by Andrew Otto <ot...@wikimedia.org>.
If I understand correctly, if your client authenticates, there must be an
ACL for that principal, otherwise it will fail authorization.

If you are going to allow everything anyway, perhaps you don't need to
authenticate?
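The behaviour discussed in this thread comes down to how Kafka's default authorizer matches an ACL's principal against the session principal. The following Python model is an added example written for this page; it is not code from Kafka or from anyone in the thread. It follows the matching rules as documented for AclAuthorizer: DENY beats ALLOW, the wildcard principal User:* matches any principal, User:ANONYMOUS is an ordinary principal that matches only unauthenticated sessions, host "*" matches any client address, operation ALL matches any operation, and allow.everyone.if.no.acl.found is consulted only for a resource that has no ACLs at all. The client address 10.0.0.5, the extra principal User:mallory and the topic test4 are constructed for the example; super.users and the authorizer's caching are left out.

```python
"""Model of the matching rules of Kafka's default ACL authorizer.

Added example for this thread, not code from Kafka.  Mirrors the documented
semantics of kafka.security.authorizer.AclAuthorizer; super.users and the
ACL cache are omitted.  Sample addresses and principals are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

ANONYMOUS = "User:ANONYMOUS"        # principal of a client on an unauthenticated (PLAINTEXT) listener
WILDCARD_PRINCIPAL = "User:*"       # matches every principal, authenticated or not
IMPLIES_DESCRIBE = {"READ", "WRITE", "DELETE", "ALTER"}  # an ALLOW for these also grants DESCRIBE


@dataclass(frozen=True)
class Acl:
    principal: str
    host: str        # client IP or "*"
    operation: str   # READ, WRITE, DESCRIBE, ... or ALL
    permission: str  # ALLOW or DENY


@dataclass(frozen=True)
class Resource:
    resource_type: str             # TOPIC, GROUP, CLUSTER, ...
    name: str
    pattern_type: str = "LITERAL"  # LITERAL or PREFIXED


class Authorizer:
    def __init__(self, allow_everyone_if_no_acl_found: bool = False):
        self.allow_everyone = allow_everyone_if_no_acl_found
        self.acls: dict[Resource, set[Acl]] = {}

    def add(self, resource: Resource, acl: Acl) -> None:
        self.acls.setdefault(resource, set()).add(acl)

    def _acls_for(self, resource_type: str, name: str) -> set[Acl]:
        """Every ACL whose resource pattern covers this resource name."""
        found: set[Acl] = set()
        for res, acls in self.acls.items():
            if res.resource_type != resource_type:
                continue
            if res.pattern_type == "LITERAL" and res.name in (name, "*"):
                found |= acls
            elif res.pattern_type == "PREFIXED" and name.startswith(res.name):
                found |= acls
        return found

    @staticmethod
    def _matches(acl: Acl, principal: str, host: str, operation: str) -> bool:
        # The principal comparison is exact apart from the User:* wildcard;
        # User:ANONYMOUS is just one more exact value.
        return (acl.principal in (principal, WILDCARD_PRINCIPAL)
                and acl.host in (host, "*")
                and acl.operation in (operation, "ALL"))

    def authorize(self, principal: str, host: str, operation: str,
                  resource_type: str, name: str) -> bool:
        acls = self._acls_for(resource_type, name)
        if not acls:                      # no ACLs for this resource: broker default applies
            return self.allow_everyone
        if any(a.permission == "DENY" and self._matches(a, principal, host, operation)
               for a in acls):
            return False                  # an explicit DENY always wins
        wanted = {operation} | (IMPLIES_DESCRIBE if operation == "DESCRIBE" else set())
        return any(a.permission == "ALLOW" and self._matches(a, principal, host, op)
                   for a in acls for op in wanted)


def thread_scenario() -> dict[str, bool]:
    """Replay the thread on topic test3: ANONYMOUS-only ACL, then the User:* ACL."""
    test3 = Resource("TOPIC", "test3")
    before = Authorizer(allow_everyone_if_no_acl_found=False)
    before.add(test3, Acl(ANONYMOUS, "*", "ALL", "ALLOW"))
    after = Authorizer(allow_everyone_if_no_acl_found=False)
    after.add(test3, Acl(WILDCARD_PRINCIPAL, "*", "ALL", "ALLOW"))
    host = "10.0.0.5"  # constructed client address
    return {
        "anonymous_before": before.authorize(ANONYMOUS, host, "READ", "TOPIC", "test3"),
        "alice_before": before.authorize("User:alice", host, "READ", "TOPIC", "test3"),
        "anonymous_after": after.authorize(ANONYMOUS, host, "READ", "TOPIC", "test3"),
        "alice_after": after.authorize("User:alice", host, "READ", "TOPIC", "test3"),
    }


def private_and_public_topics() -> dict[str, bool]:
    """The three-topic layout from the thread, plus a DENY and the no-ACL default."""
    host = "10.0.0.5"
    az = Authorizer(allow_everyone_if_no_acl_found=False)
    az.add(Resource("TOPIC", "test1"), Acl("User:bob", "*", "ALL", "ALLOW"))
    az.add(Resource("TOPIC", "test2"), Acl("User:alice", "*", "ALL", "ALLOW"))
    az.add(Resource("TOPIC", "test3"), Acl(WILDCARD_PRINCIPAL, "*", "ALL", "ALLOW"))
    az.add(Resource("TOPIC", "test3"), Acl("User:mallory", "*", "ALL", "DENY"))  # constructed
    permissive = Authorizer(allow_everyone_if_no_acl_found=True)
    permissive.acls = az.acls  # same ACLs, only the broker default differs
    return {
        "bob_test1": az.authorize("User:bob", host, "WRITE", "TOPIC", "test1"),
        "alice_test1": az.authorize("User:alice", host, "READ", "TOPIC", "test1"),
        "anonymous_test1": az.authorize(ANONYMOUS, host, "READ", "TOPIC", "test1"),
        "alice_test3": az.authorize("User:alice", host, "READ", "TOPIC", "test3"),
        "mallory_test3": az.authorize("User:mallory", host, "READ", "TOPIC", "test3"),
        "unlisted_default_false": az.authorize("User:bob", host, "READ", "TOPIC", "test4"),
        "unlisted_default_true": permissive.authorize("User:bob", host, "READ", "TOPIC", "test4"),
        "alice_test1_default_true": permissive.authorize("User:alice", host, "READ", "TOPIC", "test1"),
    }


if __name__ == "__main__":
    for case, allowed in {**thread_scenario(), **private_and_public_topics()}.items():
        print(f"{case:26} {'ALLOW' if allowed else 'DENY'}")
```

The first function reproduces the thread: a User:ANONYMOUS ACL is an exact-match rule for one principal, not a catch-all, so alice's SASL principal User:alice matches nothing on test3 and is denied; User:* matches every principal, including ANONYMOUS on the PLAINTEXT listener. The second function shows the points a practitioner should keep in mind with this layout: a topic that has ACLs for someone else is closed to everybody who is not listed, a DENY on test3 overrides the User:* ALLOW, and allow.everyone.if.no.acl.found=true only opens topics that have no ACLs at all (test4), never one that already has some (test1). A public topic defined with User:* is readable by anything that can reach the PLAINTEXT port; the CLI equivalent of the working ACL is kafka-acls.sh --add --allow-principal 'User:*' --operation All --topic test3, with --bootstrap-server (or --authorizer-properties) pointing at the cluster.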