Posted to dev@kafka.apache.org by "Raghu Baddam (JIRA)" <ji...@apache.org> on 2016/12/16 21:18:58 UTC

[jira] [Comment Edited] (KAFKA-3687) Internal Authorization Failure at startup with ACLs and security.inter.broker.protocol=PLAINTEXT

    [ https://issues.apache.org/jira/browse/KAFKA-3687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15755523#comment-15755523 ] 

Raghu Baddam edited comment on KAFKA-3687 at 12/16/16 9:17 PM:
---------------------------------------------------------------

[~ijuma]: I am using the SSL port, but I am still getting the above error, i.e.

{code}
[2016-12-16 20:56:45,290] DEBUG Principal = User:ANONYMOUS is Denied Operation = Describe from host = 172.28.89.63 on resource = Topic:my-ssl-topic (kafka.authorizer.logger)
{code}

Could you please help me with setting a custom user name with SSL? For more details, please check below:

{code}
I am trying to enable ACLs in my Kafka cluster along with the SSL protocol.

I tried each and every parameter but with no luck, so I need help enabling SSL (without Kerberos); I am attaching all the configuration details here.

Kindly help me.


I tested SSL without ACL, it worked fine (listeners=SSL://10.247.195.122:9093)


This is my Kafka server properties file:

############################# ACL SETTINGS #############################

auto.create.topics.enable=true

authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer

security.inter.broker.protocol=SSL

#allow.everyone.if.no.acl.found=true

#principal.builder.class=CustomizedPrincipalBuilderClass

#super.users=User:"CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown"

#super.users=User:Raghu;User:Admin

#offsets.storage=kafka

#dual.commit.enabled=true


listeners=SSL://10.247.195.122:9093

#listeners=PLAINTEXT://10.247.195.122:9092

#listeners=PLAINTEXT://10.247.195.122:9092,SSL://10.247.195.122:9093

#advertised.listeners=PLAINTEXT://10.247.195.122:9092



ssl.keystore.location=/home/raghu/kafka/security/server.keystore.jks

ssl.keystore.password=123456

ssl.key.password=123456

ssl.truststore.location=/home/raghu/kafka/security/server.truststore.jks

ssl.truststore.password=123456





Set the ACL from Authorizer CLI:

> bin/kafka-acls.sh --authorizer-properties zookeeper.connect=10.247.195.122:2181 --list --topic ssltopic

Current ACLs for resource `Topic:ssltopic`: 

 	User:CN=writeuser, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown has Allow permission for operations: Write from hosts: * 



XXXWMXXX-7:kafka_2.11-0.10.1.0 rbaddam$ bin/kafka-console-producer.sh --broker-list 10.247.195.122:9093 --topic ssltopic --producer.config client-ssl.properties



[2016-12-13 14:53:45,839] WARN Error while fetching metadata with correlation id 0 : {ssltopic=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)

[2016-12-13 14:53:45,984] WARN Error while fetching metadata with correlation id 1 : {ssltopic=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)



XXXWMXXX-7:kafka_2.11-0.10.1.0 rbaddam$ cat client-ssl.properties

#group.id=sslgroup

security.protocol=SSL

ssl.truststore.location=/Users/rbaddam/Desktop/Dev/kafka_2.11-0.10.1.0/ssl/client.truststore.jks

ssl.truststore.password=123456

# Configure below if you use client auth

ssl.keystore.location=/Users/rbaddam/Desktop/Dev/kafka_2.11-0.10.1.0/ssl/client.keystore.jks

ssl.keystore.password=123456

ssl.key.password=123456



XXXWMXXX-7:kafka_2.11-0.10.1.0 rbaddam$ bin/kafka-console-consumer.sh --bootstrap-server 10.247.195.122:9093 --new-consumer --consumer.config client-ssl.properties --topic ssltopic --from-beginning

[2016-12-13 14:53:28,817] WARN Error while fetching metadata with correlation id 1 : {ssltopic=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)

[2016-12-13 14:53:28,819] ERROR Unknown error when running consumer:  (kafka.tools.ConsoleConsumer$)

org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to access group: console-consumer-52826



Thanks in advance,
Raghu
{code}


was (Author: raghu98499@gmail.com):
[~ijuma]: I am using the SSL port, but I am still getting the above error, i.e.

{code}
[2016-12-16 20:56:45,290] DEBUG Principal = User:ANONYMOUS is Denied Operation = Describe from host = 172.28.89.63 on resource = Topic:my-ssl-topic (kafka.authorizer.logger)
{code}

Could you please help me with setting a custom user name with SSL? For more details, please check below:

https://www.mail-archive.com/dev@kafka.apache.org/msg62411.html

> Internal Authorization Failure at startup with ACLs and security.inter.broker.protocol=PLAINTEXT
> ------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-3687
>                 URL: https://issues.apache.org/jira/browse/KAFKA-3687
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 0.10.0.0
>            Reporter: Edoardo Comar
>
> The root cause is this failure in the authorizer.log at server startup:
> [] DEBUG Principal = User:ANONYMOUS is Denied Operation = ClusterAction from host = 192.168.10.22 on resource = Cluster:kafka-cluster (kafka.authorizer.logger)
> and has the *consequence that it's impossible to authorize a producer*.
> Steps to reproduce :
> [~mimaison] and I launched a single broker and a console producer,
> using the SASL_PLAIN authentication between producer and broker.
> Created a topic "testtopic".
> The broker is configured with the SimpleAclAuthorizer
> and the ACL created for the producer is  :
> ./kafkacls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:edo1  --producer --topic testtopic
> which results in :
> Current ACLs for resource `Topic:testtopic`: 
>  	User:edo1 has Allow permission for operations: Write from hosts: *
> 	User:edo1 has Allow permission for operations: Describe from hosts: * 
> Current ACLs for resource `Cluster:kafka-cluster`: 
>  	User:edo1 has Allow permission for operations: Create from hosts: * 
> However running the producer, we got:
> [] WARN Error while fetching metadata with correlation id 0 : {testtopic=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
> Looking at the code, the UpdateMetadataRequest that the single broker sends to itself on startup,
> which comes through as a request with User:ANONYMOUS, gets denied by the Authoriser
> (in KafkaApis.handleUpdateMetadataRequest)
> and the MetadataCache is never updated.
> When the first producer requests come through, in KafkaApis.handleTopicMetadataRequest
> the MetadataCache is empty and so we get UNKNOWN_TOPIC_OR_PARTITION.
> ================================
> configuration used:
> server.properties:
> listeners=PLAINTEXT://:9092,SASL_PLAINTEXT://:9093
> sasl.enabled.mechanisms=PLAIN
> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
> producer.properties
> bootstrap.servers=localhost:9093
> security.protocol=SASL_PLAINTEXT
> sasl.mechanism=PLAIN
> producer jaas.conf
> KafkaClient {
>   org.apache.kafka.common.security.plain.PlainLoginModule required
>   serviceName="kafka"
>     username="edo1"
>     password="edo1pwd";
> };
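Added example, not code from this thread or from Apache Kafka: a small Python audit for the two situations discussed above that both surface as "Principal = User:ANONYMOUS is Denied ..." in the authorizer log. It checks a broker's server.properties (inter-broker traffic over PLAINTEXT as in the original report; an SSL listener without ssl.client.auth=required as in the later comment), scans authorizer log lines in the format quoted in the thread, and compares an ACL principal against a certificate subject the way SimpleAclAuthorizer does (exact string match; the SSL principal is the subject DN in RFC 2253 form, which has no space after the separating commas, whereas the ACL listed in the thread has one). The embedded properties and log lines are constructed from what the thread quotes; the audit rules are this example's own reading of Kafka's documented behaviour, not a Kafka API.

```python
"""Audit a Kafka broker's SSL + ACL setup for the misconfigurations that show up
in the authorizer log as 'Principal = User:ANONYMOUS is Denied ...'.

Added example (not from the JIRA thread or Apache Kafka). Assumed facts:
  * PLAINTEXT connections, and SSL connections with no client certificate,
    are mapped to the principal User:ANONYMOUS;
  * the broker setting ssl.client.auth defaults to 'none', so SSL clients
    are never asked for a certificate unless it is set to 'required';
  * SimpleAclAuthorizer compares principal strings exactly, and the SSL
    principal is the certificate subject in RFC 2253 form (no space after commas).
"""
import re
from typing import Dict, List

# Constructed from the server.properties posted in the thread (ACL-relevant keys only).
SERVER_PROPERTIES = """\
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
security.inter.broker.protocol=SSL
listeners=SSL://10.247.195.122:9093
ssl.keystore.location=/home/raghu/kafka/security/server.keystore.jks
ssl.truststore.location=/home/raghu/kafka/security/server.truststore.jks
"""

# Constructed from the original bug report: authorizer on, inter-broker traffic left at
# the PLAINTEXT default.
PLAINTEXT_INTER_BROKER = """\
listeners=PLAINTEXT://:9092,SASL_PLAINTEXT://:9093
sasl.enabled.mechanisms=PLAIN
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
"""

# Constructed authorizer DEBUG lines in the format quoted in the thread.
AUTHORIZER_LOG = """\
[2016-12-16 20:56:45,290] DEBUG Principal = User:ANONYMOUS is Denied Operation = Describe from host = 172.28.89.63 on resource = Topic:my-ssl-topic (kafka.authorizer.logger)
[2016-12-16 20:56:46,001] DEBUG Principal = User:CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown is Allowed Operation = Write from host = 172.28.89.63 on resource = Topic:my-ssl-topic (kafka.authorizer.logger)
"""

LOG_RE = re.compile(
    r"Principal = (?P<principal>\S+) is (?P<verdict>Allowed|Denied) "
    r"Operation = (?P<op>\S+) from host = (?P<host>\S+) on resource = (?P<resource>\S+)"
)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: key=value lines, '#' comments skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def listener_protocols(listeners: str) -> List[str]:
    """'SSL://h:9093,SASL_SSL://h:9094' -> ['SSL', 'SASL_SSL'] (scheme only, so SASL_SSL is not SSL)."""
    return [entry.split("://", 1)[0].strip() for entry in listeners.split(",") if "://" in entry]


def audit_server_properties(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    props = parse_properties(text)
    findings: List[str] = []
    if not props.get("authorizer.class.name"):
        return findings  # no authorizer configured: ACLs are not enforced at all
    if props.get("security.inter.broker.protocol", "PLAINTEXT") == "PLAINTEXT":
        findings.append("security.inter.broker.protocol=PLAINTEXT: the broker's own requests arrive as "
                        "User:ANONYMOUS and need ClusterAction (or a super.users entry); use an "
                        "authenticated inter-broker protocol")
    if "SSL" in listener_protocols(props.get("listeners", "")) and props.get("ssl.client.auth", "none") != "required":
        findings.append("ssl.client.auth is not 'required': SSL clients are not asked for a certificate, "
                        "so they are User:ANONYMOUS and fail every ACL check")
    if props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append("allow.everyone.if.no.acl.found=true: resources without an ACL are open to everyone")
    return findings


def scan_authorizer_log(text: str) -> List[Dict[str, str]]:
    """Return each Denied entry whose principal is ANONYMOUS, i.e. an unauthenticated
    client or broker hitting an ACL-protected resource."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("verdict") == "Denied" and m.group("principal") == "User:ANONYMOUS":
            hits.append(m.groupdict())
    return hits


def acl_principal_matches(acl_principal: str, cert_subject_rfc2253: str) -> bool:
    """Exact comparison, as SimpleAclAuthorizer does it: 'CN=a, OU=b' is not 'CN=a,OU=b'."""
    return acl_principal == "User:" + cert_subject_rfc2253


if __name__ == "__main__":
    for finding in audit_server_properties(SERVER_PROPERTIES) + audit_server_properties(PLAINTEXT_INTER_BROKER):
        print("FINDING:", finding)
    for hit in scan_authorizer_log(AUTHORIZER_LOG):
        print("ANONYMOUS denied:", hit["op"], "on", hit["resource"], "from", hit["host"])
    # The ACL as listed in the thread has a space after each comma; the certificate principal does not.
    posted_acl = "User:CN=writeuser, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"
    cert_subject = "CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown"
    print("posted ACL matches certificate principal:", acl_principal_matches(posted_acl, cert_subject))
```

Run it against a real server.properties and authorizer.log by replacing the constructed strings with file contents. Fixing the first two findings (ssl.client.auth=required on the broker, an authenticated inter-broker protocol) makes the principal in the DEBUG line change from User:ANONYMOUS to the certificate subject; the ACL then still has to match that subject character for character.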



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)