You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@kafka.apache.org by Derar Alassi <de...@gmail.com> on 2016/09/05 18:38:04 UTC
Authorization with Topic Wildcards
Hi all,
Although the documentation mentions that one can use wildcards with topic
ACLs, I couldn't get that to work. Essentially, I want to set an Allow
Read/Write ACL on topics com.domain.xyz.* to a certain user. This would
give this user Read/Write access to topics com.domain.xyz.abc and
com.domain.xyz.def .
I set an ACL using this command:
./kafka-acls.sh --authorizer-properties zookeeper.connect=<connection-str>
--add --allow-principal User:"user01" --topic com.domain.xyz.* --group
group01 --operation read
When I try to consume from the topic com.domain.xyz.abc using the same
user ID and group, I get NOT_AUTHORIZED error.
Anything I am missing?
Thanks,
Derar
Re: Authorization with Topic Wildcards
Posted by Derar Alassi <de...@gmail.com>.
Yes, I am running it from the command line. Zookeeper has *com.domain.xyz.**
under /kafka-acl node. So it looks like it's being added correctly. I
actually allowed some time for ACL propagation to the Kafka brokers.
On Mon, Sep 5, 2016 at 11:42 AM, Tom Crayford <tc...@heroku.com> wrote:
> if you're running that at a bash or similar shell, you need to quote the
> "*" so that bash doesn't expand it as a glob:
>
> ./kafka-acls.sh --authorizer-properties zookeeper.connect=<connection-str>
> --add --allow-principal User:"user01" --topic 'com.domain.xyz.*' --group
> group01 --operation read
>
> It may be instructive to look at what data is in zookeeper for the acls to
> debug this.
>
> On Mon, Sep 5, 2016 at 7:38 PM, Derar Alassi <de...@gmail.com>
> wrote:
>
> > Hi all,
> >
> > Although the documentation mentions that one can use wildcards with topic
> > ACLs, I couldn't get that to work. Essentially, I want to set an Allow
> > Read/Write ACL on topics com.domain.xyz.* to a certain user. This would
> > give this user Read/Write access to topics com.domain.xyz.abc and
> > com.domain.xyz.def .
> >
> > I set an ACL using this command:
> > ./kafka-acls.sh --authorizer-properties zookeeper.connect=<connection-
> str>
> > --add --allow-principal User:"user01" --topic com.domain.xyz.* --group
> > group01 --operation read
> >
> > When I try to consume from the topic com.domain.xyz.abc using the same
> > user ID and group, I get NOT_AUTHORIZED error.
> >
> > Anything I am missing?
> >
> > Thanks,
> > Derar
> >
>
Re: Authorization with Topic Wildcards
Posted by Tom Crayford <tc...@heroku.com>.
if you're running that at a bash or similar shell, you need to quote the
"*" so that bash doesn't expand it as a glob:
./kafka-acls.sh --authorizer-properties zookeeper.connect=<connection-str>
--add --allow-principal User:"user01" --topic 'com.domain.xyz.*' --group
group01 --operation read
It may be instructive to look at what data is in zookeeper for the acls to
debug this.
On Mon, Sep 5, 2016 at 7:38 PM, Derar Alassi <de...@gmail.com> wrote:
> Hi all,
>
> Although the documentation mentions that one can use wildcards with topic
> ACLs, I couldn't get that to work. Essentially, I want to set an Allow
> Read/Write ACL on topics com.domain.xyz.* to a certain user. This would
> give this user Read/Write access to topics com.domain.xyz.abc and
> com.domain.xyz.def .
>
> I set an ACL using this command:
> ./kafka-acls.sh --authorizer-properties zookeeper.connect=<connection-str>
> --add --allow-principal User:"user01" --topic com.domain.xyz.* --group
> group01 --operation read
>
> When I try to consume from the topic com.domain.xyz.abc using the same
> user ID and group, I get NOT_AUTHORIZED error.
>
> Anything I am missing?
>
> Thanks,
> Derar
>
Re: Authorization with Topic Wildcards
Posted by Ismael Juma <is...@juma.me.uk>.
Hi Samuel,
I am not aware of a JIRA for it. This has been discussed a few times, but I
don't think anyone is actively working on it.
Ismael
On Tue, Sep 6, 2016 at 7:22 PM, Samuel Taylor <st...@square-root.com>
wrote:
> Is there a ticket to extend wildcard topic ACL support to include the use
> case Derar originally mentioned? And/or are there plans to?
>
> On Mon, Sep 5, 2016 at 3:43 PM, Ismael Juma <is...@juma.me.uk> wrote:
>
> > Hi Derar,
> >
> > The support for wildcards is limited to `*` at this point. Sorry for the
> > confusion. If you're interested to submit a PR to clarify the
> > documentation, that would be great. :)
> >
> > Ismael
> >
> > On Mon, Sep 5, 2016 at 7:38 PM, Derar Alassi <de...@gmail.com>
> > wrote:
> >
> > > Hi all,
> > >
> > > Although the documentation mentions that one can use wildcards with
> topic
> > > ACLs, I couldn't get that to work. Essentially, I want to set an Allow
> > > Read/Write ACL on topics com.domain.xyz.* to a certain user. This would
> > > give this user Read/Write access to topics com.domain.xyz.abc and
> > > com.domain.xyz.def .
> > >
> > > I set an ACL using this command:
> > > ./kafka-acls.sh --authorizer-properties zookeeper.connect=<connection-
> > str>
> > > --add --allow-principal User:"user01" --topic com.domain.xyz.*
> --group
> > > group01 --operation read
> > >
> > > When I try to consume from the topic com.domain.xyz.abc using the same
> > > user ID and group, I get NOT_AUTHORIZED error.
> > >
> > > Anything I am missing?
> > >
> > > Thanks,
> > > Derar
> > >
> >
>
>
>
> --
> *Samuel Taylor*
> Data Science
>
> *Square Root, Inc. <http://square-root.com/>*
> <http://square-root.com/>Square-Root.com <http://square-root.com/>
>
Re: Authorization with Topic Wildcards
Posted by Samuel Taylor <st...@square-root.com>.
Is there a ticket to extend wildcard topic ACL support to include the use
case Derar originally mentioned? And/or are there plans to?
On Mon, Sep 5, 2016 at 3:43 PM, Ismael Juma <is...@juma.me.uk> wrote:
> Hi Derar,
>
> The support for wildcards is limited to `*` at this point. Sorry for the
> confusion. If you're interested to submit a PR to clarify the
> documentation, that would be great. :)
>
> Ismael
>
> On Mon, Sep 5, 2016 at 7:38 PM, Derar Alassi <de...@gmail.com>
> wrote:
>
> > Hi all,
> >
> > Although the documentation mentions that one can use wildcards with topic
> > ACLs, I couldn't get that to work. Essentially, I want to set an Allow
> > Read/Write ACL on topics com.domain.xyz.* to a certain user. This would
> > give this user Read/Write access to topics com.domain.xyz.abc and
> > com.domain.xyz.def .
> >
> > I set an ACL using this command:
> > ./kafka-acls.sh --authorizer-properties zookeeper.connect=<connection-
> str>
> > --add --allow-principal User:"user01" --topic com.domain.xyz.* --group
> > group01 --operation read
> >
> > When I try to consume from the topic com.domain.xyz.abc using the same
> > user ID and group, I get NOT_AUTHORIZED error.
> >
> > Anything I am missing?
> >
> > Thanks,
> > Derar
> >
>
--
*Samuel Taylor*
Data Science
*Square Root, Inc. <http://square-root.com/>*
<http://square-root.com/>Square-Root.com <http://square-root.com/>
Re: Authorization with Topic Wildcards
Posted by Derar Alassi <de...@gmail.com>.
Definitely worth putting it there. I will find some time soon to do it.
This is the least I can do!
Thanks guys for the quick feedback.
Derar
On Mon, Sep 5, 2016 at 1:43 PM, Ismael Juma <is...@juma.me.uk> wrote:
> Hi Derar,
>
> The support for wildcards is limited to `*` at this point. Sorry for the
> confusion. If you're interested to submit a PR to clarify the
> documentation, that would be great. :)
>
> Ismael
>
> On Mon, Sep 5, 2016 at 7:38 PM, Derar Alassi <de...@gmail.com>
> wrote:
>
> > Hi all,
> >
> > Although the documentation mentions that one can use wildcards with topic
> > ACLs, I couldn't get that to work. Essentially, I want to set an Allow
> > Read/Write ACL on topics com.domain.xyz.* to a certain user. This would
> > give this user Read/Write access to topics com.domain.xyz.abc and
> > com.domain.xyz.def .
> >
> > I set an ACL using this command:
> > ./kafka-acls.sh --authorizer-properties zookeeper.connect=<connection-
> str>
> > --add --allow-principal User:"user01" --topic com.domain.xyz.* --group
> > group01 --operation read
> >
> > When I try to consume from the topic com.domain.xyz.abc using the same
> > user ID and group, I get NOT_AUTHORIZED error.
> >
> > Anything I am missing?
> >
> > Thanks,
> > Derar
> >
>
Re: Authorization with Topic Wildcards
Posted by Ismael Juma <is...@juma.me.uk>.
Hi Derar,
The support for wildcards is limited to `*` at this point. Sorry for the
confusion. If you're interested to submit a PR to clarify the
documentation, that would be great. :)
Ismael
On Mon, Sep 5, 2016 at 7:38 PM, Derar Alassi <de...@gmail.com> wrote:
> Hi all,
>
> Although the documentation mentions that one can use wildcards with topic
> ACLs, I couldn't get that to work. Essentially, I want to set an Allow
> Read/Write ACL on topics com.domain.xyz.* to a certain user. This would
> give this user Read/Write access to topics com.domain.xyz.abc and
> com.domain.xyz.def .
>
> I set an ACL using this command:
> ./kafka-acls.sh --authorizer-properties zookeeper.connect=<connection-str>
> --add --allow-principal User:"user01" --topic com.domain.xyz.* --group
> group01 --operation read
>
> When I try to consume from the topic com.domain.xyz.abc using the same
> user ID and group, I get NOT_AUTHORIZED error.
>
> Anything I am missing?
>
> Thanks,
> Derar
>