Posted to users@kafka.apache.org by Derar Alassi <de...@gmail.com> on 2016/09/05 18:38:04 UTC

Authorization with Topic Wildcards

Hi all,

Although the documentation mentions that one can use wildcards with topic
ACLs, I couldn't get that to work. Essentially, I want to set an Allow
Read/Write ACL on topics com.domain.xyz.* to a certain user. This would
give this user Read/Write access to topics com.domain.xyz.abc and
com.domain.xyz.def .

I set an ACL using this command:
./kafka-acls.sh --authorizer-properties zookeeper.connect=<connection-str>
--add --allow-principal User:"user01"   --topic com.domain.xyz.* --group
group01 --operation read

When I try to consume from the topic com.domain.xyz.abc  using the same
user ID and group, I get NOT_AUTHORIZED error.

Anything I am missing?

Thanks,
Derar

Re: Authorization with Topic Wildcards

Posted by Derar Alassi <de...@gmail.com>.
Yes, I am running it from the command line. Zookeeper has com.domain.xyz.*
under /kafka-acl node. So it looks like it's being added correctly. I
actually allowed some time for ACL propagation to the Kafka brokers.



On Mon, Sep 5, 2016 at 11:42 AM, Tom Crayford <tc...@heroku.com> wrote:

> if you're running that at a bash or similar shell, you need to quote the
> "*" so that bash doesn't expand it as a glob:
>
> ./kafka-acls.sh --authorizer-properties zookeeper.connect=<connection-str>
> --add --allow-principal User:"user01"   --topic 'com.domain.xyz.*' --group
> group01 --operation read
>
> It may be instructive to look at what data is in zookeeper for the acls to
> debug this.
>
> On Mon, Sep 5, 2016 at 7:38 PM, Derar Alassi <de...@gmail.com>
> wrote:
>
> > Hi all,
> >
> > Although the documentation mentions that one can use wildcards with topic
> > ACLs, I couldn't get that to work. Essentially, I want to set an Allow
> > Read/Write ACL on topics com.domain.xyz.* to a certain user. This would
> > give this user Read/Write access to topics com.domain.xyz.abc and
> > com.domain.xyz.def .
> >
> > I set an ACL using this command:
> > ./kafka-acls.sh --authorizer-properties zookeeper.connect=<connection-str>
> > --add --allow-principal User:"user01"   --topic com.domain.xyz.* --group
> > group01 --operation read
> >
> > When I try to consume from the topic com.domain.xyz.abc  using the same
> > user ID and group, I get NOT_AUTHORIZED error.
> >
> > Anything I am missing?
> >
> > Thanks,
> > Derar
> >
>

Re: Authorization with Topic Wildcards

Posted by Tom Crayford <tc...@heroku.com>.
if you're running that at a bash or similar shell, you need to quote the
"*" so that bash doesn't expand it as a glob:

./kafka-acls.sh --authorizer-properties zookeeper.connect=<connection-str>
--add --allow-principal User:"user01"   --topic 'com.domain.xyz.*' --group
group01 --operation read

It may be instructive to look at what data is in zookeeper for the acls to
debug this.

On Mon, Sep 5, 2016 at 7:38 PM, Derar Alassi <de...@gmail.com> wrote:

> Hi all,
>
> Although the documentation mentions that one can use wildcards with topic
> ACLs, I couldn't get that to work. Essentially, I want to set an Allow
> Read/Write ACL on topics com.domain.xyz.* to a certain user. This would
> give this user Read/Write access to topics com.domain.xyz.abc and
> com.domain.xyz.def .
>
> I set an ACL using this command:
> ./kafka-acls.sh --authorizer-properties zookeeper.connect=<connection-str>
> --add --allow-principal User:"user01"   --topic com.domain.xyz.* --group
> group01 --operation read
>
> When I try to consume from the topic com.domain.xyz.abc  using the same
> user ID and group, I get NOT_AUTHORIZED error.
>
> Anything I am missing?
>
> Thanks,
> Derar
>
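
Added example, not part of the original thread: the quoting point in Tom's reply, shown by printing the arguments a command actually receives for `--topic com.domain.xyz.*`. The directories and file names are constructed; with no matching files the shell passes the pattern through unchanged, which is consistent with ZooKeeper holding the literal com.domain.xyz.* as Derar reports.

```shell
#!/bin/sh
# Constructed demo: which arguments a command receives for
# --topic com.domain.xyz.* depending on quoting and on the files
# present in the working directory.

# Print each received argument on its own line.
print_args() {
    for a in "$@"; do printf '%s\n' "$a"; done
}

# argv_seen <dir> <quoted|unquoted>: run inside <dir>, report the arguments.
argv_seen() {
    (
        cd "$1" || exit 1
        if [ "$2" = quoted ]; then
            print_args --topic 'com.domain.xyz.*'
        else
            # Deliberately unquoted: the shell expands the glob if files match.
            print_args --topic com.domain.xyz.*
        fi
    )
}

# Constructed working directories: one empty, one holding files whose
# names happen to match the pattern.
empty_dir=$(mktemp -d)
files_dir=$(mktemp -d)
trap 'rm -rf "$empty_dir" "$files_dir"' EXIT
touch "$files_dir/com.domain.xyz.abc" "$files_dir/com.domain.xyz.def"

echo "unquoted, no matching files:"; argv_seen "$empty_dir" unquoted
echo "unquoted, matching files:";    argv_seen "$files_dir" unquoted
echo "quoted, matching files:";      argv_seen "$files_dir" quoted
```

Only the second case changes what the tool sees: the single pattern is replaced by the two file names, so the topic argument is no longer the intended resource name.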

Re: Authorization with Topic Wildcards

Posted by Ismael Juma <is...@juma.me.uk>.
Hi Samuel,

I am not aware of a JIRA for it. This has been discussed a few times, but I
don't think anyone is actively working on it.

Ismael

On Tue, Sep 6, 2016 at 7:22 PM, Samuel Taylor <st...@square-root.com>
wrote:

> Is there a ticket to extend wildcard topic ACL support to include the use
> case Derar originally mentioned? And/or are there plans to?
>
> On Mon, Sep 5, 2016 at 3:43 PM, Ismael Juma <is...@juma.me.uk> wrote:
>
> > Hi Derar,
> >
> > The support for wildcards is limited to `*` at this point. Sorry for the
> > confusion. If you're interested to submit a PR to clarify the
> > documentation, that would be great. :)
> >
> > Ismael
> >
> > On Mon, Sep 5, 2016 at 7:38 PM, Derar Alassi <de...@gmail.com>
> > wrote:
> >
> > > Hi all,
> > >
> > > Although the documentation mentions that one can use wildcards with topic
> > > ACLs, I couldn't get that to work. Essentially, I want to set an Allow
> > > Read/Write ACL on topics com.domain.xyz.* to a certain user. This would
> > > give this user Read/Write access to topics com.domain.xyz.abc and
> > > com.domain.xyz.def .
> > >
> > > I set an ACL using this command:
> > > ./kafka-acls.sh --authorizer-properties zookeeper.connect=<connection-str>
> > > --add --allow-principal User:"user01"   --topic com.domain.xyz.* --group
> > > group01 --operation read
> > >
> > > When I try to consume from the topic com.domain.xyz.abc  using the same
> > > user ID and group, I get NOT_AUTHORIZED error.
> > >
> > > Anything I am missing?
> > >
> > > Thanks,
> > > Derar
> > >
> >
>
>
>
> --
> *Samuel Taylor*
> Data Science
>
> *Square Root, Inc. <http://square-root.com/>*
> Square-Root.com <http://square-root.com/>
>

Re: Authorization with Topic Wildcards

Posted by Samuel Taylor <st...@square-root.com>.
Is there a ticket to extend wildcard topic ACL support to include the use
case Derar originally mentioned? And/or are there plans to?

On Mon, Sep 5, 2016 at 3:43 PM, Ismael Juma <is...@juma.me.uk> wrote:

> Hi Derar,
>
> The support for wildcards is limited to `*` at this point. Sorry for the
> confusion. If you're interested to submit a PR to clarify the
> documentation, that would be great. :)
>
> Ismael
>
> On Mon, Sep 5, 2016 at 7:38 PM, Derar Alassi <de...@gmail.com>
> wrote:
>
> > Hi all,
> >
> > Although the documentation mentions that one can use wildcards with topic
> > ACLs, I couldn't get that to work. Essentially, I want to set an Allow
> > Read/Write ACL on topics com.domain.xyz.* to a certain user. This would
> > give this user Read/Write access to topics com.domain.xyz.abc and
> > com.domain.xyz.def .
> >
> > I set an ACL using this command:
> > ./kafka-acls.sh --authorizer-properties zookeeper.connect=<connection-str>
> > --add --allow-principal User:"user01"   --topic com.domain.xyz.* --group
> > group01 --operation read
> >
> > When I try to consume from the topic com.domain.xyz.abc  using the same
> > user ID and group, I get NOT_AUTHORIZED error.
> >
> > Anything I am missing?
> >
> > Thanks,
> > Derar
> >
>



-- 
*Samuel Taylor*
Data Science

*Square Root, Inc. <http://square-root.com/>*
Square-Root.com <http://square-root.com/>

Re: Authorization with Topic Wildcards

Posted by Derar Alassi <de...@gmail.com>.
Definitely worth putting it there. I will find some time soon to do it.
This is the least I can do!

Thanks guys for the quick feedback.

Derar

On Mon, Sep 5, 2016 at 1:43 PM, Ismael Juma <is...@juma.me.uk> wrote:

> Hi Derar,
>
> The support for wildcards is limited to `*` at this point. Sorry for the
> confusion. If you're interested to submit a PR to clarify the
> documentation, that would be great. :)
>
> Ismael
>
> On Mon, Sep 5, 2016 at 7:38 PM, Derar Alassi <de...@gmail.com>
> wrote:
>
> > Hi all,
> >
> > Although the documentation mentions that one can use wildcards with topic
> > ACLs, I couldn't get that to work. Essentially, I want to set an Allow
> > Read/Write ACL on topics com.domain.xyz.* to a certain user. This would
> > give this user Read/Write access to topics com.domain.xyz.abc and
> > com.domain.xyz.def .
> >
> > I set an ACL using this command:
> > ./kafka-acls.sh --authorizer-properties zookeeper.connect=<connection-str>
> > --add --allow-principal User:"user01"   --topic com.domain.xyz.* --group
> > group01 --operation read
> >
> > When I try to consume from the topic com.domain.xyz.abc  using the same
> > user ID and group, I get NOT_AUTHORIZED error.
> >
> > Anything I am missing?
> >
> > Thanks,
> > Derar
> >
>

Re: Authorization with Topic Wildcards

Posted by Ismael Juma <is...@juma.me.uk>.
Hi Derar,

The support for wildcards is limited to `*` at this point. Sorry for the
confusion. If you're interested to submit a PR to clarify the
documentation, that would be great. :)

Ismael

On Mon, Sep 5, 2016 at 7:38 PM, Derar Alassi <de...@gmail.com> wrote:

> Hi all,
>
> Although the documentation mentions that one can use wildcards with topic
> ACLs, I couldn't get that to work. Essentially, I want to set an Allow
> Read/Write ACL on topics com.domain.xyz.* to a certain user. This would
> give this user Read/Write access to topics com.domain.xyz.abc and
> com.domain.xyz.def .
>
> I set an ACL using this command:
> ./kafka-acls.sh --authorizer-properties zookeeper.connect=<connection-str>
> --add --allow-principal User:"user01"   --topic com.domain.xyz.* --group
> group01 --operation read
>
> When I try to consume from the topic com.domain.xyz.abc  using the same
> user ID and group, I get NOT_AUTHORIZED error.
>
> Anything I am missing?
>
> Thanks,
> Derar
>
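
Added example, not part of the original thread and not Kafka's own code: a shell model of the matching rule Ismael describes (only a resource name of exactly `*` is a wildcard), plus a generator that prints one explicit kafka-acls.sh command per topic under a prefix. The function names and the topic list are hypothetical; the flags and the `<connection-str>` placeholder are the ones used in the thread.

```shell
#!/bin/sh
# Added illustration; function names and the topic list are hypothetical.

# acl_resource_matches <acl-resource-name> <topic>
# Model of the rule stated in the thread: a resource name of exactly "*"
# matches every topic; any other name is compared literally.
acl_resource_matches() {
    [ "$1" = '*' ] || [ "$1" = "$2" ]
}

# explicit_acl_commands <prefix> <user> <group> <operation>
# Reads topic names on stdin and prints (does not run) one kafka-acls.sh
# command for each topic whose name starts with <prefix>.
explicit_acl_commands() {
    prefix=$1 user=$2 group=$3 op=$4
    base='./kafka-acls.sh --authorizer-properties zookeeper.connect=<connection-str>'
    while IFS= read -r topic; do
        case $topic in
            ''|*[!A-Za-z0-9._-]*) continue ;;  # skip anything that is not a plain topic name
            "$prefix"*) ;;                      # literal prefix match (prefix is quoted)
            *) continue ;;
        esac
        printf "%s --add --allow-principal User:%s --topic '%s' --group %s --operation %s\n" \
            "$base" "$user" "$topic" "$group" "$op"
    done
}

# Constructed topic list for the demo.
topics='com.domain.xyz.abc
com.domain.xyz.def
com.domain.other'

# An ACL stored under the name com.domain.xyz.* matches none of these topics.
for t in $topics; do
    if acl_resource_matches 'com.domain.xyz.*' "$t"; then r='match'; else r='no match'; fi
    printf 'ACL resource com.domain.xyz.* vs topic %s: %s\n' "$t" "$r"
done

# Per-topic commands covering the intended prefix.
printf '%s\n' "$topics" | explicit_acl_commands 'com.domain.xyz.' user01 group01 read
```

The generated commands grant access only to topics that exist when the list is taken, so a topic created later under the same prefix needs its own ACL.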