You are viewing a plain text version of this content. The canonical link for it is here.

Posted to jira@kafka.apache.org by "Soyee Deng (JIRA)" <ji...@apache.org> on 2018/05/30 23:50:00 UTC

[jira] [Created] (KAFKA-6972) Kafka ACL does not work expected with wildcard

Soyee Deng created KAFKA-6972:
---------------------------------

             Summary: Kafka ACL does not work expected with wildcard
                 Key: KAFKA-6972
                 URL: https://issues.apache.org/jira/browse/KAFKA-6972
             Project: Kafka
          Issue Type: Bug
          Components: security
    Affects Versions: 0.11.0.0
         Environment: OS : CentOS 7, 64bit.

Confluent : 3.3, Kafka 0.11.
            Reporter: Soyee Deng


Just started with Confluent 3.3 platform and Kafka 0.11 with SSL as transportation security and Kerberos to restrict the access control based on the holding principals. In order to make life easier, wildcard is extensively used in my environment. But it turned out that is not working as expected. 

 

My issue is that when I run the command _kafka-acls_ under one directory with some files, this command would pick up the name of first file name as the topic name or group name. e.g. In my case, abcd.txt would be chosen while giving my principal the permissions of consuming message from any topic with any group Id.

[quality@data-pipeline-1 test_dir]$ KAFKA_OPTS=-Djava.security.auth.login.config='/etc/security/jaas/broker-jaas.conf' kafka-acls --authorizer-properties zookeeper.connect=data-pipeline-1.orion.com:2181 --add --allow-principal User:connect-consumer --consumer --topic * --group *
Adding ACLs for resource `Topic:abcd.txt`:
 User:connect-consumer has Allow permission for operations: Describe from hosts: *
 User:connect-consumer has Allow permission for operations: Read from hosts: *

Adding ACLs for resource `Group:abcd.txt`:
 User:connect-consumer has Allow permission for operations: Read from hosts: *

Current ACLs for resource `Topic:abcd.txt`:
 User:connect-consumer has Allow permission for operations: Describe from hosts: *
 User:connect-consumer has Allow permission for operations: Read from hosts: *
 User:connect-consumer has Allow permission for operations: Write from hosts: *

Current ACLs for resource `Group:abcd.txt`:
 User:connect-consumer has Allow permission for operations: Read from hosts: *

 

My current work around solution is to go another empty directory and run above command, it works as expected. 

 

 

 

 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)