Posted to users@kafka.apache.org by Bastien Durel <ba...@data.fr> on 2017/09/26 14:30:38 UTC

ACL for hosts

Hello,

I want to allow any user to consume messages from any host, but
restrict publishing to only one host (and one user), so I think I
need ACLs.

I use the default authorizer:
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer

I added the following ACLs to allow anyone to read from anywhere:
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --consumer --topic test --allow-principal 'User:*' --group '*'

And I've verified I can consume messages from any host (using a small
Python client).

I then added an ACL to permit alice to publish from 127.0.0.1:
User:alice has Allow permission for operations: All from hosts: 127.0.0.1

And messages posted from localhost (with another Python script) flow
to any consumer.

But if I add a remote machine ACL:
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --topic test --allow-principal User:alice --allow-host 10.42.42.3
Adding ACLs for resource `Topic:test`: 
 	User:alice has Allow permission for operations: All from hosts: 10.42.42.3 

Current ACLs for resource `Topic:test`: 
 	User:* has Allow permission for operations: Describe from hosts: *
	User:* has Allow permission for operations: Read from hosts: *
	User:alice has Allow permission for operations: All from hosts: 10.42.42.3
	User:alice has Allow permission for operations: All from hosts: 127.0.0.1 

All looks correct, but messages sent from this host don't flow to
the consumer(s).
I can see them leave on the wire, and I get a response that Wireshark
doesn't know how to decode, but the consumers don't get anything.

Removing the 127.0.0.1 ACL leads to the same result (messages sent to
(local) wire but not delivered to consumers), but adding it back leads
to the intended behaviour (messages delivered)

I tried with IP, FQDN, hostname; I cannot get my messages from
10.42.42.3 to be delivered.
Except if I add an ACL with --allow-host \*; in that case messages
from 10.42.42.3 get delivered.

I use kafka 0.10.2.0

Do you have any clue? How can I debug this issue?

Thanks,

-- 
Bastien Durel
DATA
Enterprise data integration,
decision-support information systems.

bastien.durel@data.fr
tel : +33 (0) 1 57 19 59 28
fax : +33 (0) 1 57 19 59 73
12 avenue Raspail, 94250 GENTILLY France
www.data.fr

Re: ACL for hosts

Posted by Bastien Durel <ba...@data.fr>.
On Tuesday, 26 September 2017 at 16:30 +0200, Bastien Durel wrote:
> Hello,
> 
> I want to allow any user to consume messages from any host, but
> restrict publishing to only one host (and one user), so I think I
> need ACLs.
> 
> I use the default authorizer:
> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
> 
> I added the following ACLs to allow anyone to read from anywhere:
> bin/kafka-acls.sh --authorizer-properties
> zookeeper.connect=localhost:2181 --add --consumer --topic test --
> allow-principal 'User:*' --group '*'
> 
> And I've verified I can consume messages from any host (using a small
> Python client).
> 
> I then added an ACL to permit alice to publish from 127.0.0.1:
> User:alice has Allow permission for operations: All from hosts:
> 127.0.0.1
> 
> And messages posted from localhost (with another Python script) flow
> to any consumer.
> 
> But if I add a remote machine ACL:
> bin/kafka-acls.sh --authorizer-properties
> zookeeper.connect=localhost:2181 --add --topic test --allow-principal 
> User:alice --allow-host 10.42.42.3
> Adding ACLs for resource `Topic:test`: 
>  	User:alice has Allow permission for operations: All from
> hosts: 10.42.42.3 
> 
> Current ACLs for resource `Topic:test`: 
>  	User:* has Allow permission for operations: Describe from
> hosts: *
> 	User:* has Allow permission for operations: Read from hosts: *
> 	User:alice has Allow permission for operations: All from hosts:
> 10.42.42.3
> 	User:alice has Allow permission for operations: All from hosts:
> 127.0.0.1 
> 
> All looks correct, but messages sent from this host don't flow to
> the consumer(s).
> I can see them leave on the wire, and I get a response that Wireshark
> doesn't know how to decode, but the consumers don't get anything.
> 
> Removing the 127.0.0.1 ACL leads to the same result (messages sent to
> (local) wire but not delivered to consumers), but adding it back
> leads
> to the intended behaviour (messages delivered)
> 
> I tried with IP, FQDN, hostname; I cannot get my messages from
> 10.42.42.3 to be delivered.
> Except if I add an ACL with --allow-host \*; in that case messages
> from 10.42.42.3 get delivered.
> 
> I use kafka 0.10.2.0
> 
> Do you have any clue? How can I debug this issue?
> 
> Thanks,
> 
There is a router that masquerades my IP; that was the problem...
Sorry for the noise.

Regards,

-- 
Bastien Durel
DATA
Enterprise data integration,
decision-support information systems.

bastien.durel@data.fr
tel : +33 (0) 1 57 19 59 28
fax : +33 (0) 1 57 19 59 73
12 avenue Raspail, 94250 GENTILLY France
www.data.fr
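The thread resolves itself once the masquerading router is found, but the failure is worth stepping through, because host-scoped ACLs in Kafka are only as good as the source address the broker actually sees. In 0.10.x, SimpleAclAuthorizer compares the `--allow-host` string against the numeric address of the client connection (`InetAddress.getHostAddress`), so a hostname or FQDN in an ACL never matches, a principal and a host must match inside the same ACL entry, Deny entries win over Allow, and Read/Write/Delete/Alter on a resource imply Describe. The model below is an added example written for this page, not Kafka code; it re-implements those matching rules in plain Python over the exact ACL set printed for `Topic:test` above, so the denial from behind NAT, the `--allow-host *` workaround (which silently discards the host restriction) and a least-privilege alternative (Write instead of All) can be evaluated offline. The NAT address `10.42.42.1` and the principal `User:bob` are constructed values, not from the thread.

```python
"""Model of how Kafka 0.10's SimpleAclAuthorizer matches host-scoped ACLs.

Added example for the thread above; it is not Kafka code. It reproduces the
matching rules (principal, host and operation must all match inside one ACL
entry; Deny beats Allow; Read/Write/Delete/Alter imply Describe) so the
failure discussed in the thread can be stepped through offline.
"""
from dataclasses import dataclass
from typing import List, Tuple

WILDCARD = "*"
# Allowing any of these on a resource implicitly allows Describe on it.
IMPLY_DESCRIBE = ("Read", "Write", "Delete", "Alter")


@dataclass(frozen=True)
class Acl:
    principal: str             # "User:alice" or the wildcard principal "User:*"
    host: str                  # numeric client address as the broker sees it, or "*"
    operation: str             # "Read", "Write", "Describe", ... or "All"
    permission: str = "Allow"  # "Allow" or "Deny"

    def field_matches(self, principal: str, host: str, operation: str) -> Tuple[bool, bool, bool]:
        """Per-field match result, used to explain why an entry did not apply."""
        return (
            self.principal in (principal, "User:" + WILDCARD),
            self.host in (host, WILDCARD),
            self.operation in (operation, "All"),
        )

    def matches(self, principal: str, host: str, operation: str) -> bool:
        return all(self.field_matches(principal, host, operation))


def authorize(acls: List[Acl], principal: str, host: str, operation: str,
              allow_everyone_if_no_acl: bool = False) -> bool:
    """Decide one request against the ACLs of a single resource.

    `host` is the source address the *broker* observes for the TCP session,
    which is what the authorizer compares against --allow-host. Behind NAT or
    masquerading this is the router's address, not the client's own.
    """
    if not acls:
        return allow_everyone_if_no_acl
    if any(a.permission == "Deny" and a.matches(principal, host, operation) for a in acls):
        return False
    wanted = (operation,) + (IMPLY_DESCRIBE if operation == "Describe" else ())
    return any(a.permission == "Allow" and a.matches(principal, host, op)
               for a in acls for op in wanted)


def explain(acls: List[Acl], principal: str, host: str, operation: str) -> List[str]:
    """One line per ACL entry naming the fields that failed, for debugging a denial."""
    lines = []
    for a in acls:
        p, h, o = a.field_matches(principal, host, operation)
        failed = [name for name, ok in (("principal", p), ("host", h), ("operation", o)) if not ok]
        lines.append(f"{a.principal} {a.permission} {a.operation} from {a.host}: "
                     + ("MATCH" if not failed else "no match on " + ", ".join(failed)))
    return lines


# The ACL set printed for Topic:test in the thread.
TOPIC_TEST_ACLS = [
    Acl("User:*", "*", "Describe"),
    Acl("User:*", "*", "Read"),
    Acl("User:alice", "10.42.42.3", "All"),
    Acl("User:alice", "127.0.0.1", "All"),
]

# Constructed address: what the broker sees once a masquerading router
# rewrites the source of 10.42.42.3 (assumed value, not from the thread).
NAT_ADDRESS = "10.42.42.1"


def thread_scenarios() -> dict:
    """Requests from the thread, evaluated against TOPIC_TEST_ACLS."""
    a = TOPIC_TEST_ACLS
    return {
        "anyone reads from anywhere": authorize(a, "User:bob", "192.0.2.10", "Read"),
        "alice writes from localhost": authorize(a, "User:alice", "127.0.0.1", "Write"),
        "alice writes from 10.42.42.3 seen directly": authorize(a, "User:alice", "10.42.42.3", "Write"),
        "alice writes from 10.42.42.3 behind NAT": authorize(a, "User:alice", NAT_ADDRESS, "Write"),
        "bob writes from 10.42.42.3": authorize(a, "User:bob", "10.42.42.3", "Write"),
        "alice writes with --allow-host * added": authorize(
            a + [Acl("User:alice", "*", "All")], "User:alice", NAT_ADDRESS, "Write"),
    }


def least_privilege_acls() -> List[Acl]:
    """Same intent with Write instead of All for the producer (Describe is implied)."""
    return [
        Acl("User:*", "*", "Read"),
        Acl("User:*", "*", "Describe"),
        Acl("User:alice", "10.42.42.3", "Write"),
    ]


if __name__ == "__main__":
    for name, allowed in thread_scenarios().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}")
    print("\nWhy the NAT case is denied:")
    for line in explain(TOPIC_TEST_ACLS, "User:alice", NAT_ADDRESS, "Write"):
        print("  " + line)
```

Running the script shows the two entries for alice failing on `host` alone in the NAT case, which is the quickest way to tell a wrong-address problem from a wrong-principal one. Note that `--allow-host *` makes the write succeed only by dropping the host restriction entirely; if the producer must be pinned to one machine, the fix is to grant the address the broker actually observes (or to avoid the NAT path), and to grant Write rather than All so alice cannot also Delete or Alter the topic.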