You need to set ssl.client.auth="required" in server.properties.

Regards,

Rajini

On Wed, Dec 14, 2016 at 12:12 AM, Raghu B <raghu98...@gmail.com> wrote:
> Hi All,
>
> I am trying to enable ACLs in my Kafka cluster along with the SSL
> protocol.
>
> I tried with each and every parameter but no luck, so I need help to
> enable SSL (without Kerberos). I am attaching all the configuration
> details in this.
>
> Kindly help me.
>
> I tested SSL without ACL, it worked fine
> (listeners=SSL://10.247.195.122:9093)
>
> This is my Kafka server properties file:
>
> ############################# ACL SETTINGS #############################
> auto.create.topics.enable=true
> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
> security.inter.broker.protocol=SSL
> #allow.everyone.if.no.acl.found=true
> #principal.builder.class=CustomizedPrincipalBuilderClass
> #super.users=User:"CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown"
> #super.users=User:Raghu;User:Admin
> #offsets.storage=kafka
> #dual.commit.enabled=true
> listeners=SSL://10.247.195.122:9093
> #listeners=PLAINTEXT://10.247.195.122:9092
> #listeners=PLAINTEXT://10.247.195.122:9092,SSL://10.247.195.122:9093
> #advertised.listeners=PLAINTEXT://10.247.195.122:9092
>
> ssl.keystore.location=/home/raghu/kafka/security/server.keystore.jks
> ssl.keystore.password=123456
> ssl.key.password=123456
> ssl.truststore.location=/home/raghu/kafka/security/server.truststore.jks
> ssl.truststore.password=123456
>
> Set the ACL from Authorizer CLI:
>
> bin/kafka-acls.sh --authorizer-properties zookeeper.connect=10.247.195.122:2181 --list --topic ssltopic
>
> Current ACLs for resource `Topic:ssltopic`:
>   User:CN=writeuser, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown has Allow permission for operations: Write from hosts: *
>
> XXXWMXXX-7:kafka_2.11-0.10.1.0 rbaddam$ bin/kafka-console-producer.sh --broker-list 10.247.195.122:9093 --topic ssltopic --producer.config client-ssl.properties
>
> [2016-12-13 14:53:45,839] WARN Error while fetching metadata with correlation id 0 : {ssltopic=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
> [2016-12-13 14:53:45,984] WARN Error while fetching metadata with correlation id 1 : {ssltopic=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
>
> XXXWMXXX-7:kafka_2.11-0.10.1.0 rbaddam$ cat client-ssl.properties
>
> #group.id=sslgroup
> security.protocol=SSL
> ssl.truststore.location=/Users/rbaddam/Desktop/Dev/kafka_2.11-0.10.1.0/ssl/client.truststore.jks
> ssl.truststore.password=123456
> #Configure Below if you use Client Auth
> ssl.keystore.location=/Users/rbaddam/Desktop/Dev/kafka_2.11-0.10.1.0/ssl/client.keystore.jks
> ssl.keystore.password=123456
> ssl.key.password=123456
>
> XXXWMXXX-7:kafka_2.11-0.10.1.0 rbaddam$ bin/kafka-console-consumer.sh --bootstrap-server 10.247.195.122:9093 --new-consumer --consumer.config client-ssl.properties --topic ssltopic --from-beginning
>
> [2016-12-13 14:53:28,817] WARN Error while fetching metadata with correlation id 1 : {ssltopic=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
> [2016-12-13 14:53:28,819] ERROR Unknown error when running consumer: (kafka.tools.ConsoleConsumer$)
> org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to access group: console-consumer-52826
>
> Thanks in advance,
>
> Raghu - raghu98...@gmail.com
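The broker-side fix Rajini points at, written out as an added example (editor's illustration, not configuration from Raghu or Rajini). Without `ssl.client.auth=required` the broker never asks the client for a certificate, so every SSL connection is authenticated as the principal `User:ANONYMOUS`, and that principal holds no ACL on `ssltopic` or on any consumer group. The snippet keeps the values posted above; the `super.users` DN is an assumption (the CN in server.keystore.jks is not shown in the thread) and must be replaced with the broker certificate's real DN.

```properties
# server.properties (broker) -- editor's example built from the settings posted above

listeners=SSL://10.247.195.122:9093
security.inter.broker.protocol=SSL
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer

# Keystore/truststore as posted. Once client auth is required, this truststore
# must also contain the CA that signed the *client* certificates, or the
# handshake itself fails before any ACL is consulted.
ssl.keystore.location=/home/raghu/kafka/security/server.keystore.jks
ssl.keystore.password=123456
ssl.key.password=123456
ssl.truststore.location=/home/raghu/kafka/security/server.truststore.jks
ssl.truststore.password=123456

# Weak (what the posted file effectively has: the key is absent, default "none"):
# ssl.client.auth=none
#   -> no client certificate is requested, every SSL client is User:ANONYMOUS,
#      so the Write ACL granted to User:CN=writeuser,... can never match.

# Corrected: require a client certificate and take the principal from its DN.
# Write the bare word; quotes in a .properties file become part of the value.
ssl.client.auth=required

# With client auth required, inter-broker connections are authenticated as the
# broker's own certificate DN as well, and those requests need ClusterAction.
# Listing the broker DN as a super user avoids replication/controller requests
# being denied. ASSUMED DN below: substitute the subject of server.keystore.jks.
super.users=User:CN=kafka-broker,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown
```

After this change the posted client-ssl.properties needs no edit beyond uncommenting `group.id=sslgroup`: with it commented out the console consumer invents a fresh name such as `console-consumer-52826` on every run, so no group ACL can be granted ahead of time. The consumer then needs Read on the topic and Read on the group, which the convenience flag grants in one call: `bin/kafka-acls.sh --authorizer-properties zookeeper.connect=10.247.195.122:2181 --add --allow-principal "User:CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown" --consumer --topic ssltopic --group sslgroup`. One check worth doing before chasing anything else: the principal string stored in the ACL must match, character for character, the DN the broker derives from the client certificate (Java's RFC 2253 rendering, with no spaces after the commas). Raising `kafka.authorizer.logger` from WARN to INFO in log4j.properties makes the authorizer log each denied operation together with the principal it actually saw, which shows immediately whether the client is arriving as `ANONYMOUS` or as a DN that does not match the ACL.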