>> could also be secured using SSL.
>>
>> Also remember not use any OS user, anyone user on n\w who can connect to
>> ZK host:port will be able to modify the ACLs.
>>
>> - Shri
>>
>> -Original Message-
>> From: Manoj Murumkar [mailto:manoj.murum...@gmail.com]
> Sent: Thursday, August 31, 2017 11:03 AM
> To: users@kafka.apache.org
> Subject: [EXTERNAL] Re: Using ACLs without Kerberos
>
> * Notice: This email was received from an external source *
>
> >> Current kafka-acls.sh script
.
- Shri
-Original Message-
From: Manoj Murumkar [mailto:manoj.murum...@gmail.com]
Sent: Thursday, August 31, 2017 11:03 AM
To: users@kafka.apache.org
Subject: [EXTERNAL] Re: Using ACLs without Kerberos
* Notice: This email was received from an external source *
>> Current kafka-acls.sh script directly contacts zookeeper to create ACLs.
Any OS user who got access to zookeeper can create ACLs for any Kafka
principal.
Thanks for that point. Appreciate it.
On Thu, Aug 31, 2017 at 8:29 AM, Manikumar
wrote:
There is no correlation between OS user and Kafka Principal/Username.
Here user name refers to the principal associated with the Kafka communication
channel (Kerberos Principal, SASL/Plain username, Scram username, SSL
certificate).
Current kafka-acls.sh script directly contacts zookeeper to create
Right, I am. Just to be clear, I am using kafka-acl script to define/remove
ACLs as a non-super user and it just works fine. I had expected it to work
only for super users and not for regular users ('nex37045' is a normal
user).
[nex37045@or1010051029033 ~]$ kafka-acls --authorizer
kafka.security.
Looks like you are already using the SASL/PLAIN mechanism. Kafka supports the SASL
authentication framework.
Kafka SASL supports GSSAPI (Kerberos), PLAIN or SCRAM mechanisms. You can
enable SSL encryption also.
http://kafka.apache.org/documentation.html#security
On Thu, Aug 31, 2017 at 7:28 PM, Manoj Mur
Thanks Manikumar. I am testing the setup documented here:
https://developer.ibm.com/opentech/2017/05/31/kafka-acls-in-practice/
(SASL_PLAINTEXT).
I haven't set up any authentication for the tests. Thinking about it,
authentication is a must-have for authorization (so, Kafka knows who's
making resou
Hi,
The Kafka default authorizer is used with secure authenticated channels
(SSL, SASL, SCRAM).
For plain text (non-secure) channels, the principal will always be
ANONYMOUS. Here you can authorize by IP address.
It's advised to run on secure channels. You can try SASL/PLAIN or SCRAM
mechanisms with/wit
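
The points raised across this thread can be checked against a broker's server.properties. The script below is an added example, not code from the thread or from the Kafka project; the sample config is constructed, and the function names are hypothetical. It assumes the stock Kafka broker settings listeners, listener.security.protocol.map, authorizer.class.name, zookeeper.set.acl and allow.everyone.if.no.acl.found.

```python
# Constructed sample broker config (not from the thread).
SAMPLE = """\
listeners=PLAINTEXT://0.0.0.0:9092,SASL_PLAINTEXT://0.0.0.0:9093
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
sasl.enabled.mechanisms=PLAIN
allow.everyone.if.no.acl.found=true
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def listener_protocols(props):
    """Security protocol of each listener, resolving custom listener names."""
    name_map = {}
    for pair in props.get("listener.security.protocol.map", "").split(","):
        if ":" in pair:
            name, proto = pair.split(":", 1)
            name_map[name.strip().upper()] = proto.strip().upper()
    # Assumption: with no listeners key the broker listens on PLAINTEXT.
    entries = props.get("listeners", "PLAINTEXT://:9092").split(",")
    names = [e.split("://", 1)[0].strip().upper() for e in entries]
    return [name_map.get(n, n) for n in names]

def audit(props):
    """Return findings for the gaps discussed in the thread."""
    findings = []
    authz = bool(props.get("authorizer.class.name"))
    protos = listener_protocols(props)
    if authz and "PLAINTEXT" in protos:
        findings.append("PLAINTEXT listener: principal is ANONYMOUS, ACLs can only match by IP")
    if "SASL_PLAINTEXT" in protos:
        findings.append("SASL_PLAINTEXT listener: authenticated but not encrypted, consider SASL_SSL")
    if authz and props.get("zookeeper.set.acl", "false").lower() != "true":
        findings.append("zookeeper.set.acl is not true: ACL znodes are open to anyone who can reach ZooKeeper")
    if props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append("allow.everyone.if.no.acl.found=true: resources without ACLs are open to all")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_properties(SAMPLE)):
        print("WARN", finding)
```

Setting zookeeper.set.acl=true only helps when the brokers also authenticate to ZooKeeper, so treat a clean result as a starting point rather than proof that the ACL store is protected.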