ssl.truststore.type=JKS
security.protocol=SSL
ssl.client.auth=required
# allow.everyone.if.no.acl.found=false
allow.everyone.if.no.acl.found=true
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:CN=KafkaBroker01
Thanks.
--Darshan
Anyone ?
On Mon, Dec 18, 2017 at 7:25 AM, Darshan
wrote:
> Hi
>
> I am wondering if there is a way to run the SSL and PLAINTEXT mode
> together ? I am running Kafka 10.2.1. We want our internal clients to use
> the PLAINTEXT mode to write to certain topics, but any external clien
ly if ACLs are
programmed for that topic.
Any idea if such a thing exists ?
Thanks.
On Tue, Dec 19, 2017 at 10:10 PM, Jaikiran Pai
wrote:
> What exact issue are you running into with those configs?
>
> -Jaikiran
>
>
>
> On 20/12/17 7:24 AM, Darshan wrote:
>
>> Anyon
pe=JKS
ssl.truststore.type=JKS
security.protocol=SSL
ssl.client.auth=required
allow.everyone.if.no.acl.found=false
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:CN=Kafka1
Can you please point out if anything needs to be modified ?
Many thanks.
--Darshan
On Wed,
cer configs
> look like? What exact exception, error or DEBUG logs do you see when you
> attempt this?
>
> We do use a similar setup, so I do know that such a configuration works
> fine.
>
> -Jaikiran
>
>
>
> On 21/12/17 1:49 AM, Darshan wrote:
>
>> Hi Jaik
ot support mixed mode but there is a backdoor
> zookeeper.properties config attribute that allows plaintext clients to
> bypass sasl auth)
>
> ?
>
> Martin
> __
>
>
>
>
> From: Darshan
ore.type=JKS
security.protocol=SSL
ssl.client.auth=required
allow.everyone.if.no.acl.found=false
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:CN=Kafka1
On Tue, Apr 3, 2018 at 10:42 PM, Manikumar
wrote:
> @Darshan,
> For PLAINTE
alue across all brokers.
>
> sh kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181
> --add --allow-principal User:ANONYMOUS --allow-host \* --operation Read
> --topic test
>
> On Thu, Apr 5, 2018 at 2:39 AM, Darshan
> wrote:
>
>> Hi Manikumar
>>
Hi
KIP-226 is released in 1.1. I had a question about it.
If we add a new certificate (programmatically) in the truststore that Kafka
Broker is using, do we need to issue any CLI or other command for Kafka
broker to read the new certificate or with KIP-226 everything happens
automatically ?
Hi Rajini
1. Oh so truststores can't be updated dynamically ? Is it planned for
any future release?
2. By dynamically updated, do you mean that if Broker was using keystore A,
we can now point it to use a different keystore B ?
Thanks.
On Wed, Apr 18, 2018 at 10:51 PM, Darshan
java.net.ConnectException: Connection refused
Does anyone know any known caveats or gotchas while upgrading Kafka version
?
Thanks.
--Darshan
Hi
I am testing out Kafka 2.2.0 and was hoping to test out "Enable dynamic
reconfiguration of SSL truststores"
https://issues.apache.org/jira/browse/KAFKA-6810. But unfortunately I could
not get it to work. Please find the server.properties. Just wondering if we
need a change of config. Please advis
I edited the email subject since it was not correct. Thanks.
On Thu, May 16, 2019 at 2:08 PM Darshan wrote:
> Hi
>
> I am testing out Kafka 2.2.0 and was hoping to test out "Enable dynamic
> reconfiguration of SSL truststores"
> https://issues.apache.org/ji
Broker+Configuration#KIP-226-DynamicBrokerConfiguration-SSLkeystore
> <
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-226+-+Dynamic+Broker+Configuration#KIP-226-DynamicBrokerConfiguration-SSLkeystore
> >
>
>
> > On May 16, 2019, at 2:08 PM, Darshan
> wrote:
Hi
We are on Kafka 1.1.1. We add a bunch of new entries (say ~ 10 new entries)
in truststore and restart for Kafka to read the truststore file. Everything
works fine.
We wanted to move to Kafka 2.0.x to get this new feature, wherein we can
dynamically remove something from truststore. Let's say, w
icate any
client. Just wondering how we can use the CRL or OCSP (Online Certificate
Status Protocol) with Kafka ? I couldn't find any documentation around it,
so I thought of asking the community.
Any help would be appreciated.
Thanks.
--Darshan
Hi
Our Kafka broker has two IPs on two different interfaces.
eth0 has 172.x.x.x for external leg
eth1 has 1.x.x.x for internal leg
Kafka Producer is on 172.x.x.x subnet, and Kafka Consumer is on 1.x.x.x
subnet.
If we use advertised.listeners=SSL://172.x.x.x:9093, then Producer can
produce the
>
> On Wed, May 31, 2017 at 6:22 PM, Raghav wrote:
>
> > Hello Darshan
> >
> > Have you tried SSL://0.0.0.0:9093 ?
> >
> > Rajani had suggested something similar to me a week back while I was
> > trying to get an ACL based setup.
> >
> > Than
Raghav
I saw a few posts of yours around Kafka ACLs and the problems. I have seen
similar issues where Writer has not been able to write to any topic. I have
seen "leader not available" and sometimes "unknown topic or partition", and
"topic_authorization_failed" error.
Let me know if you find a val