Hi Gopal,

As you suspected, you have to set the appropriate ACLs for it to work. The
following will make the producer work:

kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 \
  --add --allow-principal \
  "User:CN=kafka.example.com,OU=Client,O=Confluent,L=London,ST=London,C=GB" \
  --producer --topic securing-kafka

The following will make the consumer work:

kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 \
  --add --allow-principal \
  "User:CN=kafka.example.com,OU=Client,O=Confluent,L=London,ST=London,C=GB" \
  --consumer --topic securing-kafka --group securing-kafka-group

Enabling the authorizer log is a good way to figure out the principal if
you don't know it.

Hope this helps,
Ismael

On Mon, Mar 21, 2016 at 10:27 PM, Raghavan, Gopal <gopal.ragha...@here.com>
wrote:

> >Hi Christopher,
>
> >On Mon, Mar 21, 2016 at 3:53 PM, christopher palm <cpa...@gmail.com>
> wrote:
>
> >> Does Kafka support SSL authentication and ACL authorization without
> >> Kerberos?
> >>
>
> >Yes. The following branch modifies the blog example slightly to only allow
> >SSL authentication.
>
> >https://github.com/confluentinc/securing-kafka-blog/tree/ssl-only
>
> >> If so, can different clients have their own SSL certificate on the same
> >> broker?
> >>
>
> >Yes.
>
> I tried the “ssl-only” branch but am getting the following error:
>
> [vagrant@kafka ~]$ kafka-console-producer --broker-list
> kafka.example.com:9093 --topic securing-kafka --producer.config
> /etc/kafka/producer_ssl.properties
>
> test
>
> [2016-03-21 22:08:46,744] WARN Error while fetching metadata with
> correlation id 0 : {securing-kafka=TOPIC_AUTHORIZATION_FAILED}
> (org.apache.kafka.clients.NetworkClient)
>
> [2016-03-21 22:08:46,748] ERROR Error when sending message to topic
> securing-kafka with key: null, value: 4 bytes with error: Not authorized to
> access topics: [securing-kafka]
> (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback)
>
> I did not set a topic-level ACL, since I do not know the principal name to
> use for the --allow-principal parameter of kafka-acls.
>
> Any suggestions?
>
> >> In reading the following security article, it seems that Kerberos is an
> >> option but not required if SSL is used.
> >>
>
> >That's right.
>
> >Ismael
>
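The principal Ismael passes to --allow-principal above is the client certificate's subject DN rendered in RFC 2253 order (CN first, comma separated) and prefixed with "User:", which is what Kafka's SSL authenticator derives from the certificate. As an added example that is not part of this thread or of Kafka's own tooling, the Python helper below (hypothetical function names) turns the subject line printed by `openssl x509 -noout -subject` into that principal string, so the value can be checked against the authorizer log instead of guessed.

```python
"""Derive the Kafka SSL principal (User:<RFC 2253 DN>) from an OpenSSL subject line.

OpenSSL prints the DN in certificate order, either as "/C=GB/ST=London/.../CN=host"
(legacy form) or as "C = GB, ST = London, ..., CN = host" (newer form). Kafka uses
Java's RFC 2253 rendering, which reverses that order and escapes special characters.
Illustrative helper, not part of Kafka.
"""
import re

# RFC 2253 section 2.4: characters that need a backslash escape inside a value.
_SPECIAL = set(',+"\\<>;')


def escape_rfc2253(value: str) -> str:
    """Escape one attribute value the way an RFC 2253 DN string would carry it."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        leading_hash = ch == '#' and i == 0
        edge_space = ch == ' ' and i in (0, last)
        out.append('\\' + ch if ch in _SPECIAL or leading_hash or edge_space else ch)
    return ''.join(out)


def parse_openssl_subject(line: str) -> list:
    """Return [(attr, value), ...] in the order OpenSSL printed them.

    Assumes values do not themselves contain an escaped separator (\\/ or \\,).
    """
    body = re.sub(r'^subject\s*=\s*', '', line.strip())
    if body.startswith('/'):
        # Split only on a '/' that starts a new "attr=" so slashes inside values survive.
        parts = [p for p in re.split(r'/(?=[A-Za-z][\w.]*=)', body) if p]
    else:
        # Split only on a ',' that starts a new "attr =" so commas inside values survive.
        parts = re.split(r',\s*(?=[A-Za-z][\w.]*\s*=)', body)
    pairs = []
    for part in parts:
        attr, _, value = part.partition('=')
        pairs.append((attr.strip(), value.strip()))
    return pairs


def kafka_principal(openssl_subject_line: str) -> str:
    """Build the User:<DN> principal Kafka assigns to a client presenting this certificate."""
    pairs = parse_openssl_subject(openssl_subject_line)
    # RFC 2253 lists RDNs in reverse of certificate order, so CN comes first.
    rdns = [f"{attr}={escape_rfc2253(value)}" for attr, value in reversed(pairs)]
    return 'User:' + ','.join(rdns)
```

Compare the returned string with the principal reported in the authorizer log before adding the ACL; a mismatch (for example a stray comma or a differently ordered DN) is exactly what produces TOPIC_AUTHORIZATION_FAILED despite an ACL being present.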
