Hi Ismael,

Ok, I got the basic authentication/ACL authorization for SSL working with the principal Kafka.example.com.

If that principal isn't in the server.properties as a super user, I was seeing errors on broker startup. In order to add new principals, does the server.properties have to be updated and that principal user added to the super user group? How do I run the kafka producer/consumer as a different principal other than Kafka.example.com?

Thanks,
Chris

On Mon, Mar 21, 2016 at 6:54 PM, Ismael Juma <ism...@juma.me.uk> wrote:
> Hi Gopal,
>
> As you suspected, you have to set the appropriate ACLs for it to work. The
> following will make the producer work:
>
> kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 \
>   --add --allow-principal \
>   "User:CN=kafka.example.com,OU=Client,O=Confluent,L=London,ST=London,C=GB" \
>   --producer --topic securing-kafka
>
> The following will make the consumer work:
>
> kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 \
>   --add --allow-principal \
>   "User:CN=kafka.example.com,OU=Client,O=Confluent,L=London,ST=London,C=GB" \
>   --consumer --topic securing-kafka --group securing-kafka-group
>
> Enabling the authorizer log is a good way to figure out the principal if
> you don't know it.
>
> Hope this helps,
> Ismael
>
> On Mon, Mar 21, 2016 at 10:27 PM, Raghavan, Gopal <gopal.ragha...@here.com>
> wrote:
>
> > >Hi Christopher,
> >
> > >On Mon, Mar 21, 2016 at 3:53 PM, christopher palm <cpa...@gmail.com>
> > >wrote:
> >
> > >> Does Kafka support SSL authentication and ACL authorization without
> > >> Kerberos?
> > >>
> >
> > >Yes. The following branch modifies the blog example slightly to only allow
> > >SSL authentication.
> >
> > >https://github.com/confluentinc/securing-kafka-blog/tree/ssl-only
> >
> > >> If so, can different clients have their own SSL certificate on the same
> > >> broker?
> > >>
> >
> > >Yes.
> >
> > I tried the “ssl-only” branch but am getting the following error:
> >
> > [vagrant@kafka ~]$ kafka-console-producer --broker-list
> > kafka.example.com:9093 --topic securing-kafka --producer.config
> > /etc/kafka/producer_ssl.properties
> >
> > test
> >
> > [2016-03-21 22:08:46,744] WARN Error while fetching metadata with
> > correlation id 0 : {securing-kafka=TOPIC_AUTHORIZATION_FAILED}
> > (org.apache.kafka.clients.NetworkClient)
> >
> > [2016-03-21 22:08:46,748] ERROR Error when sending message to topic
> > securing-kafka with key: null, value: 4 bytes with error: Not authorized to
> > access topics: [securing-kafka]
> > (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback)
> >
> > I did not set topic level ACL, since I do not know the Principal name to
> > use for --allow-principal parameter of kafka-acls
> >
> > Any suggestions?
> >
> > >> In reading the following security article, it seems that Kerberos is an
> > >> option but not required if SSL is used.
> > >>
> >
> > >That's right.
> >
> > >Ismael
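A small script, added here and not part of the thread, that follows Ismael's suggestion: read the broker's authorizer log to learn which principal was denied what, then turn those denials into the same kafka-acls --producer / --consumer commands given above. The log line format is an assumption about Kafka's authorizer logger output, and the sample lines (including the second principal, CN=reporting) are constructed.

```python
import re
from collections import defaultdict

# Assumed format of Kafka's authorizer logger output; the sample lines are constructed.
AUTHZ_RE = re.compile(
    r"Principal = (?P<principal>User:.+?) is (?P<decision>Allowed|Denied) "
    r"Operation = (?P<op>\w+) from host = (?P<host>\S+) "
    r"on resource = (?P<rtype>\w+):(?P<rname>\S+)"
)

SAMPLE_LOG = """\
[2016-03-21 22:08:46,740] INFO Principal = User:CN=kafka.example.com,OU=Client,O=Confluent,L=London,ST=London,C=GB is Denied Operation = Describe from host = 192.168.50.1 on resource = Topic:securing-kafka (kafka.authorizer.logger)
[2016-03-21 22:08:46,744] INFO Principal = User:CN=kafka.example.com,OU=Client,O=Confluent,L=London,ST=London,C=GB is Denied Operation = Write from host = 192.168.50.1 on resource = Topic:securing-kafka (kafka.authorizer.logger)
[2016-03-21 22:09:02,101] INFO Principal = User:CN=reporting,OU=Client,O=Confluent,L=London,ST=London,C=GB is Denied Operation = Read from host = 192.168.50.2 on resource = Topic:securing-kafka (kafka.authorizer.logger)
[2016-03-21 22:09:02,103] INFO Principal = User:CN=reporting,OU=Client,O=Confluent,L=London,ST=London,C=GB is Denied Operation = Read from host = 192.168.50.2 on resource = Group:securing-kafka-group (kafka.authorizer.logger)
[2016-03-21 22:10:00,000] INFO Principal = User:CN=kafka.example.com,OU=Client,O=Confluent,L=London,ST=London,C=GB is Allowed Operation = Write from host = 192.168.50.1 on resource = Topic:securing-kafka (kafka.authorizer.logger)
"""

def parse_denials(log_text):
    """Group Denied entries as {principal: {(resource_type, name): {operations}}}."""
    denials = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = AUTHZ_RE.search(line)
        if m and m["decision"] == "Denied":
            denials[m["principal"]][(m["rtype"], m["rname"])].add(m["op"])
    return denials

def suggest_acls(denials, zk="localhost:2181"):
    """Translate denials into the --producer / --consumer kafka-acls forms used in the thread."""
    cmds = []
    for principal, resources in denials.items():
        base = (f"kafka-acls --authorizer-properties zookeeper.connect={zk} "
                f'--add --allow-principal "{principal}"')
        written = sorted(n for (t, n), ops in resources.items() if t == "Topic" and "Write" in ops)
        read = sorted(n for (t, n), ops in resources.items() if t == "Topic" and "Read" in ops)
        groups = sorted(n for (t, n), ops in resources.items() if t == "Group" and "Read" in ops)
        cmds += [f"{base} --producer --topic {t}" for t in written]
        # A consumer needs Read on both the topic and its group; fall back to a
        # placeholder when the log only showed one side of that pair.
        for g in groups or (["<group>"] if read else []):
            for t in read or ["<topic>"]:
                cmds.append(f"{base} --consumer --topic {t} --group {g}")
    return cmds

if __name__ == "__main__":
    for cmd in suggest_acls(parse_denials(SAMPLE_LOG)):
        print(cmd)
```

Grant only what the denials show; the Allowed line is ignored, and each principal gets its own ACL rather than being added to the broker's super.users list.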