The super user is indeed for the broker to be able to do all the things it needs to do. For consumers and producers you can set the correct rights with the acl tool. http://kafka.apache.org/documentation.html#security_authz
On Tue, Mar 22, 2016 at 8:28 PM christopher palm <cpa...@gmail.com> wrote:

> Hi Ismael,
>
> Ok I got the basic authentication/ACL authorization for SSL working with
> the principal Kafka.example.com
>
> If that principal isn't in the server.properties as a super user, I was
> seeing errors on broker startup.
>
> In order to add new principals, the server.properties has to be updated and
> that principal user added to the super user group?
>
> How do I run the kafka producer/consumer as a different principal other
> than Kafka.example.com?
>
> Thanks,
> Chris
>
> On Mon, Mar 21, 2016 at 6:54 PM, Ismael Juma <ism...@juma.me.uk> wrote:
>
> > Hi Gopal,
> >
> > As you suspected, you have to set the appropriate ACLs for it to work. The
> > following will make the producer work:
> >
> > kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 \
> >   --add --allow-principal \
> >   "User:CN=kafka.example.com,OU=Client,O=Confluent,L=London,ST=London,C=GB" \
> >   --producer --topic securing-kafka
> >
> > The following will make the consumer work:
> >
> > kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 \
> >   --add --allow-principal \
> >   "User:CN=kafka.example.com,OU=Client,O=Confluent,L=London,ST=London,C=GB" \
> >   --consumer --topic securing-kafka --group securing-kafka-group
> >
> > Enabling the authorizer log is a good way to figure out the principal if
> > you don't know it.
> >
> > Hope this helps,
> > Ismael
> >
> > On Mon, Mar 21, 2016 at 10:27 PM, Raghavan, Gopal <gopal.ragha...@here.com>
> > wrote:
> >
> > > >Hi Christopher,
> > >
> > > >On Mon, Mar 21, 2016 at 3:53 PM, christopher palm <cpa...@gmail.com>
> > > >wrote:
> > >
> > > >> Does Kafka support SSL authentication and ACL authorization without
> > > >> Kerberos?
> > > >>
> > >
> > > >Yes. The following branch modifies the blog example slightly to only allow
> > > >SSL authentication.
> > >
> > > >https://github.com/confluentinc/securing-kafka-blog/tree/ssl-only
> > >
> > > >> If so, can different clients have their own SSL certificate on the same
> > > >> broker?
> > > >>
> > >
> > > >Yes.
> > >
> > > I tried the “ssl-only” branch but am getting the following error:
> > >
> > > [vagrant@kafka ~]$ kafka-console-producer --broker-list
> > > kafka.example.com:9093 --topic securing-kafka --producer.config
> > > /etc/kafka/producer_ssl.properties
> > >
> > > test
> > >
> > > [2016-03-21 22:08:46,744] WARN Error while fetching metadata with
> > > correlation id 0 : {securing-kafka=TOPIC_AUTHORIZATION_FAILED}
> > > (org.apache.kafka.clients.NetworkClient)
> > >
> > > [2016-03-21 22:08:46,748] ERROR Error when sending message to topic
> > > securing-kafka with key: null, value: 4 bytes with error: Not authorized to
> > > access topics: [securing-kafka]
> > > (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback)
> > >
> > > I did not set a topic-level ACL, since I do not know the principal name to
> > > use for the --allow-principal parameter of kafka-acls
> > >
> > > Any suggestions?
> > >
> > > >> In reading the following security article, it seems that Kerberos is an
> > > >> option but not required if SSL is used.
> > > >>
> > >
> > > >That's right.
> > >
> > > >Ismael
> > >
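The two questions the thread circles around are "what principal name does my SSL client present?" and "how do I give a second client its own rights without making it a super user?". The following is an added example, not code from the thread or from the Kafka project. It assumes the default principal mapping for SSL listeners, where Kafka takes the client certificate's X.500 subject in RFC 2253 form and prefixes it with `User:`, which is why Ismael's commands use `User:CN=...,OU=...,C=GB`. It also assumes a PEM client certificate is available for `openssl x509`; the `-nameopt RFC2253` option prints the subject in the same form Kafka uses, so the principal can be read off the certificate instead of waiting for an authorizer log line. The helper names (`kafka_principal_from_subject`, `producer_acl_cmd`, `super_users_line`, and so on) and the sample subject line are constructed for the example.

```shell
#!/bin/sh
# Added example: derive the Kafka SSL principal from a client certificate and
# emit the matching ACL commands and broker super.users entry.
# Helper names and the sample subject line are constructed for this example.

# Turn one `openssl x509 -noout -subject -nameopt RFC2253` output line into the
# principal Kafka sees. Accepts both "subject= CN=..." (OpenSSL 1.0) and
# "subject=CN=..." (OpenSSL 1.1+) spellings.
kafka_principal_from_subject() {
    dn=$(printf '%s\n' "$1" | sed -e 's/^subject= *//')
    printf 'User:%s\n' "$dn"
}

# Same, but reading the subject from a PEM certificate on disk (needs openssl).
# Not called at top level so the rest of the script runs without a cert.
kafka_principal_from_cert() {
    kafka_principal_from_subject \
        "$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)"
}

# The producer/consumer ACL commands from Ismael's reply, parameterised.
# $1 principal, $2 topic, $3 optional zookeeper.connect (default localhost:2181)
producer_acl_cmd() {
    printf '%s\n' "kafka-acls --authorizer-properties zookeeper.connect=${3:-localhost:2181} --add --allow-principal \"$1\" --producer --topic $2"
}

# $1 principal, $2 topic, $3 group, $4 optional zookeeper.connect
consumer_acl_cmd() {
    printf '%s\n' "kafka-acls --authorizer-properties zookeeper.connect=${4:-localhost:2181} --add --allow-principal \"$1\" --consumer --topic $2 --group $3"
}

# super.users for server.properties. Entries are separated by ';' because the
# DN-style principals themselves contain commas. Only the broker's own
# certificate principal (and real administrators) belong here; ordinary
# producers and consumers get ACLs instead.
super_users_line() {
    out=""
    for p in "$@"; do
        if [ -z "$out" ]; then out=$p; else out="$out;$p"; fi
    done
    printf 'super.users=%s\n' "$out"
}

# Client config for running a producer or consumer as a different principal:
# each identity gets its own keystore. $1 keystore path, $2 truststore path.
# Passwords are placeholders to be filled in by the operator.
client_ssl_config() {
    printf '%s\n' \
        "security.protocol=SSL" \
        "ssl.truststore.location=$2" \
        "ssl.truststore.password=<truststore-password>" \
        "ssl.keystore.location=$1" \
        "ssl.keystore.password=<keystore-password>" \
        "ssl.key.password=<key-password>"
}

# Demonstration on a constructed subject line matching the thread's DN.
SAMPLE_SUBJECT='subject=CN=kafka.example.com,OU=Client,O=Confluent,L=London,ST=London,C=GB'
CLIENT_PRINCIPAL=$(kafka_principal_from_subject "$SAMPLE_SUBJECT")
BROKER_PRINCIPAL='User:CN=kafka.example.com,OU=Broker,O=Confluent,L=London,ST=London,C=GB'

echo "# principal presented by the client certificate:"
echo "$CLIENT_PRINCIPAL"
echo "# server.properties entry for the broker's own identity:"
super_users_line "$BROKER_PRINCIPAL"
echo "# ACLs for the client, no super-user membership needed:"
producer_acl_cmd "$CLIENT_PRINCIPAL" securing-kafka
consumer_acl_cmd "$CLIENT_PRINCIPAL" securing-kafka securing-kafka-group
echo "# producer.config for a second identity with its own keystore:"
client_ssl_config /etc/kafka/client2.keystore.jks /etc/kafka/client.truststore.jks
```

Point `kafka-console-producer --producer.config` at a properties file generated for a different keystore and the broker will see that certificate's DN as the principal; the broker only rejects it at startup-time checks if it is the broker's own inter-broker identity missing from `super.users`, which is the case Chris hit.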