If you can put the ACL in a file, and there will be few or no changes,
you might be best off writing your own Authorizer implementation. If you can
use a shared file system to store the config you would even be able to
easily change it, and it will be the same across the cluster.

On Thu, Jun 9, 2016 at 5:54 AM Harsha <ka...@harsha.io> wrote:

> 1) Can the ACLs be specified statically in a config file of sorts? Or is
> bin/kafka-acl.sh or a similar kafka client API the only way to specify the
> ACLs?
>
> kafka-acls.sh executes simpleAClAuthorizer and the only way it accepts
> acls is via command-line params.
>
>
> 2) I notice that bin/kafka-acl.sh takes an argument to specify zookeeper,
> but doesn't seem to have a mechanism to specify any other authentication
> constructs. Does that mean anyone can point to my zookeeper instance and
> add/remove the ACLs?
>
> simpleAClAuthorizer uses zookeeper as ACL storage. Remember that in kerberos
> secure mode we highly recommend turning on zookeeper.set.acl. This will
> put "sasl:principal_name" acls on zookeeper nodes. Here principal_name
> is the broker's principal.
> So one has to log in with that principal name to make changes to any of
> the zookeeper nodes.
> Only the users who have access to the broker's keytab can modify
> zookeeper nodes.
>
> 3) I'd like to use SSL certificates for Authentication and ACLs, but don't
> want to use encryption over the wire because of latency concerns mentioned
> here: https://issues.apache.org/jira/browse/KAFKA-2561
> Is that supported? Any instructions?
>
> openSSL is not supported yet.  Also dropping the encryption in the SSL
> channel is not possible yet.
> Any reason for not using kerberos for this, since we support a non-encrypted
> channel for kerberos?
>
>
> Thanks,
> harsha
>
>
> On Wed, Jun 8, 2016, at 02:06 PM, Samir Shah wrote:
> > Hello,
> >
> > Few questions on Kafka Security.
> >
> > 1) Can the ACLs be specified statically in a config file of sorts? Or is
> > bin/kafka-acl.sh or a similar kafka client API the only way to specify the
> > ACLs?
> >
> > 2) I notice that bin/kafka-acl.sh takes an argument to specify zookeeper,
> > but doesn't seem to have a mechanism to specify any other authentication
> > constructs. Does that mean anyone can point to my zookeeper instance and
> > add/remove the ACLs?
> >
> > 3) I'd like to use SSL certificates for Authentication and ACLs, but don't
> > want to use encryption over the wire because of latency concerns mentioned
> > here: https://issues.apache.org/jira/browse/KAFKA-2561
> > Is that supported? Any instructions?
> >
> > Thanks in advance.
> > - Samir
>
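
Broker-side settings for the configuration Harsha points to in question 3 (Kerberos authentication over a non-encrypted SASL_PLAINTEXT channel) together with the zookeeper.set.acl protection from question 2. This is an added example, not a config from the thread or from the Kafka project; the hostnames and the broker principal name `kafka` are placeholders.

```properties
# Added example, not from the original thread. Hostnames are placeholders.

# SASL_PLAINTEXT authenticates clients with Kerberos (GSSAPI) but does not
# encrypt the channel, which is what the thread asks for. SASL_SSL would add
# TLS on top; a plain SSL listener cannot have its encryption dropped.
listeners=SASL_PLAINTEXT://broker1.example.com:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.enabled.mechanisms=GSSAPI
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.kerberos.service.name=kafka

# Built-in authorizer; ACLs live in ZooKeeper and are managed with kafka-acls.sh.
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
# Weak setting: allow.everyone.if.no.acl.found=true leaves every resource
# without an ACL open to anyone who can connect. Keep the default of false.
allow.everyone.if.no.acl.found=false
# Super users bypass ACL checks; keep the list to the broker principal.
super.users=User:kafka

# Put sasl:<broker principal> ACLs on the znodes the broker creates (including
# the ACL store), so only a client holding the broker's Kerberos credentials
# can change them. Requires the broker's JAAS "Client" section and a
# SASL-enabled ZooKeeper.
zookeeper.set.acl=true
zookeeper.connect=zk1.example.com:2181/kafka
```

The broker additionally needs `-Djava.security.auth.login.config=<path to JAAS file>` in `KAFKA_OPTS`, with a `KafkaServer` section (broker keytab) and a `Client` section (the principal used towards ZooKeeper). Note that zookeeper.set.acl only sets ACLs on znodes the broker creates or migrates; it does not by itself make ZooKeeper require authentication.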

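The reply at the top suggests a custom Authorizer that reads static ACLs from a file. The following is an added example of the decision logic such an implementation needs; it is not Kafka's SimpleAclAuthorizer nor the Kafka Authorizer plugin interface, which is Scala and would wrap this logic. The one-ACL-per-line file format (`principal host operation Allow|Deny ResourceType:name`) and the sample file are assumptions constructed for this example. The evaluation order mirrors the documented SimpleAclAuthorizer rules: super users bypass checks, a resource with no ACLs falls back to allow.everyone.if.no.acl.found, Deny wins over Allow, `User:*` and host `*` are wildcards, and an Allow on Read/Write/Delete/Alter implies Describe.

```python
"""File-backed ACL evaluation in the style of Kafka's SimpleAclAuthorizer.

Added example: this is illustrative decision logic, not Kafka's own code
and not the Scala Authorizer interface. The line format is an assumption.
"""
from dataclasses import dataclass
from typing import Iterable, List

ALLOW, DENY = "Allow", "Deny"
WILDCARD = "*"
WILDCARD_PRINCIPAL = "User:" + WILDCARD
# Kafka treats an Allow on any of these operations as also allowing Describe.
IMPLIES_DESCRIBE = {"Read", "Write", "Delete", "Alter"}


@dataclass(frozen=True)
class Acl:
    principal: str   # "User:alice" or "User:*"
    host: str        # client address or "*"
    operation: str   # Read, Write, Describe, ..., or All
    permission: str  # Allow or Deny
    resource: str    # "Topic:orders", "Group:billing", "Cluster:kafka-cluster"


def parse_acl_file(text: str) -> List[Acl]:
    """Parse 'principal host operation permission resource' lines.
    Blank lines and '#' comments are ignored; a malformed line raises
    rather than silently dropping an ACL."""
    acls: List[Acl] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 5 or parts[3] not in (ALLOW, DENY) or ":" not in parts[4]:
            raise ValueError(f"line {lineno}: malformed ACL {raw!r}")
        acls.append(Acl(*parts))
    return acls


class FileAclAuthorizer:
    def __init__(self, acls: Iterable[Acl], super_users: Iterable[str] = (),
                 allow_if_no_acl: bool = False):
        self.acls = list(acls)
        self.super_users = set(super_users)
        self.allow_if_no_acl = allow_if_no_acl  # allow.everyone.if.no.acl.found

    @staticmethod
    def _matches(acl: Acl, principal: str, host: str, operation: str,
                 permission: str) -> bool:
        op_ok = (acl.operation == "All" or acl.operation == operation or
                 (permission == ALLOW and operation == "Describe"
                  and acl.operation in IMPLIES_DESCRIBE))
        return (acl.permission == permission and op_ok
                and acl.principal in (principal, WILDCARD_PRINCIPAL)
                and acl.host in (host, WILDCARD))

    def authorize(self, principal: str, host: str, operation: str,
                  resource: str) -> bool:
        if principal in self.super_users:
            return True
        relevant = [a for a in self.acls if a.resource == resource]
        if not relevant:
            return self.allow_if_no_acl
        # Deny takes precedence over Allow, as in Kafka.
        if any(self._matches(a, principal, host, operation, DENY) for a in relevant):
            return False
        return any(self._matches(a, principal, host, operation, ALLOW) for a in relevant)


# Constructed sample ACL file; not taken from any real deployment.
SAMPLE_ACL_FILE = """\
# principal   host        operation  permission  resource
User:alice    *           Read       Allow       Topic:orders
User:alice    *           Write      Allow       Topic:orders
User:*        *           Read       Allow       Topic:public-events
User:bob      10.0.0.9    Read       Deny        Topic:public-events  # bob from a bad host
User:bob      *           Write      Deny        Topic:orders
"""


def build_sample_authorizer() -> FileAclAuthorizer:
    return FileAclAuthorizer(parse_acl_file(SAMPLE_ACL_FILE),
                             super_users={"User:kafka"})


if __name__ == "__main__":
    auth = build_sample_authorizer()
    for who, host, op, res in [("User:alice", "10.1.1.1", "Read", "Topic:orders"),
                               ("User:bob", "10.0.0.9", "Read", "Topic:public-events"),
                               ("User:carol", "10.1.1.1", "Read", "Topic:orders")]:
        print(who, host, op, res, "->", auth.authorize(who, host, op, res))
```

Reloading the file on a timer or on an inotify event is what makes the "shared file system" variant from the reply work across brokers; the parser above is strict on purpose so that a bad edit fails loudly instead of silently removing an ACL and opening or closing access.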