You need to execute kafka-acls.sh with --consumer to enable consumption from kafka.
_________________________________________________
Shrikant Patel | 817.367.4302
Enterprise Architecture Team
PDX-NHIN

-----Original Message-----
From: Raghu B [mailto:raghu98...@gmail.com]
Sent: Wednesday, December 14, 2016 5:42 PM
To: secur...@kafka.apache.org
Subject: Kafka ACL's with SSL Protocol is not working

Hi All,

I am trying to enable ACLs in my Kafka cluster along with the SSL protocol. I tried each and every parameter but had no luck, so I need help to enable SSL (without Kerberos), and I am attaching all the configuration details here. Kindly help me.

I tested SSL without ACL, it worked fine (listeners=SSL://10.247.195.122:9093)

This is my Kafka server properties file:

    ############################# ACL SETTINGS #############################
    auto.create.topics.enable=true
    authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
    security.inter.broker.protocol=SSL
    #allow.everyone.if.no.acl.found=true
    #principal.builder.class=CustomizedPrincipalBuilderClass
    #super.users=User:"CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown"
    #super.users=User:Raghu;User:Admin
    #offsets.storage=kafka
    #dual.commit.enabled=true
    listeners=SSL://10.247.195.122:9093
    #listeners=PLAINTEXT://10.247.195.122:9092
    #listeners=PLAINTEXT://10.247.195.122:9092,SSL://10.247.195.122:9093
    #advertised.listeners=PLAINTEXT://10.247.195.122:9092
    ssl.keystore.location=/home/raghu/kafka/security/server.keystore.jks
    ssl.keystore.password=123456
    ssl.key.password=123456
    ssl.truststore.location=/home/raghu/kafka/security/server.truststore.jks
    ssl.truststore.password=123456

Set the ACL from Authorizer CLI:

    > bin/kafka-acls.sh --authorizer-properties zookeeper.connect=10.247.195.122:2181 --list --topic ssltopic
    Current ACLs for resource `Topic:ssltopic`:
        User:CN=writeuser, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown has Allow permission for operations: Write from hosts: *

    XXXWMXXX-7:kafka_2.11-0.10.1.0 rbaddam$ bin/kafka-console-producer.sh --broker-list 10.247.195.122:9093 --topic ssltopic --producer.config client-ssl.properties
    [2016-12-13 14:53:45,839] WARN Error while fetching metadata with correlation id 0 : {ssltopic=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
    [2016-12-13 14:53:45,984] WARN Error while fetching metadata with correlation id 1 : {ssltopic=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)

    XXXWMXXX-7:kafka_2.11-0.10.1.0 rbaddam$ cat client-ssl.properties
    #group.id=sslgroup
    security.protocol=SSL
    ssl.truststore.location=/Users/rbaddam/Desktop/Dev/kafka_2.11-0.10.1.0/ssl/client.truststore.jks
    ssl.truststore.password=123456
    #Configure Below if you use Client Auth
    ssl.keystore.location=/Users/rbaddam/Desktop/Dev/kafka_2.11-0.10.1.0/ssl/client.keystore.jks
    ssl.keystore.password=123456
    ssl.key.password=123456

    XXXWMXXX-7:kafka_2.11-0.10.1.0 rbaddam$ bin/kafka-console-consumer.sh --bootstrap-server 10.247.195.122:9093 --new-consumer --consumer.config client-ssl.properties --topic ssltopic --from-beginning
    [2016-12-13 14:53:28,817] WARN Error while fetching metadata with correlation id 1 : {ssltopic=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
    [2016-12-13 14:53:28,819] ERROR Unknown error when running consumer: (kafka.tools.ConsoleConsumer$)
    org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to access group: console-consumer-52826

Thanks in advance,
Raghu - raghu98...@gmail.com
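
Added example, not part of the original thread and not Kafka's own code: a simplified Python model of the ACL check that shows which consumer requests the listed ACL denies and what the --consumer option adds. It assumes the client authenticates as the principal shown in the ACL listing; the Acl type and the function names are hypothetical.

```python
# Simplified model of an Allow-only ACL check (illustration, not Kafka source).
from collections import namedtuple

Acl = namedtuple("Acl", "principal operation resource_type resource_name")

# Principal string exactly as printed by `kafka-acls.sh --list` in the thread.
WRITEUSER = ("User:CN=writeuser, OU=Unknown, O=Unknown, "
             "L=Unknown, ST=Unknown, C=Unknown")

# An Allow ACL for Read, Write, Delete or Alter also satisfies Describe.
IMPLIES_DESCRIBE = {"Read", "Write", "Delete", "Alter"}


def consumer_acls(principal, topic, group):
    """ACLs generated by --consumer: Read+Describe on topic, Read on group."""
    return [Acl(principal, "Read", "Topic", topic),
            Acl(principal, "Describe", "Topic", topic),
            Acl(principal, "Read", "Group", group)]


def authorized(acls, principal, operation, rtype, rname):
    """True if some Allow ACL covers the request ('*' matches any resource)."""
    for a in acls:
        if a.principal != principal or a.resource_type != rtype:
            continue
        if a.resource_name not in (rname, "*"):
            continue
        if a.operation in (operation, "All"):
            return True
        if operation == "Describe" and a.operation in IMPLIES_DESCRIBE:
            return True
    return False


def missing_for_consumer(acls, principal, topic, group):
    """Requests a consumer makes that the given ACL set would deny."""
    needed = [("Describe", "Topic", topic), ("Read", "Topic", topic),
              ("Read", "Group", group)]
    return [n for n in needed if not authorized(acls, principal, *n)]


# State from the thread: only Write on Topic:ssltopic is allowed.
current = [Acl(WRITEUSER, "Write", "Topic", "ssltopic")]
# group.id is commented out, so the console consumer uses a generated group.
before = missing_for_consumer(current, WRITEUSER, "ssltopic",
                              "console-consumer-52826")
# After --consumer --topic ssltopic --group sslgroup, with group.id=sslgroup.
fixed = current + consumer_acls(WRITEUSER, "ssltopic", "sslgroup")
after = missing_for_consumer(fixed, WRITEUSER, "ssltopic", "sslgroup")
# The generated group is still denied if group.id stays commented out.
still = missing_for_consumer(fixed, WRITEUSER, "ssltopic",
                             "console-consumer-52826")
```

The group named in the ACL has to match the group.id the consumer actually uses, so the commented-out group.id in client-ssl.properties needs to be set to the same value passed to --group.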