In the JAAS config, the Client section is used to authenticate the SASL connection with ZooKeeper. It is necessary to have the same principal name across all brokers.
http://kafka.apache.org/documentation.html#security_jaas_broker

On Sat, Apr 1, 2017 at 5:50 AM, Shrikant Patel <spa...@pdxinc.com> wrote:
> Hi All,
>
> We are using SASL for authentication between Kafka and ZK. Followed
> https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/
>
> We have 3 Kafka nodes; on each node we have principal="kafka/server_no.xxx....@xxx.com". So
>
> On the first node in kafka_server_jaas.conf, principal is set to
> principal="kafka/server1.xxx....@xxx.com"
> On the second node in kafka_server_jaas.conf, principal is set to
> principal="kafka/server2.xxx....@xxx.com"
> On the third node in kafka_server_jaas.conf, principal is set to
> principal="kafka/server3.xxx....@xxx.com"
>
> When I run the ACL command from node 1, it is successful. It all works, but I
> cannot run ACL from the other 2 nodes. On the other 2 nodes it fails with error
>
> [2017-03-31 18:44:38,629] ERROR Conditional update of path
> /kafka-acl/Topic/shri-topic with data {"version":1,"acls":[{"principal":"User:CN=xxxxxxx,OU=xxxx,O=xxxx,L=xxxxx,ST=xx,C=xx","permissionType":"Allow","operation":"Describe","host":"*"},{"principal":"User:CN=spatel-lt,OU=arch,O=pdx inc,L=fort worth,ST=tx,C=us","permissionType":"Allow","operation":"Write","host":"*"}]}
> and expected version 0 failed due to
> org.apache.zookeeper.KeeperException$NoAuthException:
> KeeperErrorCode = NoAuth for /kafka-acl/Topic/shri-topic
> (kafka.utils.ZkUtils)
>
> When I look at the ZK kafka-acl node, it only has permission for the first node. I
> understand the reason it does not allow the others to run ACL, even though they have
> valid keytabs.
>
> getAcl /kafka-acl
> 'world,'anyone
> : r
> 'sasl,'kafka/server1.xxx....@xxx.com
> : cdrwa
>
> Is this a bug or am I doing something wrong here?
>
> Thanks,
> Shri
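As an added example (not from this thread, and not Kafka's or ZooKeeper's own code), the following Python script reproduces the check the reply implies: parse each broker's `kafka_server_jaas.conf`, confirm that every `Client` section carries the same principal, and compare those principals with the `sasl` ids on a `getAcl /kafka-acl` listing to predict which brokers would hit `NoAuth`. Hostnames, the `EXAMPLE.COM` realm, the keytab path and the `getAcl` outputs are constructed placeholders; the JAAS file layout follows the section/`Krb5LoginModule` shape shown in the linked Kafka documentation.

```python
"""Check that every broker's JAAS `Client` section uses the same principal,
and compare those principals with the SASL ids on a ZooKeeper znode ACL.
Added example with constructed data; not code from the thread or from Kafka."""
import re

SECTION_RE = re.compile(r"(\w+)\s*\{(.*?)\}\s*;", re.DOTALL)
PRINCIPAL_RE = re.compile(r'principal\s*=\s*"([^"]+)"')


def parse_jaas(text):
    """Return {section_name: principal} for a JAAS config file."""
    text = re.sub(r"//[^\n]*", "", text)  # drop // line comments
    out = {}
    for name, body in SECTION_RE.findall(text):
        m = PRINCIPAL_RE.search(body)
        if m:
            out[name] = m.group(1)
    return out


def parse_getacl(text):
    """Parse zkCli `getAcl` output into a list of (scheme, id, perms)."""
    entries, pending = [], None
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("'"):                  # e.g. 'sasl,'kafka@EXAMPLE.COM
            scheme, _, ident = line.partition(",'")
            pending = (scheme.lstrip("'"), ident)
        elif line.startswith(":") and pending:   # e.g. : cdrwa
            entries.append((pending[0], pending[1], line[1:].strip()))
            pending = None
    return entries


def make_jaas(host, client_principal):
    """Constructed kafka_server_jaas.conf: the broker's own (KafkaServer)
    principal stays host-specific; only the Client principal varies."""
    return f'''
KafkaServer {{
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/etc/security/keytabs/kafka_server.keytab"
    principal="kafka/{host}@EXAMPLE.COM";
}};

// Zookeeper client authentication
Client {{
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/etc/security/keytabs/kafka_server.keytab"
    principal="{client_principal}";
}};
'''


def client_principals(jaas_by_broker):
    """Map broker name -> principal in its Client section (None if absent)."""
    return {b: parse_jaas(t).get("Client") for b, t in jaas_by_broker.items()}


def consistent(jaas_by_broker):
    """True when every broker authenticates to ZooKeeper as the same principal."""
    return len(set(client_principals(jaas_by_broker).values())) == 1


def brokers_denied(jaas_by_broker, getacl_text, needed="w"):
    """Brokers whose Client principal lacks the `needed` perm on the znode."""
    granted = {ident: perms for scheme, ident, perms in parse_getacl(getacl_text)
               if scheme == "sasl"}
    return sorted(b for b, p in client_principals(jaas_by_broker).items()
                  if needed not in granted.get(p, ""))


HOSTS = ["server1.example.com", "server2.example.com", "server3.example.com"]

# Scenario from the thread: per-host Client principals. /kafka-acl was created
# by broker 1, so ZooKeeper bound the znode ACL to broker 1's SASL identity.
PER_HOST = {h.split(".")[0]: make_jaas(h, f"kafka/{h}@EXAMPLE.COM") for h in HOSTS}
ACL_PER_HOST = """
'world,'anyone
: r
'sasl,'kafka/server1.example.com@EXAMPLE.COM
: cdrwa
"""

# The fix the reply recommends: one shared Client principal on every broker,
# so the znode ACL (constructed) names an id all three brokers present.
SHARED = {h.split(".")[0]: make_jaas(h, "kafka@EXAMPLE.COM") for h in HOSTS}
ACL_SHARED = """
'world,'anyone
: r
'sasl,'kafka@EXAMPLE.COM
: cdrwa
"""

if __name__ == "__main__":
    print("per-host: consistent =", consistent(PER_HOST),
          "denied =", brokers_denied(PER_HOST, ACL_PER_HOST))
    print("shared:   consistent =", consistent(SHARED),
          "denied =", brokers_denied(SHARED, ACL_SHARED))
```

The point the check makes visible is that the znode ACL is not a bug: ZooKeeper records the exact SASL identity that created `/kafka-acl`, so brokers presenting a different `Client` principal are correctly refused. Keeping the `KafkaServer` principal host-specific is fine; only the `Client` principal (the ZooKeeper-side identity) has to be identical on every broker, and the ACL then names that one id. ZooKeeper also offers the `kerberos.removeHostFromPrincipal` and `kerberos.removeRealmFromPrincipal` system properties on its SASL authentication provider, which normalize `kafka/host@REALM` to `kafka` before the ACL id is stored; that is a ZooKeeper-side alternative not discussed in this thread.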