Hi,

I enabled DEBUG logs on the Kafka authorizer, and I see the following logs
for the given ACLs. Am I missing something in my config here? Any help is
greatly appreciated. Thanks.


*List of ACL*

[root@kafka1 KAFKA]# bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --list --topic kafka-testtopic
Current ACLs for resource `Topic:kafka-testtopic`:
        User:* has Allow permission for operations: Read from hosts: bin
        User:CN=kafka2 has Allow permission for operations: Write from hosts: kafka2.example.com
        User:CN=kafka2 has Allow permission for operations: Read from hosts: kafka2.example.com
[root@kafka1 KAFKA]#


*Authorizer LOGS*

[2017-05-22 06:10:16,635] DEBUG Principal = User:CN=kafka2 is Denied Operation = Describe from host = 10.10.0.23 on resource = Topic:kafka-testtopic (kafka.authorizer.logger)
[2017-05-22 06:10:16,736] DEBUG Principal = User:CN=kafka2 is Denied Operation = Describe from host = 10.10.0.23 on resource = Topic:kafka-testtopic (kafka.authorizer.logger)
[2017-05-22 06:10:16,839] DEBUG Principal = User:CN=kafka2 is Denied Operation = Describe from host = 10.10.0.23 on resource = Topic:kafka-testtopic (kafka.authorizer.logger)
[2017-05-22 06:10:16,942] DEBUG Principal = User:CN=kafka2 is Denied Operation = Describe from host = 10.10.0.23 on resource = Topic:kafka-testtopic (kafka.authorizer.logger)


Thanks.


On Sun, May 21, 2017 at 10:52 PM, Raghav <raghavas...@gmail.com> wrote:

> I tried all possible ways (including the way you suggested Michael), but I
> still get the same error.
>
> Is there a step by step guide to get ACLs working in Kafka with SSL ?
>
> Thanks.
>
> On Fri, May 19, 2017 at 11:40 AM, Michael Rauter <mrau...@anexia-it.com>
> wrote:
>
>> Hi,
>>
>> With SSL client authentication the user identifier is the dname of the
>> certificate,
>>
>> in your case “CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US”
>>
>> for example, when you want to set an ACL rule (read and write for topic
>> TOPICNAME from every host):
>>
>> $ kafka-acls --authorizer-properties zookeeper.connect=zookeeper:2181 --add --allow-principal User:CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US --allow-host "*" --operation Read --operation Write --topic TOPICNAME
>>
>>
>> Am 19.05.17, 20:02 schrieb "Raghav" <raghavas...@gmail.com>:
>>
>>     If it helps, this is how I generated the keystore for my client:
>>
>>     $ keytool -alias kafka-dev2 -validity 365 -keystore kafka-dev2.keystore.jks -dname "CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US" -genkey -ext SAN=DNS:kafka-dev2.example.com -storepass 123456
>>
>>     Anything wrong here?
>>
>>     On Fri, May 19, 2017 at 10:32 AM, Raghav <raghavas...@gmail.com>
>> wrote:
>>
>>     > Hi,
>>     >
>>     > I have an SSL setup with Kafka Broker, Producer and Consumer, and it works
>>     > fine. I tried to set up ACLs as given on the website. When I start my
>>     > producer, I am getting this error:
>>     >
>>     >
>>     > [root@kafka-dev2 KAFKA]# bin/kafka-console-producer --broker-list kafka-dev1.example.com:9093 --topic test --producer.config ./etc/kafka/producer.properties
>>     >
>>     > HelloWorld
>>     >
>>     > [2017-05-19 10:24:42,437] WARN Error while fetching metadata with correlation id 1 : {test=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
>>     > [root@kafka-dev2 KAFKA]#
>>     >
>>     >
>>     > The server config has the following entries:
>>     > ------------------------------------
>>     > authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
>>     > super.users=User:Bob
>>     > ------------------------------------
>>     >
>>     > When the certificate was being generated for the Producer, Bob was used in
>>     > the CNAME.
>>     >
>>     >
>>     > Am I missing something here? Please help.
>>     >
>>     > Thanks.
>>     >
>>     > Raghav
>>     >
>>
>>
>>
>>     --
>>     Raghav
>>
>>
>>
>
>
> --
> Raghav
>



-- 
Raghav
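The ACL listing and the authorizer DEBUG lines in the top message contain the answer, once the matching rules of Kafka's SimpleAclAuthorizer are spelled out: the broker matches the host field of an ACL against the client's IP address string (10.10.0.23 in the log), never against a hostname such as kafka2.example.com, so both CN=kafka2 rules silently miss; the `User:*` rule with host `bin` never matches either (it looks like an unquoted `--allow-host *` that the shell expanded to the `bin` directory of the KAFKA checkout, which is a guess, not something the thread confirms); and the Describe that the producer needs for its metadata request is implied by an Allow for Read, Write, Delete or Alter, so no separate Describe ACL is required once the host is right. The same exact-string rule explains the earlier message: `super.users=User:Bob` does not match a TLS principal whose name is the full DN `CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US`. The script below is an added example, not Kafka's code: a simplified Python model of that decision procedure, replayed over the ACLs and one log line copied from the thread, then over a corrected ACL set that uses the IP address from the log. The `Acl`, `authorize`, `parse_log_line` and `replay` names and the FIXED_ACLS set are the example's own.

```python
"""
Added example (not Kafka's own code): a simplified model of how Kafka's
SimpleAclAuthorizer decides a request, replayed against the ACLs and the
authorizer log line posted in the thread above.

Modelled rules:
  * super.users entries are compared to the principal as exact strings
  * the request host is the client's IP address string (what the DEBUG log
    prints), so an ACL host of "kafka2.example.com" never matches "10.10.0.23"
  * an Allow for Read, Write, Delete or Alter also satisfies Describe
  * Deny ACLs are checked before Allow ACLs; with no matching Allow, deny
"""
import re
from dataclasses import dataclass

WILDCARD = "*"


@dataclass(frozen=True)
class Acl:
    principal: str   # e.g. "User:CN=kafka2" or "User:*"
    permission: str  # "Allow" or "Deny"
    operation: str   # "Read", "Write", "Describe", "All", ...
    host: str        # IP address string or "*"


# Operations whose Allow also implies Describe
DESCRIBE_IMPLIED_BY = {"Describe", "Read", "Write", "Delete", "Alter"}


def _matches(acl, principal, operation, host, permission):
    return (acl.permission == permission
            and acl.principal in (principal, f"User:{WILDCARD}")
            and acl.operation in (operation, "All")
            and acl.host in (host, WILDCARD))


def authorize(acls, principal, operation, host, super_users=()):
    """Return (allowed, reason) for one request, in the authorizer's order."""
    if principal in super_users:
        return True, "super user"
    if any(_matches(a, principal, operation, host, "Deny") for a in acls):
        return False, "explicit Deny ACL"
    ops = DESCRIBE_IMPLIED_BY if operation == "Describe" else {operation}
    for op in ops:
        for a in acls:
            if _matches(a, principal, op, host, "Allow"):
                return True, f"matched {a}"
    return False, "no Allow ACL matches principal, operation and host"


LOG_RE = re.compile(r"Principal = (?P<principal>\S+) is (?P<decision>Allowed|Denied) "
                    r"Operation = (?P<op>\S+) from host = (?P<host>\S+) "
                    r"on resource = (?P<resource>\S+)")


def parse_log_line(line):
    """Pull principal, operation, host and resource out of a kafka.authorizer.logger line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an authorizer log line")
    return m.groupdict()


# ACLs exactly as kafka-acls.sh --list printed them in the thread
THREAD_ACLS = [
    Acl("User:*", "Allow", "Read", "bin"),
    Acl("User:CN=kafka2", "Allow", "Write", "kafka2.example.com"),
    Acl("User:CN=kafka2", "Allow", "Read", "kafka2.example.com"),
]

# First DEBUG line from the thread (copied, not constructed)
THREAD_LOG_LINE = ("[2017-05-22 06:10:16,635] DEBUG Principal = User:CN=kafka2 is Denied "
                   "Operation = Describe from host = 10.10.0.23 on resource = "
                   "Topic:kafka-testtopic (kafka.authorizer.logger)")

# Corrected set (example's own): same principal, host given as the IP the broker
# reports in the log; "*" would also work.
FIXED_ACLS = [
    Acl("User:CN=kafka2", "Allow", "Write", "10.10.0.23"),
    Acl("User:CN=kafka2", "Allow", "Read", "10.10.0.23"),
]


def replay(acls, log_line, super_users=()):
    """Re-evaluate the request recorded in a log line against a given ACL set."""
    req = parse_log_line(log_line)
    return authorize(acls, req["principal"], req["op"], req["host"], super_users)


if __name__ == "__main__":
    print("thread ACLs:", replay(THREAD_ACLS, THREAD_LOG_LINE))
    print("fixed ACLs: ", replay(FIXED_ACLS, THREAD_LOG_LINE))
    dn = "User:CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US"
    print("super.users=User:Bob:", authorize([], dn, "Write", "10.10.0.23", {"User:Bob"}))
    print("super.users=<full DN>:", authorize([], dn, "Write", "10.10.0.23", {dn}))
```

Running it shows the thread's ACLs denying the logged request and the IP-based ACLs allowing it, with Describe satisfied through the Read rule; the last two calls show why `super.users` must carry the full DN when the principal comes from a client certificate. To confirm the real host string your broker sees, read it from the DEBUG line as above rather than assuming a hostname, and quote `--allow-host "*"` as in Michael's command to keep the shell from expanding it.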
