Hi

I enabled the DEBUG logs on the Kafka authorizer, and I see the following logs
for the given ACLs. Am I missing something in my config here? Any help is
greatly appreciated. Thanks.
*List of ACL*
[root@kafka1 KAFKA]# bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 \
    --list --topic kafka-testtopic
Current ACLs for resource `Topic:kafka-testtopic`:
User:* has Allow permission for operations: Read from hosts: bin
User:CN=kafka2 has Allow permission for operations: Write from hosts: kafka2.example.com
User:CN=kafka2 has Allow permission for operations: Read from hosts: kafka2.example.com
[root@kafka1 KAFKA]#
*Authorizer LOGS*
[2017-05-22 06:10:16,635] DEBUG Principal = User:CN=kafka2 is Denied Operation = Describe from host = 10.10.0.23 on resource = Topic:kafka-testtopic (kafka.authorizer.logger)
[2017-05-22 06:10:16,736] DEBUG Principal = User:CN=kafka2 is Denied Operation = Describe from host = 10.10.0.23 on resource = Topic:kafka-testtopic (kafka.authorizer.logger)
[2017-05-22 06:10:16,839] DEBUG Principal = User:CN=kafka2 is Denied Operation = Describe from host = 10.10.0.23 on resource = Topic:kafka-testtopic (kafka.authorizer.logger)
[2017-05-22 06:10:16,942] DEBUG Principal = User:CN=kafka2 is Denied Operation = Describe from host = 10.10.0.23 on resource = Topic:kafka-testtopic (kafka.authorizer.logger)
Thanks.
On Sun, May 21, 2017 at 10:52 PM, Raghav <[email protected]> wrote:
> I tried all possible ways (including the way you suggested Michael), but I
> still get the same error.
>
> Is there a step-by-step guide to get ACLs working in Kafka with SSL?
>
> Thanks.
>
> On Fri, May 19, 2017 at 11:40 AM, Michael Rauter <[email protected]>
> wrote:
>
>> Hi,
>>
>> With SSL client authentication, the user identifier is the dname of the
>> certificate,
>>
>> in your case “CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US”
>>
>> for example, when you want to set an ACL rule (read and write for topic
>> TOPICNAME from every host):
>>
>> $ kafka-acls --authorizer-properties zookeeper.connect=zookeeper:2181 \
>>     --add --allow-principal User:CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US \
>>     --allow-host "*" --operation Read --operation Write --topic TOPICNAME
>>
>>
>> On 19.05.17, 20:02, "Raghav" <[email protected]> wrote:
>>
>> If it helps, this is how I generated the keystore for my client:
>>
>> $ keytool -alias kafka-dev2 -validity 365 -keystore kafka-dev2.keystore.jks \
>>     -dname "CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US" -genkey \
>>     -ext SAN=DNS:kafka-dev2.example.com -storepass 123456
>>
>> Anything wrong here?
>>
>> On Fri, May 19, 2017 at 10:32 AM, Raghav <[email protected]>
>> wrote:
>>
>> > Hi
>> >
>> > I have an SSL setup with Kafka Broker, Producer and Consumer, and it
>> > works fine. I tried to set up ACLs as given on the website. When I
>> > start my producer, I am getting this error:
>> >
>> >
>> > [root@kafka-dev2 KAFKA]# bin/kafka-console-producer --broker-list kafka-dev1.example.com:9093 \
>> >     --topic test --producer.config ./etc/kafka/producer.properties
>> >
>> > HelloWorld
>> >
>> > [2017-05-19 10:24:42,437] WARN Error while fetching metadata with correlation id 1 : {test=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
>> > [root@kafka-dev2 KAFKA]#
>> >
>> >
>> > The server config has the following entries:
>> > ------------------------------------
>> > authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
>> > super.users=User:Bob
>> > ------------------------------------
>> >
>> > When the certificate was being generated for the Producer (Bob was used
>> > in the CNAME.)
>> >
>> >
>> > Am I missing something here? Please help.
>> >
>> > Thanks.
>> >
>> > Raghav
>> >
>>
>> --
>> Raghav
>
> --
> Raghav
--
Raghav
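A small checker, added here and not part of the thread, that replays the three conditions SimpleAclAuthorizer applies (principal, operation, host) against the ACL listing and one of the Denied log lines above, so the reason for each denial is spelled out. It compares the host the way the broker does, as the client's IP address string or `*` (a hostname in an ACL never matches), and treats the operation strictly: the Describe that the producer's metadata request needs must be granted explicitly or via All (the `--producer`/`--consumer` convenience options of kafka-acls add it for you); the Describe inference from Read/Write that newer brokers perform is an assumption left out of this model. `ACL_LIST` and `DENIED_LINE` are the thread's own output, joined onto single lines.

```python
import re

# Output formats of `kafka-acls.sh --list` and the kafka.authorizer.logger DEBUG line.
ACL_RE = re.compile(r"(?P<principal>User:\S+) has (?P<perm>Allow|Deny) permission for "
                    r"operations: (?P<op>\w+) from hosts: (?P<host>\S+)")
LOG_RE = re.compile(r"Principal = (?P<principal>User:\S+) is (?P<decision>Allowed|Denied) "
                    r"Operation = (?P<op>\w+) from host = (?P<host>\S+) on resource = (?P<resource>\S+)")

# Constructed sample: the listing and one authorizer line from the thread, re-joined.
ACL_LIST = """
User:* has Allow permission for operations: Read from hosts: bin
User:CN=kafka2 has Allow permission for operations: Write from hosts: kafka2.example.com
User:CN=kafka2 has Allow permission for operations: Read from hosts: kafka2.example.com
"""
DENIED_LINE = ("[2017-05-22 06:10:16,635] DEBUG Principal = User:CN=kafka2 is Denied "
               "Operation = Describe from host = 10.10.0.23 on resource = Topic:kafka-testtopic")

def parse_acls(text):
    return [m.groupdict() for m in ACL_RE.finditer(text)]

def failed_conditions(acl, principal, op, host):
    """Conditions of the SimpleAclAuthorizer match that this ACL fails (empty list = match)."""
    fails = []
    if acl["principal"] not in (principal, "User:*"):          # exact principal or wildcard
        fails.append(f"principal {acl['principal']} != {principal}")
    if acl["op"] not in (op, "All"):                           # exact operation or All
        fails.append(f"operation {acl['op']} does not cover {op}")
    if acl["host"] not in (host, "*"):                         # client IP string or *
        fails.append(f"host '{acl['host']}' != client IP {host} (hostnames never match)")
    return fails

def authorize(acls, principal, op, host):
    """(allowed, reasons): a matching Deny wins; otherwise any matching Allow grants access."""
    if any(not failed_conditions(a, principal, op, host) for a in acls if a["perm"] == "Deny"):
        return False, ["an explicit Deny ACL matches"]
    reasons = []
    for acl in (a for a in acls if a["perm"] == "Allow"):
        fails = failed_conditions(acl, principal, op, host)
        if not fails:
            return True, []
        reasons.append(f"{acl['principal']} {acl['op']} @ {acl['host']}: " + "; ".join(fails))
    return False, reasons

def diagnose(acl_text, log_line):
    m = LOG_RE.search(log_line)
    if m is None:
        raise ValueError("not an authorizer log line")
    return authorize(parse_acls(acl_text), m["principal"], m["op"], m["host"])

if __name__ == "__main__":
    allowed, reasons = diagnose(ACL_LIST, DENIED_LINE)
    print("allowed" if allowed else "denied, because:", *reasons, sep="\n")
```

Note that the `User:*` rule lists `hosts: bin`, which is what an unquoted `--allow-host *` expanded by the shell would produce (Michael's example quotes the `*`); that reading is an inference, not something the thread confirms.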