Hi, I enabled DEBUG logs on the Kafka authorizer, and I see the following logs for the given ACLs. Am I missing something in my config here? Any help is greatly appreciated. Thanks.
*List of ACL*

[root@kafka1 KAFKA]# bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --list --topic kafka-testtopic
Current ACLs for resource `Topic:kafka-testtopic`:
    User:* has Allow permission for operations: Read from hosts: bin
    User:CN=kafka2 has Allow permission for operations: Write from hosts: kafka2.example.com
    User:CN=kafka2 has Allow permission for operations: Read from hosts: kafka2.example.com
[root@kafka1 KAFKA]#

*Authorizer LOGS*

[2017-05-22 06:10:16,635] DEBUG Principal = User:CN=kafka2 is Denied Operation = Describe from host = 10.10.0.23 on resource = Topic:kafka-testtopic (kafka.authorizer.logger)
[2017-05-22 06:10:16,736] DEBUG Principal = User:CN=kafka2 is Denied Operation = Describe from host = 10.10.0.23 on resource = Topic:kafka-testtopic (kafka.authorizer.logger)
[2017-05-22 06:10:16,839] DEBUG Principal = User:CN=kafka2 is Denied Operation = Describe from host = 10.10.0.23 on resource = Topic:kafka-testtopic (kafka.authorizer.logger)
[2017-05-22 06:10:16,942] DEBUG Principal = User:CN=kafka2 is Denied Operation = Describe from host = 10.10.0.23 on resource = Topic:kafka-testtopic (kafka.authorizer.logger)

Thanks.

On Sun, May 21, 2017 at 10:52 PM, Raghav <raghavas...@gmail.com> wrote:
> I tried all possible ways (including the way you suggested, Michael), but I
> still get the same error.
>
> Is there a step-by-step guide to get ACLs working in Kafka with SSL?
>
> Thanks.
>
> On Fri, May 19, 2017 at 11:40 AM, Michael Rauter <mrau...@anexia-it.com> wrote:
>
>> Hi,
>>
>> with SSL client authentication the user identifier is the dname of the
>> certificate
>>
>> in your case "CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US"
>>
>> for example when you want to set an ACL rule (read and write for topic
>> TOPICNAME from every host):
>>
>> $ kafka-acls --authorizer-properties zookeeper.connect=zookeeper:2181 --add --allow-principal User:CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US --allow-host "*" --operation Read --operation Write --topic TOPICNAME
>>
>>
>> On 19.05.17, 20:02, "Raghav" <raghavas...@gmail.com> wrote:
>>
>> If it helps, this is how I generated the keystore for my client
>>
>> $ keytool -alias kafka-dev2 -validity 365 -keystore kafka-dev2.keystore.jks -dname "CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US" -genkey -ext SAN=DNS:kafka-dev2.example.com -storepass 123456
>>
>> Anything wrong here?
>>
>> On Fri, May 19, 2017 at 10:32 AM, Raghav <raghavas...@gmail.com> wrote:
>>
>> > Hi
>> >
>> > I have an SSL setup with Kafka Broker, Producer and Consumer, and it works
>> > fine. I tried to set up ACLs as given on the website. When I start my
>> > producer, I am getting this error:
>> >
>> > [root@kafka-dev2 KAFKA]# bin/kafka-console-producer --broker-list kafka-dev1.example.com:9093 --topic test --producer.config ./etc/kafka/producer.properties
>> >
>> > HelloWorld
>> >
>> > [2017-05-19 10:24:42,437] WARN Error while fetching metadata with correlation id 1 : {test=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
>> > [root@kafka-dev2 KAFKA]#
>> >
>> > server config has the following entries
>> > ------------------------------------
>> > authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
>> > super.users=User:Bob
>> > ------------------------------------
>> >
>> > When the certificate was being generated for the Producer (Bob was used in the
>> > CNAME.)
>> >
>> > Am I missing something here? Please help
>> >
>> > Thanks.
>> >
>> > Raghav
>>
>> --
>> Raghav
>
> --
> Raghav

--
Raghav
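Added example, not part of the thread and not Kafka's own code: a small Python model of the decision rules a SimpleAclAuthorizer-style broker applies, replayed against the ACL list and one of the DEBUG lines quoted above. The model makes these assumptions, which should be checked against the broker version in use: principal, host and operation in an ACL are compared by exact string match (the only wildcards being User:*, "*" and All); the host string compared is the client address exactly as the authorizer logs it (here the IP 10.10.0.23, not a DNS name); a matching Deny beats any Allow; super.users bypass the check; and a Describe request is also satisfied by an Allow on Read, Write, Delete or Alter. The Acl class, authorize, replay, FIXED_ACLS and the transcribed THREAD_ACLS/THREAD_LOG_LINE are constructed for this example. Under those rules the host literal "bin" in the first ACL never matches any client address (an unquoted * on the command line is glob-expanded by the shell to file names, which is one way such a value gets stored), and the two ACLs for kafka2.example.com never match the address 10.10.0.23 that the log reports.

```python
import re
from dataclasses import dataclass

WILDCARD = "*"
# An Allow on any of these also satisfies a Describe check (assumed behaviour
# of SimpleAclAuthorizer in the 0.10.x line; verify against your broker version).
DESCRIBE_IMPLIED_BY = frozenset({"Describe", "Read", "Write", "Delete", "Alter"})

LOG_RE = re.compile(
    r"Principal = (?P<principal>\S+) is (?P<verdict>Allowed|Denied) "
    r"Operation = (?P<operation>\S+) from host = (?P<host>\S+) "
    r"on resource = (?P<resource>\S+)"
)


@dataclass(frozen=True)
class Acl:
    principal: str   # e.g. "User:CN=kafka2" or "User:*"
    host: str        # "*" or the client address string as the broker logs it
    operation: str   # "Read", "Write", "Describe", ..., or "All"
    permission: str  # "Allow" or "Deny"


def parse_log_line(line):
    """Extract the fields of a kafka.authorizer.logger DEBUG line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an authorizer log line: %r" % line)
    return m.groupdict()


def _acl_matches(acl, principal, host, operation):
    # Every comparison is an exact string match (assumption); the only
    # wildcards are principal "User:*", host "*" and operation "All".
    return ((acl.principal == principal or acl.principal == "User:*")
            and (acl.host == host or acl.host == WILDCARD)
            and (acl.operation == operation or acl.operation == "All"))


def authorize(acls, principal, host, operation,
              super_users=frozenset(), allow_everyone_if_no_acl=False):
    """Return True if the request is allowed under the modelled rules."""
    if principal in super_users:
        return True
    if not acls:
        return allow_everyone_if_no_acl
    # A matching Deny wins over any Allow.
    if any(_acl_matches(a, principal, host, operation)
           for a in acls if a.permission == "Deny"):
        return False
    wanted = DESCRIBE_IMPLIED_BY if operation == "Describe" else {operation}
    return any(_acl_matches(a, principal, host, op)
               for op in wanted for a in acls if a.permission == "Allow")


def replay(acls, line, **kwargs):
    """Parse one log line and return (logged_verdict, modelled_verdict)."""
    f = parse_log_line(line)
    decided = authorize(acls, f["principal"], f["host"], f["operation"], **kwargs)
    return f["verdict"], "Allowed" if decided else "Denied"


# ACLs transcribed from the thread's kafka-acls.sh --list output for
# Topic:kafka-testtopic (constructed data, not fetched from a broker).
THREAD_ACLS = [
    Acl("User:*", "bin", "Read", "Allow"),
    Acl("User:CN=kafka2", "kafka2.example.com", "Write", "Allow"),
    Acl("User:CN=kafka2", "kafka2.example.com", "Read", "Allow"),
]

# One of the DEBUG lines from the thread.
THREAD_LOG_LINE = ("[2017-05-22 06:10:16,635] DEBUG Principal = User:CN=kafka2 is "
                   "Denied Operation = Describe from host = 10.10.0.23 on "
                   "resource = Topic:kafka-testtopic (kafka.authorizer.logger)")

# Hypothetical corrected ACLs: the host written the way the broker logs it
# ("*" would also work, and is what a quoted --allow-host "*" stores).
FIXED_ACLS = [
    Acl("User:CN=kafka2", "10.10.0.23", "Write", "Allow"),
    Acl("User:CN=kafka2", "10.10.0.23", "Read", "Allow"),
]


if __name__ == "__main__":
    print("thread ACLs:", replay(THREAD_ACLS, THREAD_LOG_LINE))  # ('Denied', 'Denied')
    print("fixed ACLs :", replay(FIXED_ACLS, THREAD_LOG_LINE))   # ('Denied', 'Allowed')
```

Running the script replays the logged denial under the thread's ACLs and shows the same request allowed once the ACL host matches the address the broker logs; the Describe request is satisfied by the Write/Read Allows without any explicit Describe ACL. The same replay function can be pointed at a whole authorizer DEBUG log to find every denial whose modelled verdict disagrees with the logged one, which is where the model's assumptions, or the broker's configuration, need a closer look.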