Raghav,

I don't believe we do reverse DNS lookup for matching ACL hosts. Have you
tried defining ACLs with host IP address?

On Mon, May 22, 2017 at 9:19 AM, Raghav <raghavas...@gmail.com> wrote:

> Hi
>
> I enabled the DEBUG logs on Kafka authorizer, and I see the following logs
> for the given ACLs. Am I missing something in my config here? Any help is
> greatly appreciated. Thanks.
>
>
> *List of ACL*
>
> [root@kafka1 KAFKA]# bin/kafka-acls.sh --authorizer-properties
> zookeeper.connect=localhost:2181 --list --topic kafka-testtopic
> Current ACLs for resource `Topic:kafka-testtopic`:
>         User:* has Allow permission for operations: Read from hosts: bin
>         User:CN=kafka2 has Allow permission for operations: Write from
> hosts: kafka2.example.com
>         User:CN=kafka2 has Allow permission for operations: Read from
> hosts: kafka2.example.com
> [root@kafka1 KAFKA]#
>
>
> *Authorizer LOGS*
>
> [2017-05-22 06:10:16,635] DEBUG Principal = User:CN=kafka2 is Denied
> Operation = Describe from host = 10.10.0.23 on resource =
> Topic:kafka-testtopic (kafka.authorizer.logger)
> [2017-05-22 06:10:16,736] DEBUG Principal = User:CN=kafka2 is Denied
> Operation = Describe from host = 10.10.0.23 on resource =
> Topic:kafka-testtopic (kafka.authorizer.logger)
> [2017-05-22 06:10:16,839] DEBUG Principal = User:CN=kafka2 is Denied
> Operation = Describe from host = 10.10.0.23 on resource =
> Topic:kafka-testtopic (kafka.authorizer.logger)
> [2017-05-22 06:10:16,942] DEBUG Principal = User:CN=kafka2 is Denied
> Operation = Describe from host = 10.10.0.23 on resource =
> Topic:kafka-testtopic (kafka.authorizer.logger)
>
>
> Thanks.
>
>
> On Sun, May 21, 2017 at 10:52 PM, Raghav <raghavas...@gmail.com> wrote:
>
> > I tried all possible ways (including the way you suggested Michael), but
> I
> > still get the same error.
> >
> > Is there a step by step guide to get ACLs working in Kafka with SSL?
> >
> > Thanks.
> >
> > On Fri, May 19, 2017 at 11:40 AM, Michael Rauter <mrau...@anexia-it.com>
> > wrote:
> >
> >> Hi,
> >>
> >> with SSL client authentication the user identifier is the dname of the
> >> certificate
> >>
> >> in your case “CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US”
> >>
> >> for example when you want to set an ACL rule (read and write for topic
> >> TOPICNAME from every host):
> >>
> >> $ kafka-acls --authorizer-properties zookeeper.connect=zookeeper:2181
> >> --add --allow-principal User:CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US
> >> --allow-host "*" --operation Read --operation Write --topic TOPICNAME
> >>
> >>
> >> Am 19.05.17, 20:02 schrieb "Raghav" <raghavas...@gmail.com>:
> >>
> >>     If it helps, this is how I generated the keystore for my client
> >>
> >>     $ keytool -alias kafka-dev2 -validity 365 -keystore
> >> kafka-dev2.keystore.jks
> >>     -dname "CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US" -genkey -ext SAN=DNS:
> >>     kafka-dev2.example.com -storepass 123456
> >>
> >>     Anything wrong here?
> >>
> >>     On Fri, May 19, 2017 at 10:32 AM, Raghav <raghavas...@gmail.com>
> >> wrote:
> >>
> >>     > Hi
> >>     >
> >>     > I have a SSL setup with Kafka Broker, Producer and Consumer, and
> it
> >> works
> >>     > fine. I tried to setup ACLs as given on the website. When I start
> my
> >>     > producer, I am getting this error:
> >>     >
> >>     >
> >>     > [root@kafka-dev2 KAFKA]# bin/kafka-console-producer --broker-list
> >>     > kafka-dev1.example.com:9093 --topic test --producer.config
> >>     > ./etc/kafka/producer.properties
> >>     >
> >>     > HelloWorld
> >>     >
> >>     > [2017-05-19 10:24:42,437] WARN Error while fetching metadata with
> >>     > correlation id 1 : {test=UNKNOWN_TOPIC_OR_PARTITION}
> >>     > (org.apache.kafka.clients.NetworkClient)
> >>     > [root@kafka-dev2 KAFKA]#
> >>     >
> >>     >
> >>     > server config has the following entries
> >>     > ------------------------------------
> >>     > authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
> >>     > super.users=User:Bob
> >>     > ------------------------------------
> >>     >
> >>     > When certificate was being generated for Producer (Bob was used in
> >> the
> >>     > CNAME.)
> >>     >
> >>     >
> >>     > Am I missing something here? Please help
> >>     >
> >>     > Thanks.
> >>     >
> >>     > Raghav
> >>     >
> >>
> >>
> >>
> >>     --
> >>     Raghav
> >>
> >>
> >>
> >
> >
> > --
> > Raghav
> >
>
>
>
> --
> Raghav
>
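
Added example, not code from this thread or from Kafka itself: a small Python model of the decision SimpleAclAuthorizer makes on each authorize() call, run over the ACL list and the DEBUG log entry Raghav posted. It assumes the matching rules the reply above relies on and that the authorizer log shows: the principal is compared as an exact string against User:<certificate DN> (or User:*), the host is compared as an exact string against the client's IP address (or "*") with no reverse DNS, a Deny match wins over any Allow, and an Allow for Read/Write/Delete/Alter also satisfies Describe (the implied-Describe rule is Kafka behaviour I am relying on from its documentation, not something shown in the thread). FIXED_ACLS, acls_command() and the hypothetical second client IP 10.10.0.24 are constructed for the illustration.

```python
"""Model of SimpleAclAuthorizer's authorize() decision (added example, not Kafka code).

Assumed rules (see lead-in): exact principal string match, exact client-IP
string match for host, Deny before Allow, Describe implied by
Read/Write/Delete/Alter.
"""
from dataclasses import dataclass

WILDCARD = "*"
IMPLIES_DESCRIBE = {"Read", "Write", "Delete", "Alter"}


@dataclass(frozen=True)
class Acl:
    principal: str   # "User:<name>"; under SSL <name> is the full certificate DN
    permission: str  # "Allow" or "Deny"
    operation: str   # "Read", "Write", "Describe", "All", ...
    host: str        # client IP address as a string, or "*"
    resource: str    # "Topic:<name>"


def _acl_match(acls, principal, operation, host, permission, resource):
    """Exact-match semantics: no CIDR ranges, no hostnames, no reverse lookups."""
    for acl in acls:
        if acl.resource != resource or acl.permission != permission:
            continue
        if acl.principal not in (principal, f"User:{WILDCARD}"):
            continue
        if acl.operation not in (operation, "All"):
            continue
        if acl.host not in (host, WILDCARD):
            continue
        return acl
    return None


def authorize(acls, principal, operation, client_ip, resource, super_users=()):
    """Return (allowed, reason) for one request; the reason mirrors the DEBUG log."""
    if principal in super_users:
        return True, "super user"
    deny = _acl_match(acls, principal, operation, client_ip, "Deny", resource)
    if deny:
        return False, f"deny acl matched: {deny}"
    # Describe is granted if any of the implying operations is allowed.
    ops = {operation} | (IMPLIES_DESCRIBE if operation == "Describe" else set())
    for op in sorted(ops):
        allow = _acl_match(acls, principal, op, client_ip, "Allow", resource)
        if allow:
            return True, f"allow acl matched: {allow}"
    return False, "no Allow ACL matched principal + operation + host"


def acls_command(acl, zk="localhost:2181"):
    """Render the kafka-acls.sh --add line for one Allow entry (constructed helper)."""
    topic = acl.resource.split(":", 1)[1]
    return (f"bin/kafka-acls.sh --authorizer-properties zookeeper.connect={zk} "
            f"--add --allow-principal '{acl.principal}' --allow-host {acl.host} "
            f"--operation {acl.operation} --topic {topic}")


TOPIC = "Topic:kafka-testtopic"
# The three entries exactly as the posted --list output shows them.
POSTED_ACLS = [
    Acl("User:*", "Allow", "Read", "bin", TOPIC),  # "bin" is not an IP: never matches
    Acl("User:CN=kafka2", "Allow", "Write", "kafka2.example.com", TOPIC),
    Acl("User:CN=kafka2", "Allow", "Read", "kafka2.example.com", TOPIC),
]
# Constructed fix: same principal and operations, host set to the IP the log reported.
FIXED_ACLS = [Acl(a.principal, a.permission, a.operation, "10.10.0.23", a.resource)
              for a in POSTED_ACLS[1:]]


if __name__ == "__main__":
    # The exact request from the DEBUG log: Describe from 10.10.0.23.
    for label, acls in (("posted", POSTED_ACLS), ("fixed", FIXED_ACLS)):
        ok, why = authorize(acls, "User:CN=kafka2", "Describe", "10.10.0.23", TOPIC)
        print(f"{label:6} -> {'Allowed' if ok else 'Denied'}: {why}")
    # super.users must carry the full DN, not just the CN (the first post's mistake).
    full_dn = "User:CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US"
    print("super.users=User:Bob matches?", full_dn in {"User:Bob"})
    for acl in FIXED_ACLS:
        print(acls_command(acl))
```

Run as-is it prints Denied for the posted ACLs and Allowed for the IP-based ones, then the two kafka-acls.sh lines that would create the fixed entries. Note that the host field is a plain string, so a hostname or a CIDR range in --allow-host silently never matches; use the literal client IP or "*".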
