Hi Rajini
I tried again with IP addresses this time, and I get the following error
log for the given ACLS. Is there something wrong in the way I am giving
user name ?
*List of ACL*
[root@kafka-dev1 KAFKA]# bin/kafka-acls --authorizer-properties
zookeeper.connect=localhost:2181 --add --allow-principal User:CN=kafka2
--allow-host 10.10.0.23 --operation Read --operation Write --topic
kafka-testtopic
Adding ACLs for resource `Topic:kafka-testtopic`:
User:CN=kafka2 has Allow permission for operations: Read from
hosts: 10.10.0.23
User:CN=kafka2 has Allow permission for operations: Write from
hosts: 10.10.0.23
[root@kafka-dev1 KAFKA]#
*Authorizer LOGS*
[2017-05-22 06:45:44,520] DEBUG No acl found for resource
Cluster:kafka-cluster, authorized = false (kafka.authorizer.logger)
[2017-05-22 06:45:44,520] DEBUG Principal = User:CN=kafka2 is Denied
Operation = Create from host = 10.10.0.23 on resource =
Cluster:kafka-cluster (kafka.authorizer.logger)
On Mon, May 22, 2017 at 6:34 AM, Rajini Sivaram <rajinisiva...@gmail.com>
wrote:
> Raghav,
>
> I don't believe we do reverse DNS lookup for matching ACL hosts. Have you
> tried defining ACLs with host IP address?
>
> On Mon, May 22, 2017 at 9:19 AM, Raghav <raghavas...@gmail.com> wrote:
>
> > Hi
> >
> > I enabled the DEBUG logs on Kafka authorizer, and I see the following
> logs
> > for the given ACLs. Am I missing something in my config here ? Any help
> is
> > greatly appreciated. Thanks.
> >
> >
> > *List of ACL*
> >
> > [root@kafka1 KAFKA]# bin/kafka-acls.sh --authorizer-properties
> > zookeeper.connect=localhost:2181 --list --topic kafka-testtopic
> > Current ACLs for resource `Topic:kafka-testtopic`:
> > User:* has Allow permission for operations: Read from hosts: bin
> > User:CN=kafka2 has Allow permission for operations: Write from
> > hosts: kafka2.example.com
> > User:CN=kafka2 has Allow permission for operations: Read from
> > hosts: kafka2.example.com
> > [root@kafka1 KAFKA]#
> >
> >
> > *Authorizer LOGS*
> >
> > [2017-05-22 06:10:16,635] DEBUG Principal = User:CN=kafka2 is Denied
> > Operation = Describe from host = 10.10.0.23 on resource =
> > Topic:kafka-testtopic (kafka.authorizer.logger)
> > [2017-05-22 06:10:16,736] DEBUG Principal = User:CN=kafka2 is Denied
> > Operation = Describe from host = 10.10.0.23 on resource =
> > Topic:kafka-testtopic (kafka.authorizer.logger)
> > [2017-05-22 06:10:16,839] DEBUG Principal = User:CN=kafka2 is Denied
> > Operation = Describe from host = 10.10.0.23 on resource =
> > Topic:kafka-testtopic (kafka.authorizer.logger)
> > [2017-05-22 06:10:16,942] DEBUG Principal = User:CN=kafka2 is Denied
> > Operation = Describe from host = 10.10.0.23 on resource =
> > Topic:kafka-testtopic (kafka.authorizer.logger)
> >
> >
> > Thanks.
> >
> >
> > On Sun, May 21, 2017 at 10:52 PM, Raghav <raghavas...@gmail.com> wrote:
> >
> > > I tried all possible ways (including the way you suggested Michael),
> but
> > I
> > > still get the same error.
> > >
> > > Is there a step by step guide to get ACLs working in Kafka with SSL ?
> > >
> > > Thanks.
> > >
> > > On Fri, May 19, 2017 at 11:40 AM, Michael Rauter <
> mrau...@anexia-it.com>
> > > wrote:
> > >
> > >> Hi,
> > >>
> > >> with SSL client authentication the user identifier is the dname of the
> > >> certificate
> > >>
> > >> in your case “CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US”
> > >>
> > >> for example when you want to set an ACL rule (read and write for topic
> > >> TOPICNAME from every host):
> > >>
> > >> $ kafka-acls --authorizer-properties zookeeper.connect=zookeeper:2181
> > >> --add --allow-principal User:CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US
> > >> --allow-host "*" --operation Read --operation Write --topic TOPICNAME
> > >>
> > >>
> > >> Am 19.05.17, 20:02 schrieb "Raghav" <raghavas...@gmail.com>:
> > >>
> > >> If it helps, this is how I generated the keystone for my client
> > >>
> > >> $ keytool -alias kafka-dev2 -validity 365 -keystore
> > >> kafka-dev2.keystore.jks
> > >> -dname "CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US" -genkey -ext SAN=DNS:
> > >> kafka-dev2.example.com -storepass 123456
> > >>
> > >> Anything wrong here ?
> > >>
> > >> On Fri, May 19, 2017 at 10:32 AM, Raghav <raghavas...@gmail.com>
> > >> wrote:
> > >>
> > >> > Hi
> > >> >
> > >> > I have a SSL setup with Kafka Broker, Producer and Consumer, and
> > it
> > >> works
> > >> > fine. I tried to setup ACLs as given on the website. When I
> start
> > my
> > >> > producer, I am getting this error:
> > >> >
> > >> >
> > >> > [root@kafka-dev2 KAFKA]# bin/kafka-console-producer
> --broker-list
> > >> > kafka-dev1.example.com:9093 --topic test --producer.config
> > >> > ./etc/kafka/producer.properties
> > >> >
> > >> > HelloWorld
> > >> >
> > >> > [2017-05-19 10:24:42,437] WARN Error while fetching metadata
> with
> > >> > correlation id 1 : {test=UNKNOWN_TOPIC_OR_PARTITION}
> > >> > (org.apache.kafka.clients.NetworkClient)
> > >> > [root@kafka-dev2 KAFKA]#
> > >> >
> > >> >
> > >> > server config has the following entries
> > >> > ------------------------------------
> > >> > authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
> > >> > super.users=User:Bob
> > >> > ------------------------------------
> > >> >
> > >> > When certificate was being generated for Producer (Bob was used
> in
> > >> the
> > >> > CNAME.)
> > >> >
> > >> >
> > >> > Am I missing something here ? Please help
> > >> >
> > >> > Thanks.
> > >> >
> > >> > Raghav
> > >> >
> > >>
> > >>
> > >>
> > >> --
> > >> Raghav
> > >>
> > >>
> > >>
> > >
> > >
> > > --
> > > Raghav
> > >
> >
> >
> >
> > --
> > Raghav
> >
>
--
Raghav
