Hi Rajini I tried again with IP addresses this time, and I get the following error log for the given ACLS. Is there something wrong in the way I am giving user name ?
*List of ACL* [root@kafka-dev1 KAFKA]# bin/kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:CN=kafka2 --allow-host 10.10.0.23 --operation Read --operation Write --topic kafka-testtopic Adding ACLs for resource `Topic:kafka-testtopic`: User:CN=kafka2 has Allow permission for operations: Read from hosts: 10.10.0.23 User:CN=kafka2 has Allow permission for operations: Write from hosts: 10.10.0.23 [root@kafka-dev1 KAFKA]# *Authorizer LOGS* [2017-05-22 06:45:44,520] DEBUG No acl found for resource Cluster:kafka-cluster, authorized = false (kafka.authorizer.logger) [2017-05-22 06:45:44,520] DEBUG Principal = User:CN=kafka2 is Denied Operation = Create from host = 10.10.0.23 on resource = Cluster:kafka-cluster (kafka.authorizer.logger) On Mon, May 22, 2017 at 6:34 AM, Rajini Sivaram <rajinisiva...@gmail.com> wrote: > Raghav, > > I don't believe we do reverse DNS lookup for matching ACL hosts. Have you > tried defining ACLs with host IP address? > > On Mon, May 22, 2017 at 9:19 AM, Raghav <raghavas...@gmail.com> wrote: > > > Hi > > > > I enabled the DEBUG logs on Kafka authorizer, and I see the following > logs > > for the given ACLs. Am I missing something in my config here ? Any help > is > > greatly appreciated. Thanks. > > > > > > *List of ACL* > > > > [root@kafka1 KAFKA]# bin/kafka-acls.sh --authorizer-properties > > zookeeper.connect=localhost:2181 --list --topic kafka-testtopic > > Current ACLs for resource `Topic:kafka-testtopic`: > > User:* has Allow permission for operations: Read from hosts: bin > > User:CN=kafka2 has Allow permission for operations: Write from > > hosts: kafka2.example.com > > User:CN=kafka2 has Allow permission for operations: Read from > > hosts: kafka2.example.com > > [root@kafka1 KAFKA]# > > > > > > *Authorizer LOGS* > > > > [2017-05-22 06:10:16,635] DEBUG Principal = User:CN=kafka2 is Denied > > Operation = Describe from host = 10.10.0.23 on resource = > > Topic:kafka-testtopic (kafka.authorizer.logger) > > [2017-05-22 06:10:16,736] DEBUG Principal = User:CN=kafka2 is Denied > > Operation = Describe from host = 10.10.0.23 on resource = > > Topic:kafka-testtopic (kafka.authorizer.logger) > > [2017-05-22 06:10:16,839] DEBUG Principal = User:CN=kafka2 is Denied > > Operation = Describe from host = 10.10.0.23 on resource = > > Topic:kafka-testtopic (kafka.authorizer.logger) > > [2017-05-22 06:10:16,942] DEBUG Principal = User:CN=kafka2 is Denied > > Operation = Describe from host = 10.10.0.23 on resource = > > Topic:kafka-testtopic (kafka.authorizer.logger) > > > > > > Thanks. > > > > > > On Sun, May 21, 2017 at 10:52 PM, Raghav <raghavas...@gmail.com> wrote: > > > > > I tried all possible ways (including the way you suggested Michael), > but > > I > > > still get the same error. > > > > > > Is there a step by step guide to get ACLs working in Kafka with SSL ? > > > > > > Thanks. > > > > > > On Fri, May 19, 2017 at 11:40 AM, Michael Rauter < > mrau...@anexia-it.com> > > > wrote: > > > > > >> Hi, > > >> > > >> with SSL client authentication the user identifier is the dname of the > > >> certificate > > >> > > >> in your case “CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US” > > >> > > >> for example when you want to set an ACL rule (read and write for topic > > >> TOPICNAME from every host): > > >> > > >> $ kafka-acls --authorizer-properties zookeeper.connect=zookeeper:2181 > > >> --add --allow-principal User:CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US > > >> --allow-host "*" --operation Read --operation Write --topic TOPICNAME > > >> > > >> > > >> Am 19.05.17, 20:02 schrieb "Raghav" <raghavas...@gmail.com>: > > >> > > >> If it helps, this is how I generated the keystone for my client > > >> > > >> $ keytool -alias kafka-dev2 -validity 365 -keystore > > >> kafka-dev2.keystore.jks > > >> -dname "CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US" -genkey -ext SAN=DNS: > > >> kafka-dev2.example.com -storepass 123456 > > >> > > >> Anything wrong here ? > > >> > > >> On Fri, May 19, 2017 at 10:32 AM, Raghav <raghavas...@gmail.com> > > >> wrote: > > >> > > >> > Hi > > >> > > > >> > I have a SSL setup with Kafka Broker, Producer and Consumer, and > > it > > >> works > > >> > fine. I tried to setup ACLs as given on the website. When I > start > > my > > >> > producer, I am getting this error: > > >> > > > >> > > > >> > [root@kafka-dev2 KAFKA]# bin/kafka-console-producer > --broker-list > > >> > kafka-dev1.example.com:9093 --topic test --producer.config > > >> > ./etc/kafka/producer.properties > > >> > > > >> > HelloWorld > > >> > > > >> > [2017-05-19 10:24:42,437] WARN Error while fetching metadata > with > > >> > correlation id 1 : {test=UNKNOWN_TOPIC_OR_PARTITION} > > >> > (org.apache.kafka.clients.NetworkClient) > > >> > [root@kafka-dev2 KAFKA]# > > >> > > > >> > > > >> > server config has the following entries > > >> > ------------------------------------ > > >> > authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer > > >> > super.users=User:Bob > > >> > ------------------------------------ > > >> > > > >> > When certificate was being generated for Producer (Bob was used > in > > >> the > > >> > CNAME.) > > >> > > > >> > > > >> > Am I missing something here ? Please help > > >> > > > >> > Thanks. > > >> > > > >> > Raghav > > >> > > > >> > > >> > > >> > > >> -- > > >> Raghav > > >> > > >> > > >> > > > > > > > > > -- > > > Raghav > > > > > > > > > > > -- > > Raghav > > > -- Raghav