Rajini, I tried to add permission for the Kafka broker to write. Now I get this error. Am I missing anything else?

[2017-05-22 11:11:15,065] WARN Error while fetching metadata with correlation id 1 : {kafka-testtopic=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
[2017-05-22 11:11:15,167] WARN Error while fetching metadata with correlation id 2 : {kafka-testtopic=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
[2017-05-22 11:11:15,271] WARN Error while fetching metadata with correlation id 3 : {kafka-testtopic=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)

On Mon, May 22, 2017 at 8:02 AM, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
> If you are using auto-create of topics, you also need to grant Create
> access to kafka-cluster.
>
> On Mon, May 22, 2017 at 9:51 AM, Raghav <raghavas...@gmail.com> wrote:
>
> > Hi Rajini
> >
> > I tried again with IP addresses this time, and I get the following error
> > log for the given ACLs. Is there something wrong in the way I am giving
> > the user name?
> >
> > *List of ACL*
> >
> > [root@kafka-dev1 KAFKA]# bin/kafka-acls --authorizer-properties
> > zookeeper.connect=localhost:2181 --add --allow-principal User:CN=kafka2
> > --allow-host 10.10.0.23 --operation Read --operation Write --topic
> > kafka-testtopic
> > Adding ACLs for resource `Topic:kafka-testtopic`:
> >         User:CN=kafka2 has Allow permission for operations: Read from
> > hosts: 10.10.0.23
> >         User:CN=kafka2 has Allow permission for operations: Write from
> > hosts: 10.10.0.23
> > [root@kafka-dev1 KAFKA]#
> >
> > *Authorizer LOGS*
> >
> > [2017-05-22 06:45:44,520] DEBUG No acl found for resource
> > Cluster:kafka-cluster, authorized = false (kafka.authorizer.logger)
> > [2017-05-22 06:45:44,520] DEBUG Principal = User:CN=kafka2 is Denied
> > Operation = Create from host = 10.10.0.23 on resource =
> > Cluster:kafka-cluster (kafka.authorizer.logger)
> >
> > On Mon, May 22, 2017 at 6:34 AM, Rajini Sivaram <rajinisiva...@gmail.com>
> > wrote:
> >
> > > Raghav,
> > >
> > > I don't believe we do reverse DNS lookup for matching ACL hosts. Have you
> > > tried defining ACLs with host IP address?
> > >
> > > On Mon, May 22, 2017 at 9:19 AM, Raghav <raghavas...@gmail.com> wrote:
> > >
> > > > Hi
> > > >
> > > > I enabled the DEBUG logs on the Kafka authorizer, and I see the following
> > > > logs for the given ACLs. Am I missing something in my config here? Any
> > > > help is greatly appreciated. Thanks.
> > > >
> > > > *List of ACL*
> > > >
> > > > [root@kafka1 KAFKA]# bin/kafka-acls.sh --authorizer-properties
> > > > zookeeper.connect=localhost:2181 --list --topic kafka-testtopic
> > > > Current ACLs for resource `Topic:kafka-testtopic`:
> > > >         User:* has Allow permission for operations: Read from hosts: bin
> > > >         User:CN=kafka2 has Allow permission for operations: Write from
> > > > hosts: kafka2.example.com
> > > >         User:CN=kafka2 has Allow permission for operations: Read from
> > > > hosts: kafka2.example.com
> > > > [root@kafka1 KAFKA]#
> > > >
> > > > *Authorizer LOGS*
> > > >
> > > > [2017-05-22 06:10:16,635] DEBUG Principal = User:CN=kafka2 is Denied
> > > > Operation = Describe from host = 10.10.0.23 on resource =
> > > > Topic:kafka-testtopic (kafka.authorizer.logger)
> > > > [2017-05-22 06:10:16,736] DEBUG Principal = User:CN=kafka2 is Denied
> > > > Operation = Describe from host = 10.10.0.23 on resource =
> > > > Topic:kafka-testtopic (kafka.authorizer.logger)
> > > > [2017-05-22 06:10:16,839] DEBUG Principal = User:CN=kafka2 is Denied
> > > > Operation = Describe from host = 10.10.0.23 on resource =
> > > > Topic:kafka-testtopic (kafka.authorizer.logger)
> > > > [2017-05-22 06:10:16,942] DEBUG Principal = User:CN=kafka2 is Denied
> > > > Operation = Describe from host = 10.10.0.23 on resource =
> > > > Topic:kafka-testtopic (kafka.authorizer.logger)
> > > >
> > > > Thanks.
> > > >
> > > > On Sun, May 21, 2017 at 10:52 PM, Raghav <raghavas...@gmail.com> wrote:
> > > >
> > > > > I tried all possible ways (including the way you suggested, Michael),
> > > > > but I still get the same error.
> > > > >
> > > > > Is there a step-by-step guide to get ACLs working in Kafka with SSL?
> > > > >
> > > > > Thanks.
> > > > >
> > > > > On Fri, May 19, 2017 at 11:40 AM, Michael Rauter <mrau...@anexia-it.com>
> > > > > wrote:
> > > > >
> > > > >> Hi,
> > > > >>
> > > > >> with SSL client authentication the user identifier is the dname of the
> > > > >> certificate
> > > > >>
> > > > >> in your case "CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US"
> > > > >>
> > > > >> for example when you want to set an ACL rule (read and write for topic
> > > > >> TOPICNAME from every host):
> > > > >>
> > > > >> $ kafka-acls --authorizer-properties zookeeper.connect=zookeeper:2181
> > > > >> --add --allow-principal User:CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US
> > > > >> --allow-host "*" --operation Read --operation Write --topic TOPICNAME
> > > > >>
> > > > >>
> > > > >> On 19.05.17, 20:02, "Raghav" <raghavas...@gmail.com> wrote:
> > > > >>
> > > > >>     If it helps, this is how I generated the keystore for my client
> > > > >>
> > > > >>     $ keytool -alias kafka-dev2 -validity 365 -keystore kafka-dev2.keystore.jks
> > > > >>     -dname "CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US" -genkey -ext SAN=DNS:kafka-dev2.example.com
> > > > >>     -storepass 123456
> > > > >>
> > > > >>     Anything wrong here?
> > > > >>
> > > > >>     On Fri, May 19, 2017 at 10:32 AM, Raghav <raghavas...@gmail.com> wrote:
> > > > >>
> > > > >>     > Hi
> > > > >>     >
> > > > >>     > I have an SSL setup with Kafka Broker, Producer and Consumer, and it
> > > > >>     > works fine. I tried to set up ACLs as given on the website. When I
> > > > >>     > start my producer, I am getting this error:
> > > > >>     >
> > > > >>     > [root@kafka-dev2 KAFKA]# bin/kafka-console-producer --broker-list
> > > > >>     > kafka-dev1.example.com:9093 --topic test --producer.config
> > > > >>     > ./etc/kafka/producer.properties
> > > > >>     >
> > > > >>     > HelloWorld
> > > > >>     >
> > > > >>     > [2017-05-19 10:24:42,437] WARN Error while fetching metadata with
> > > > >>     > correlation id 1 : {test=UNKNOWN_TOPIC_OR_PARTITION}
> > > > >>     > (org.apache.kafka.clients.NetworkClient)
> > > > >>     > [root@kafka-dev2 KAFKA]#
> > > > >>     >
> > > > >>     > server config has the following entries
> > > > >>     > ------------------------------------
> > > > >>     > authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
> > > > >>     > super.users=User:Bob
> > > > >>     > ------------------------------------
> > > > >>     >
> > > > >>     > When the certificate was being generated for the Producer (Bob was
> > > > >>     > used in the CNAME.)
> > > > >>     >
> > > > >>     > Am I missing something here? Please help
> > > > >>     >
> > > > >>     > Thanks.
> > > > >>     >
> > > > >>     > Raghav

--
Raghav
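As an added example (not code from the thread or from the Kafka project), the following Python helper parses `kafka.authorizer.logger` DEBUG lines in the format quoted above, keeps only the "is Denied" entries, and collapses them into the `kafka-acls --add` commands that would grant exactly the denied operations to the denied principal from the denied client IP. The log sample is constructed from the thread's format, and `zookeeper.connect=localhost:2181` is an assumed default; principals are matched as the full certificate DN, as Michael's reply describes.

```python
import re
from collections import OrderedDict

# Constructed sample of kafka.authorizer.logger DEBUG output, modelled on the
# lines quoted in the thread (not a capture from a real cluster).
SAMPLE_LOG = """\
[2017-05-22 06:10:16,635] DEBUG Principal = User:CN=kafka2 is Denied Operation = Describe from host = 10.10.0.23 on resource = Topic:kafka-testtopic (kafka.authorizer.logger)
[2017-05-22 06:10:16,736] DEBUG Principal = User:CN=kafka2 is Denied Operation = Describe from host = 10.10.0.23 on resource = Topic:kafka-testtopic (kafka.authorizer.logger)
[2017-05-22 06:45:44,520] DEBUG No acl found for resource Cluster:kafka-cluster, authorized = false (kafka.authorizer.logger)
[2017-05-22 06:45:44,520] DEBUG Principal = User:CN=kafka2 is Denied Operation = Create from host = 10.10.0.23 on resource = Cluster:kafka-cluster (kafka.authorizer.logger)
"""

# With SSL client auth the principal is "User:" + the full certificate DN
# (commas, no spaces), so match it lazily up to " is Denied".
DENY_RE = re.compile(
    r"Principal = (?P<principal>.+?) is Denied Operation = (?P<op>\w+) "
    r"from host = (?P<host>\S+) on resource = (?P<rtype>\w+):(?P<rname>\S+)"
)

# kafka-acls resource selectors; Cluster is a singleton and takes no name.
RESOURCE_FLAG = {"Topic": "--topic {name}", "Group": "--group {name}",
                 "Cluster": "--cluster"}

def parse_denials(log_text):
    """One dict (principal, op, host, rtype, rname) per 'is Denied' line;
    other DEBUG lines such as 'No acl found' are skipped."""
    return [m.groupdict() for m in map(DENY_RE.search, log_text.splitlines()) if m]

def suggest_acls(denials, zk="localhost:2181"):
    """Collapse repeated denials into one kafka-acls --add command per
    (principal, host, resource), listing each denied operation once. Grants
    only what was denied, from the denied IP (ACL hosts match by IP, not DNS)."""
    wanted = OrderedDict()
    for d in denials:
        ops = wanted.setdefault((d["principal"], d["host"], d["rtype"], d["rname"]), [])
        if d["op"] not in ops:
            ops.append(d["op"])
    cmds = []
    for (principal, host, rtype, rname), ops in wanted.items():
        cmds.append(
            f"kafka-acls --authorizer-properties zookeeper.connect={zk} --add "
            f"--allow-principal {principal} --allow-host {host} "
            + " ".join(f"--operation {op}" for op in ops) + " "
            + RESOURCE_FLAG[rtype].format(name=rname)
        )
    return cmds

if __name__ == "__main__":
    for cmd in suggest_acls(parse_denials(SAMPLE_LOG)):
        print(cmd)
```

Review each suggested command before running it; the point is to see which principal, host and resource the authorizer actually evaluated (here the Cluster Create denial that auto-create triggers) rather than to grant blindly.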