Rajini

I will try and report to you shortly. Many thanks.

Raghav

On Wed, May 24, 2017 at 7:04 AM, Rajini Sivaram <rajinisiva...@gmail.com>
wrote:

> Raghav/Darshan,
>
> Can you try these steps on a clean installation of Kafka? It works for me,
> so hopefully it will work for you. And then you can adapt to your scenario.
>
> *Create keystores and truststores:*
>
> keytool -genkey -alias kafka -keystore server.keystore.jks -dname
> "CN=KafkaBroker,O=Pivotal,C=UK" -storepass server-keystore-password
> -keypass server-key-password
>
> keytool -exportcert -file server-cert-file -keystore server.keystore.jks
> -alias kafka -storepass server-keystore-password
>
> keytool -importcert -file server-cert-file -keystore server.truststore.jks
> -alias kafka -storepass server-truststore-password -noprompt
>
> keytool -importcert -file server-cert-file -keystore client.truststore.jks
> -alias kafkaclient -storepass client-truststore-password -noprompt
>
>
> keytool -genkey -alias kafkaclient -keystore client.keystore.jks -dname
> "CN=KafkaClient,O=Pivotal,C=UK" -storepass client-keystore-password
> -keypass client-key-password
>
> keytool -exportcert -file client-cert-file -keystore client.keystore.jks
> -alias kafkaclient -storepass client-keystore-password
>
> keytool -importcert -file client-cert-file -keystore server.truststore.jks
> -alias kafkaclient -storepass server-truststore-password -noprompt
>
> *Configure broker: Add these lines at the end of your server.properties*
>
> listeners=SSL://:9093
>
> advertised.listeners=SSL://127.0.0.1:9093
>
> ssl.keystore.location=/tmp/acl/server.keystore.jks
>
> ssl.keystore.password=server-keystore-password
>
> ssl.key.password=server-key-password
>
> ssl.truststore.location=/tmp/acl/server.truststore.jks
>
> ssl.truststore.password=server-truststore-password
>
> security.inter.broker.protocol=SSL
>
> security.protocol=SSL
>
> ssl.client.auth=required
>
> allow.everyone.if.no.acl.found=false
>
> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
>
> super.users=User:CN=KafkaBroker,O=Pivotal,C=UK
>
> *Configure producer: producer.properties*
>
> security.protocol=SSL
>
> ssl.truststore.location=/tmp/acl/client.truststore.jks
>
> ssl.truststore.password=client-truststore-password
>
> ssl.keystore.location=/tmp/acl/client.keystore.jks
>
> ssl.keystore.password=client-keystore-password
>
> ssl.key.password=client-key-password
>
>
> *Configure consumer: consumer.properties*
>
> security.protocol=SSL
>
> ssl.truststore.location=/tmp/acl/client.truststore.jks
>
> ssl.truststore.password=client-truststore-password
>
> ssl.keystore.location=/tmp/acl/client.keystore.jks
>
> ssl.keystore.password=client-keystore-password
>
> ssl.key.password=client-key-password
>
> group.id=testgroup
>
> *Create topic:*
>
> bin/kafka-topics.sh  --zookeeper localhost --create --topic testtopic
> --replication-factor 1 --partitions 1
>
>
> *Configure ACLs:*
>
> bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181
> --add --allow-principal "User:CN=KafkaClient,O=Pivotal,C=UK" --producer
> --topic testtopic
>
> bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181
> --add --allow-principal "User:CN=KafkaClient,O=Pivotal,C=UK" --consumer
> --topic testtopic --group testgroup
>
>
> *Run console producer and type in some messages:*
>
> bin/kafka-console-producer.sh  --producer.config
> /tmp/acl/producer.properties --topic testtopic --broker-list
> 127.0.0.1:9093
>
>
> *Run console consumer, you should see messages from above:*
>
> bin/kafka-console-consumer.sh  --consumer.config
> /tmp/acl/consumer.properties --topic testtopic --bootstrap-server
> 127.0.0.1:9093 --from-beginning
>
>
>
> On Tue, May 23, 2017 at 12:57 PM, Raghav <raghavas...@gmail.com> wrote:
>
>> Darshan,
>>
>> I have not yet successfully gotten the ACLs to work in Kafka. I am still
>> looking for help. I will update this email thread if I do find. In case
>> you get it working, please let me know.
>>
>> Thanks.
>>
>> R
>>
>> On Tue, May 23, 2017 at 8:49 AM, Darshan Purandare <
>> purandare.dars...@gmail.com> wrote:
>>
>> > Raghav
>> >
>> > I saw a few posts of yours around Kafka ACLs and the problems. I have seen
>> > similar issues where Writer has not been able to write to any topic. I
>> > have seen "leader not available" and sometimes "unknown topic or
>> > partition", and "topic_authorization_failed" error.
>> >
>> > Let me know if you find a valid config that works.
>> >
>> > Thanks.
>> >
>> >
>> >
>> > On Tue, May 23, 2017 at 8:44 AM, Raghav <raghavas...@gmail.com> wrote:
>> >
>> >> Hello Kafka Users
>> >>
>> >> I am a new Kafka user and trying to make Kafka SSL work with
>> >> Authorization and ACLs. I followed posts from Kafka and Confluent docs
>> >> exactly to the point but my producer cannot write to kafka broker. I get
>> >> "LEADER_NOT_FOUND" errors. And even Consumer throws the same errors.
>> >>
>> >> Can someone please share their config which worked with ACLs.
>> >>
>> >> Here is my config. Please help.
>> >>
>> >> server.properties config
>> >> ------------------------------------------------------------
>> >> ------------------------------------------------
>> >> broker.id=0
>> >> auto.create.topics.enable=true
>> >> delete.topic.enable=true
>> >>
>> >> listeners=PLAINTEXT://kafka1.example.com:9092,SSL://kafka1.example.com:9093
>> >> host.name=kafka1.example.com
>> >>
>> >>
>> >>
>> >> ssl.keystore.location=/var/private/kafka1.keystore.jks
>> >> ssl.keystore.password=12345678
>> >> ssl.key.password=12345678
>> >>
>> >> ssl.truststore.location=/var/private/kafka1.truststore.jks
>> >> ssl.truststore.password=12345678
>> >>
>> >> ssl.client.auth=required
>> >> ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
>> >> ssl.keystore.type=JKS
>> >> ssl.truststore.type=JKS
>> >>
>> >> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
>> >> ------------------------------------------------------------
>> >> ------------------------------------------------
>> >>
>> >>
>> >>
>> >> Here is producer Config(producer.properties)
>> >> ------------------------------------------------------------
>> >> ------------------------------------------------
>> >> security.protocol=SSL
>> >> ssl.truststore.location=/var/private/kafka2.truststore.jks
>> >> ssl.truststore.password=12345678
>> >>
>> >> ssl.keystore.location=/var/private/kafka2.keystore.jks
>> >> ssl.keystore.password=12345678
>> >> ssl.key.password=12345678
>> >>
>> >> ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
>> >> ssl.truststore.type=JKS
>> >> ssl.keystore.type=JKS
>> >>
>> >> ------------------------------------------------------------
>> >> ------------------------------------------------
>> >>
>> >>
>> >> Raghav
>> >>
>> >
>> >
>>
>>
>> --
>> Raghav
>>
>
>


-- 
Raghav
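
The two server.properties listings in this thread differ in super.users, security.inter.broker.protocol and the PLAINTEXT listener. The check below is an added example (not from the thread or the Kafka project) that flags those settings; the function names and the reduced sample configs are constructed for illustration, and unset keys are assumed to take Kafka's broker defaults.

```python
# Added example: lint a broker config meant to enforce ACLs (unset keys = assumed Kafka defaults).
def parse_properties(text):
    """Parse Java-style key=value lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def lint_broker(props):
    """Return findings for a broker that is meant to enforce ACLs."""
    if not props.get("authorizer.class.name"):
        return ["no authorizer configured: ACLs are not enforced"]
    findings = []
    # super.users is ';'-separated because X.500 names contain commas.
    supers = {u.strip() for u in props.get("super.users", "").split(";") if u.strip()}
    inter = props.get("security.inter.broker.protocol", "PLAINTEXT")
    protocols = {l.split("://")[0].strip().upper()
                 for l in props.get("listeners", "").split(",") if l.strip()}
    if not supers:
        findings.append("super.users unset: broker principal has no implicit rights")
    if inter == "PLAINTEXT" and "User:ANONYMOUS" not in supers:
        findings.append("inter-broker protocol PLAINTEXT: brokers act as unauthorized User:ANONYMOUS")
    if "PLAINTEXT" in protocols:
        findings.append("PLAINTEXT listener enabled: clients on it are User:ANONYMOUS")
    if "SSL" in protocols and props.get("ssl.client.auth", "none") != "required":
        findings.append("ssl.client.auth is not 'required' on an SSL listener")
    if props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append("allow.everyone.if.no.acl.found=true: un-ACLed resources are open")
    return findings

# Constructed samples, reduced from the two server.properties listings in this thread.
ORIGINAL = """
listeners=PLAINTEXT://kafka1.example.com:9092,SSL://kafka1.example.com:9093
ssl.client.auth=required
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
"""
WORKING = """
listeners=SSL://:9093
security.inter.broker.protocol=SSL
ssl.client.auth=required
allow.everyone.if.no.acl.found=false
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:CN=KafkaBroker,O=Pivotal,C=UK
"""
if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("working", WORKING)):
        print(name, lint_broker(parse_properties(text)))
```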
