Hi,

Kafka default authorizer is used with secure authenticated channels
(SSL,SASL,SCRAM).
For plain text (non-secure) channels, the principal will always be
ANONYMOUS. Here you can authorize by ip-address.

It's advised to run on secure channels. You can try SASL/PLAIN or SCRAM
mechanisms with/without SSL.
Please check the Kafka docs for security considerations.

>> I was testing if a non-admin principal (OS user) can modify (add/remove)
>> ACLs and it seems like it's possible.
How are you trying? Can you give more details about your setup? What
authentication mechanism, etc.?


Thanks,


On Thu, Aug 31, 2017 at 2:49 AM, Manoj Murumkar <manoj.murum...@gmail.com>
wrote:

> Hi,
>
> We are evaluating how to put authorization in place for Kafka (around
> topics, mostly). Is it a good idea to do this without Kerberos? I was
> testing if a non-admin principal (OS user) can modify (add/remove) ACLs and
> it seems like it's possible. If this is right behavior, it's insecure and
> unusable. What do you guys think?
>
> Thanks,
>
> Manoj
>
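The contrast the reply draws (plaintext listener with an ANONYMOUS principal versus an authenticated SASL/SCRAM listener), as an added broker configuration example that is not part of this thread. Host names, paths, passwords and user names are placeholders I chose; the SimpleAclAuthorizer is the default authorizer of the Kafka generation discussed here.

```properties
# --- Weak: plain text listener. Every client is User:ANONYMOUS, so the only
# distinction an ACL can make is by client host (IP address).
listeners=PLAINTEXT://0.0.0.0:9092
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
# Keep this false; true makes every resource without an ACL open to everyone.
allow.everyone.if.no.acl.found=false
# The best an ACL can do on this listener is pin the anonymous principal to a
# host (placeholder ZooKeeper address, topic and group):
#   kafka-acls.sh --authorizer-properties zookeeper.connect=zk1:2181 --add \
#     --allow-principal User:ANONYMOUS --allow-host 10.0.0.5 \
#     --operation Read --topic orders --group order-readers

# --- Hardened: SASL over TLS with SCRAM, so the principal is the authenticated
# user and ACLs are written per user instead of per host.
listeners=SASL_SSL://0.0.0.0:9093
security.inter.broker.protocol=SASL_SSL
sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
# Placeholder keystore/truststore paths and passwords.
ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
ssl.keystore.password=CHANGE_ME
ssl.key.password=CHANGE_ME
ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
ssl.truststore.password=CHANGE_ME
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
allow.everyone.if.no.acl.found=false
# Only these principals bypass ACL checks; keep the list to the admin identity.
super.users=User:kafka-admin
# SCRAM credentials live in ZooKeeper and are created with kafka-configs.sh:
#   kafka-configs.sh --zookeeper zk1:2181 --alter --entity-type users \
#     --entity-name alice --add-config 'SCRAM-SHA-512=[password=CHANGE_ME]'
# A per-user ACL on this listener then reads:
#   kafka-acls.sh --authorizer-properties zookeeper.connect=zk1:2181 --add \
#     --allow-principal User:alice --operation Read --topic orders \
#     --group order-readers
# Caveat for the question in this thread: in this Kafka generation
# kafka-acls.sh writes ACLs straight into ZooKeeper, so whether a non-admin
# OS user can add or remove them is decided by ZooKeeper's own access control
# (zookeeper.set.acl=true with an authenticated ZooKeeper session), not by the
# broker's authorizer or the listener security above.
```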
