Hi,

Kafka's default authorizer is used with secure authenticated channels (SSL, SASL, SCRAM). For plain-text (non-secure) channels, the principal will always be ANONYMOUS. Here you can authorize by IP address.

It's advised to run on secure channels. You can try SASL/PLAIN or SCRAM mechanisms with/without SSL. Please check the Kafka docs for security considerations.

> I was testing if a non-admin principal (OS user) can modify (add/remove) ACLs and it seems like it's possible.

How are you trying? Can you give more details about your setup? What authentication mechanism, etc.?

Thanks,

On Thu, Aug 31, 2017 at 2:49 AM, Manoj Murumkar <manoj.murum...@gmail.com> wrote:
> Hi,
>
> We are evaluating how to put authorization in place for Kafka (around
> topics, mostly). Is it a good idea to do this without Kerberos? I was
> testing if a non-admin principal (OS user) can modify (add/remove) ACLs and
> it seems like it's possible. If this is right behavior, it's insecure and
> unusable. What do you guys think?
>
> Thanks,
>
> Manoj
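The reply above makes the point in words only: on a PLAINTEXT listener every caller is User:ANONYMOUS, so the authorizer cannot tell an OS user apart from anyone else, and whether ANONYMOUS may change ACLs depends entirely on the broker's default-permission settings. The following is an added example, not from this thread and not a file from the Kafka project, showing the broker-side settings in a `server.properties` that decide this. It contains two alternative fragments in one block (the weak configuration the question describes, then a hardened one); they are not meant to be used together. Hostnames, ports, keystore paths, passwords and the `kafka-admin` principal are placeholders. The authorizer class name is the ZooKeeper-backed `SimpleAclAuthorizer` that shipped with Kafka at the time of the thread (2017); later releases renamed it to `kafka.security.authorizer.AclAuthorizer`.

```properties
# Added example (not from the thread): broker settings that decide who can
# add or remove ACLs. Hostnames, ports, paths, passwords and the admin
# principal are placeholders.

# --- Weak: the situation described in the question -----------------------------
# A PLAINTEXT listener performs no authentication, so every client, including
# any OS user on any host that can reach the port, is mapped to User:ANONYMOUS.
listeners=PLAINTEXT://broker.example.internal:9092
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
# With this set to true, any resource that has no ACL (the Cluster resource
# included) is open to everyone, so ANONYMOUS may add and remove ACLs.
allow.everyone.if.no.acl.found=true

# --- Hardened: authenticate first, then authorize ------------------------------
# Clients must present SCRAM credentials over TLS; the authorizer now sees the
# authenticated user (for example User:alice) instead of ANONYMOUS.
listeners=SASL_SSL://broker.example.internal:9093
security.inter.broker.protocol=SASL_SSL
sasl.enabled.mechanisms=SCRAM-SHA-256
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256
ssl.keystore.location=/etc/kafka/ssl/broker.keystore.jks
ssl.keystore.password=CHANGE_ME_KEYSTORE_PASSWORD
ssl.truststore.location=/etc/kafka/ssl/broker.truststore.jks
ssl.truststore.password=CHANGE_ME_TRUSTSTORE_PASSWORD
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
# Deny by default: a resource with no ACL is closed, not open.
allow.everyone.if.no.acl.found=false
# Only this principal bypasses ACL checks. Every other principal needs an
# explicit Alter ACL on the Cluster resource before it can manage ACLs.
super.users=User:kafka-admin
# This authorizer stores its ACLs in ZooKeeper, so the znodes must be
# protected as well (requires an authenticated ZooKeeper connection).
zookeeper.set.acl=true
```

After switching to the hardened fragment, a quick check is to connect with a client that has no SASL credentials and confirm that ACL changes are rejected, then repeat as `kafka-admin` and confirm they succeed; the difference between the two outcomes is exactly the authentication step the reply recommends.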