Thanks Manikumar. I am testing the setup documented here: https://developer.ibm.com/opentech/2017/05/31/kafka-acls-in-practice/ (SASL_PLAINTEXT).
I haven't set up any authentication for the tests. Thinking about it, authentication is a must-have for authorization (so Kafka knows who's making the resource request), right?

On Wed, Aug 30, 2017 at 11:39 PM, Manikumar <manikumar.re...@gmail.com> wrote:

> Hi,
>
> Kafka default authorizer is used with secure authenticated channels
> (SSL, SASL, SCRAM).
> For plain text (non-secure) channels, the principal will always be
> ANONYMOUS. Here you can authorize by ip-address.
>
> It's advised to run on secure channels. You can try SASL/PLAIN or SCRAM
> mechanisms with/without SSL.
> Please check Kafka docs for security considerations.
>
>
>> I was testing if a non-admin principal (OS user) can modify (add/remove)
>> ACLs and it seems like it's possible.
>
> How are you trying? Can you give more details about your setup? What
> authentication mechanism, etc.?
>
>
> Thanks,
>
>
> On Thu, Aug 31, 2017 at 2:49 AM, Manoj Murumkar <manoj.murum...@gmail.com>
> wrote:
>
> > Hi,
> >
> > We are evaluating how to put authorization in place for Kafka (around
> > topics, mostly). Is it a good idea to do this without Kerberos? I was
> > testing if a non-admin principal (OS user) can modify (add/remove) ACLs
> > and it seems like it's possible. If this is the right behavior, it's
> > insecure and unusable. What do you guys think?
> >
> > Thanks,
> >
> > Manoj
> >
>
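To make Manikumar's point concrete (on a PLAINTEXT listener every client is User:ANONYMOUS whatever OS user it runs as, so ACLs can only distinguish hosts, while adding or removing ACLs through the broker requires Alter on the cluster resource), here is an added Python model of the authorizer's decision. It is not Kafka's code and not part of the thread: `principal_for`, `authorize`, `may_change_acls`, the users, hosts and the ACL set are constructed for illustration; the deny-overrides-allow evaluation and the `allow.everyone.if.no.acl.found` fallback follow the behaviour of Kafka's SimpleAclAuthorizer.

```python
# Added example (not Kafka's code): a small model of how Kafka's ACL authorizer
# resolves a client principal and evaluates ACLs, to show why authentication is a
# prerequisite for per-user authorization. Names and sample data are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple

ANONYMOUS = "User:ANONYMOUS"
WILDCARD = "*"
# Resource that ACL changes made through the broker are checked against (Alter).
CLUSTER = ("Cluster", "kafka-cluster")


def principal_for(listener_protocol: str, authenticated_user: Optional[str]) -> str:
    """Return the principal Kafka attaches to a client session.

    Only SASL listeners authenticate the client in this toy model (an SSL listener
    with client certificates would also yield a real principal; left out here).
    A PLAINTEXT listener does no authentication at all, so every client, whatever
    OS user it runs as, becomes User:ANONYMOUS.
    """
    if listener_protocol in ("SASL_PLAINTEXT", "SASL_SSL") and authenticated_user:
        return f"User:{authenticated_user}"
    return ANONYMOUS


@dataclass(frozen=True)
class Acl:
    principal: str             # "User:alice" or "User:*"
    host: str                  # client IP or "*"
    operation: str             # "Read", "Write", "Alter", ... or "All"
    permission: str            # "Allow" or "Deny"
    resource: Tuple[str, str]  # (type, name), e.g. ("Topic", "orders")

    def matches(self, principal: str, host: str, operation: str, resource) -> bool:
        return (self.resource == resource
                and self.principal in (principal, "User:*")
                and self.host in (host, WILDCARD)
                and self.operation in (operation, "All"))


def authorize(acls, principal, host, operation, resource,
              super_users=(), allow_everyone_if_no_acl=False):
    """Deny-overrides-allow evaluation, modelled on SimpleAclAuthorizer.

    Kafka additionally treats Describe as implied by Read/Write/Delete/Alter;
    that shortcut is omitted here.
    """
    if principal in super_users:          # super.users bypass every ACL
        return True
    on_resource = [a for a in acls if a.resource == resource]
    if not on_resource:                   # no ACL at all on this resource
        return allow_everyone_if_no_acl   # allow.everyone.if.no.acl.found
    if any(a.permission == "Deny" and a.matches(principal, host, operation, resource)
           for a in on_resource):
        return False
    return any(a.permission == "Allow" and a.matches(principal, host, operation, resource)
               for a in on_resource)


def may_change_acls(acls, listener_protocol, user, host,
                    super_users=(), allow_everyone_if_no_acl=False):
    """Adding/removing ACLs through the broker needs Alter on the Cluster resource."""
    principal = principal_for(listener_protocol, user)
    return authorize(acls, principal, host, "Alter", CLUSTER,
                     super_users, allow_everyone_if_no_acl)


# Constructed sample ACL set: admin may manage ACLs, alice may write to "orders",
# and anonymous clients from one specific host may also write to "orders".
SAMPLE_ACLS = [
    Acl("User:admin", "*", "Alter", "Allow", CLUSTER),
    Acl("User:alice", "*", "Write", "Allow", ("Topic", "orders")),
    Acl(ANONYMOUS, "10.0.0.5", "Write", "Allow", ("Topic", "orders")),
]
ORDERS = ("Topic", "orders")


def demo():
    """Evaluate the same requests over an authenticated and an unauthenticated listener."""
    return {
        # SASL listener: identities are real, so per-user ACLs do their job.
        "sasl_alice_alter": may_change_acls(SAMPLE_ACLS, "SASL_PLAINTEXT", "alice", "10.0.0.7"),
        "sasl_admin_alter": may_change_acls(SAMPLE_ACLS, "SASL_PLAINTEXT", "admin", "10.0.0.7"),
        "sasl_alice_write": authorize(SAMPLE_ACLS, principal_for("SASL_PLAINTEXT", "alice"),
                                      "10.0.0.7", "Write", ORDERS),
        # PLAINTEXT listener: the OS user is irrelevant, everyone is ANONYMOUS, so
        # alice's ACL never matches; only the host-based rule can grant anything.
        "plain_alice_write": authorize(SAMPLE_ACLS, principal_for("PLAINTEXT", "alice"),
                                       "10.0.0.7", "Write", ORDERS),
        "plain_host_write": authorize(SAMPLE_ACLS, principal_for("PLAINTEXT", "alice"),
                                      "10.0.0.5", "Write", ORDERS),
        # With no ACL on the cluster resource, the permissive fallback would let an
        # unauthenticated client change ACLs; the default (false) denies it.
        "plain_alter_permissive": may_change_acls([], "PLAINTEXT", "anybody", "10.0.0.9",
                                                  allow_everyone_if_no_acl=True),
        "plain_alter_default": may_change_acls([], "PLAINTEXT", "anybody", "10.0.0.9"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

Running it shows the split the thread is about: over SASL, alice can write but not alter ACLs and admin can alter them; over PLAINTEXT the same alice request is denied because she is ANONYMOUS, and only the host-scoped rule grants anything. One caveat outside this model, from the tooling of that era: `kafka-acls.sh` invoked with `--authorizer-properties zookeeper.connect=...` writes ACLs straight into ZooKeeper rather than through the broker, so broker-side ACLs do not govern it at all; protecting ZooKeeper itself (`zookeeper.set.acl=true` with SASL between brokers and ZooKeeper) or, on newer releases, administering ACLs via `--bootstrap-server` so the broker enforces Alter on Cluster, is what closes that path.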