Thanks Manikumar. I am testing the setup documented here:
https://developer.ibm.com/opentech/2017/05/31/kafka-acls-in-practice/
(SASL_PLAINTEXT).

I haven't set up any authentication for the tests. Thinking about it,
authentication is a must-have for authorization (so Kafka knows who's
making the resource request), right?

On Wed, Aug 30, 2017 at 11:39 PM, Manikumar <manikumar.re...@gmail.com>
wrote:

> Hi,
>
> Kafka's default authorizer is used with secure authenticated channels
> (SSL, SASL, SCRAM).
> For plain-text (non-secure) channels, the principal will always be
> ANONYMOUS. Here you can authorize by IP address.
>
> It's advised to run on secure channels. You can try SASL/PLAIN or SCRAM
> mechanisms with/without SSL.
> Please check the Kafka docs for security considerations.
>
> >> I was testing if a non-admin principal (OS user) can modify (add/remove)
> >> ACLs and it seems like it's possible.
> How are you trying? Can you give more details about your setup? What
> authentication mechanism, etc.?
>
>
> Thanks,
>
>
> On Thu, Aug 31, 2017 at 2:49 AM, Manoj Murumkar <manoj.murum...@gmail.com>
> wrote:
>
> > Hi,
> >
> > We are evaluating how to put authorization in place for Kafka (around
> > topics, mostly). Is it a good idea to do this without Kerberos? I was
> > testing if a non-admin principal (OS user) can modify (add/remove) ACLs
> > and it seems like it's possible. If this is the right behavior, it's
> > insecure and unusable. What do you guys think?
> >
> > Thanks,
> >
> > Manoj
> >
>
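
The point Manikumar makes about plain-text listeners is easiest to see by running the authorizer's decision rules on a few sessions. The block below is an added example written for this thread, not code from Kafka or from either poster. It models the rules documented for Kafka's default authorizer (super users, a matching Deny beating any Allow, the `User:*` and `*` wildcards, Read/Write/Delete/Alter implying Describe, and the `User:ANONYMOUS` principal on an unauthenticated listener); the topic name, hosts, user names and ACLs are constructed for illustration.

```python
"""Toy model of the decision rules of Kafka's default ACL authorizer.

Added example, not code from Kafka or from this thread.  Rules modelled:
super users, deny-before-allow, wildcard principal/host, Read/Write/Delete/
Alter implying Describe, and User:ANONYMOUS on a PLAINTEXT listener.
All hosts, names and ACLs below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable

ANONYMOUS = "User:ANONYMOUS"   # principal Kafka assigns on a PLAINTEXT listener
WILDCARD_PRINCIPAL = "User:*"
WILDCARD_HOST = "*"

# An Allow on any of these operations also satisfies a Describe check.
IMPLIES_DESCRIBE = {"Read", "Write", "Delete", "Alter"}


@dataclass(frozen=True)
class Acl:
    principal: str   # "User:alice", "User:ANONYMOUS" or "User:*"
    host: str        # client IP as a string, or "*"
    operation: str   # "Read", "Write", "Describe", ..., or "All"
    permission: str  # "Allow" or "Deny"

    def matches(self, principal: str, host: str, operation: str) -> bool:
        return (self.principal in (principal, WILDCARD_PRINCIPAL)
                and self.host in (host, WILDCARD_HOST)
                and self.operation in (operation, "All"))


@dataclass(frozen=True)
class Session:
    """What the broker knows about a connected client: principal and source host."""
    principal: str
    host: str

    @staticmethod
    def connect(listener: str, authenticated_as: str, host: str) -> "Session":
        # Only an authenticated listener (SASL_*, SSL with client auth) carries a
        # real principal.  PLAINTEXT clients are all User:ANONYMOUS, whatever OS
        # user they run as, so the OS user of the caller never reaches the broker.
        if listener == "PLAINTEXT":
            return Session(ANONYMOUS, host)
        return Session(authenticated_as, host)


class Authorizer:
    def __init__(self, acls: Dict[str, Iterable[Acl]], super_users: Iterable[str] = (),
                 allow_everyone_if_no_acl_found: bool = False) -> None:
        self.acls = {res: list(entries) for res, entries in acls.items()}
        self.super_users = set(super_users)
        self.allow_everyone_if_no_acl_found = allow_everyone_if_no_acl_found

    def authorize(self, session: Session, operation: str, resource: str) -> bool:
        if session.principal in self.super_users:
            return True
        acls = self.acls.get(resource, [])
        if not acls:   # no ACL at all for the resource: governed by the broker flag
            return self.allow_everyone_if_no_acl_found
        p, h = session.principal, session.host
        # A matching Deny wins over any Allow.
        if any(a.permission == "Deny" and a.matches(p, h, operation) for a in acls):
            return False
        wanted = {operation} | (IMPLIES_DESCRIBE if operation == "Describe" else set())
        return any(a.permission == "Allow" and a.matches(p, h, op)
                   for a in acls for op in wanted)


def demo() -> Dict[str, bool]:
    """Constructed scenario: one topic with a user ACL, a host-only ACL and a deny."""
    topic = "Topic:test"
    authz = Authorizer(
        acls={topic: [
            Acl("User:alice", WILDCARD_HOST, "Read", "Allow"),   # user-based: needs authentication
            Acl(ANONYMOUS, "10.0.0.5", "Read", "Allow"),         # host-based: all a PLAINTEXT listener can do
            Acl(WILDCARD_PRINCIPAL, "10.0.0.9", "All", "Deny"),  # blanket deny for one host
        ]},
        super_users=["User:admin"],
    )

    def check(listener: str, user: str, host: str, op: str, res: str = topic) -> bool:
        return authz.authorize(Session.connect(listener, user, host), op, res)

    return {
        "alice_sasl_read": check("SASL_PLAINTEXT", "User:alice", "10.0.0.7", "Read"),
        "alice_plaintext_read": check("PLAINTEXT", "User:alice", "10.0.0.7", "Read"),
        "anyone_plaintext_from_allowed_host": check("PLAINTEXT", "User:bob", "10.0.0.5", "Read"),
        "alice_sasl_from_denied_host": check("SASL_PLAINTEXT", "User:alice", "10.0.0.9", "Read"),
        "alice_sasl_describe_via_read": check("SASL_PLAINTEXT", "User:alice", "10.0.0.7", "Describe"),
        "alice_sasl_write": check("SASL_PLAINTEXT", "User:alice", "10.0.0.7", "Write"),
        "admin_sasl_write": check("SASL_PLAINTEXT", "User:admin", "10.0.0.7", "Write"),
        "admin_plaintext_write": check("PLAINTEXT", "User:admin", "10.0.0.7", "Write"),
        "unlisted_topic": check("SASL_PLAINTEXT", "User:alice", "10.0.0.7", "Read", "Topic:other"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:38s} {'ALLOW' if allowed else 'DENY'}")
```

Run it and the two "alice" Read checks differ only in the listener: over SASL_PLAINTEXT she is `User:alice` and her ACL applies; over PLAINTEXT she is `User:ANONYMOUS` and is denied unless she happens to come from the host-listed 10.0.0.5, from which any client at all is allowed. Even the super user loses its privileges on the PLAINTEXT listener for the same reason. The two constructed ACLs correspond to what `kafka-acls.sh --add --allow-principal User:ANONYMOUS --allow-host 10.0.0.5 --operation Read --topic test` and `--deny-principal User:* --deny-host 10.0.0.9 --operation All --topic test` would create, which is the host-based authorization mentioned above.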
