Looks like you are already using the SASL/PLAIN mechanism. Kafka supports the SASL authentication framework. Kafka SASL supports the GSSAPI (Kerberos), PLAIN or SCRAM mechanisms. You can enable SSL encryption also.
http://kafka.apache.org/documentation.html#security

On Thu, Aug 31, 2017 at 7:28 PM, Manoj Murumkar <manoj.murum...@gmail.com> wrote:

> Thanks Manikumar. I am testing the setup documented here:
> https://developer.ibm.com/opentech/2017/05/31/kafka-acls-in-practice/
> (SASL_PLAINTEXT).
>
> I haven't set up any authentication for the tests. Thinking about it,
> authentication is a must-have for authorization (so Kafka knows who's
> making the resource request), right?
>
> On Wed, Aug 30, 2017 at 11:39 PM, Manikumar <manikumar.re...@gmail.com> wrote:
>
> > Hi,
> >
> > Kafka's default authorizer is used with secure authenticated channels
> > (SSL, SASL, SCRAM).
> > For plain text (non-secure) channels, the principal will always be
> > ANONYMOUS. Here you can authorize by IP address.
> >
> > It's advised to run on secure channels. You can try SASL/PLAIN or SCRAM
> > mechanisms with/without SSL.
> > Please check the Kafka docs for security considerations.
> >
> > > > I was testing if a non-admin principal (OS user) can modify (add/remove) ACLs and
> > > > it seems like it's possible.
> > How are you trying? Can you give more details about your setup? What
> > authentication mechanism, etc.?
> >
> > Thanks,
> >
> > On Thu, Aug 31, 2017 at 2:49 AM, Manoj Murumkar <manoj.murum...@gmail.com> wrote:
> >
> > > Hi,
> > >
> > > We are evaluating how to put authorization in place for Kafka (around
> > > topics, mostly). Is it a good idea to do this without Kerberos? I was
> > > testing if a non-admin principal (OS user) can modify (add/remove) ACLs
> > > and it seems like it's possible. If this is the right behavior, it's
> > > insecure and unusable. What do you guys think?
> > >
> > > Thanks,
> > >
> > > Manoj
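The point made in the thread (an unauthenticated listener gives every client the ANONYMOUS principal, so ACLs cannot be tied to a user, and SASL/PLAIN or SCRAM works without Kerberos) can be shown as a broker `server.properties` contrast. This is an added example, not configuration from the thread, from the IBM article or from the Kafka documentation; the hostnames, file paths, user names `admin`/`alice` and every `<placeholder>` value are assumptions to be replaced for a real deployment. The property names themselves are the standard Kafka broker settings of the 0.10.2/0.11 era that the thread dates from (the authorizer class was later renamed, see the note below).

```properties
# server.properties (added example; hosts, paths, user names and passwords are placeholders)

# --- Weak setting: an unauthenticated listener. Every client that connects here is
# --- the principal User:ANONYMOUS, so per-user ACLs cannot tell clients apart at all;
# --- the only thing left to authorize on is the source IP address.
# listeners=PLAINTEXT://:9092

# --- Corrected: expose only an authenticated and encrypted listener (SASL over TLS),
# --- and use it for broker-to-broker traffic as well.
listeners=SASL_SSL://:9093
advertised.listeners=SASL_SSL://broker1.example.internal:9093
security.inter.broker.protocol=SASL_SSL

# SCRAM needs no Kerberos KDC: credentials are stored salted and hashed in ZooKeeper
# and created with kafka-configs.sh before clients can log in.
sasl.enabled.mechanisms=SCRAM-SHA-256
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256
# Per-listener JAAS configuration (Kafka 0.10.2+). The username/password here are the
# broker's own client credentials for inter-broker connections (assumed user "admin").
listener.name.sasl_ssl.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="<placeholder>";

# TLS material for the listener (placeholder paths and passwords).
ssl.keystore.location=/etc/kafka/ssl/broker1.keystore.jks
ssl.keystore.password=<placeholder>
ssl.key.password=<placeholder>
ssl.truststore.location=/etc/kafka/ssl/truststore.jks
ssl.truststore.password=<placeholder>

# --- Authorization only means something once the principal is a real, authenticated user.
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
# Deny by default: a resource with no ACL entry is reachable only by super users.
allow.everyone.if.no.acl.found=false
super.users=User:admin

# SimpleAclAuthorizer stores its ACLs in ZooKeeper, and kafka-acls.sh writes there
# directly. Without ZooKeeper-side ACLs, anyone with network access to ZooKeeper can
# change Kafka ACLs whatever their Kafka principal is. This flag makes the broker create
# its znodes with ACLs bound to its own ZooKeeper SASL identity (the broker then also
# needs a ZooKeeper client JAAS section and a SASL-enabled ZooKeeper ensemble).
zookeeper.set.acl=true
```

With this in place, a user is created with `bin/kafka-configs.sh --zookeeper zk1.example.internal:2181 --alter --add-config 'SCRAM-SHA-256=[password=<placeholder>]' --entity-type users --entity-name alice`, and a read grant is added with `bin/kafka-acls.sh --authorizer-properties zookeeper.connect=zk1.example.internal:2181 --add --allow-principal User:alice --operation Read --topic orders`; the principal in that ACL is the SCRAM username, not an OS user. On Kafka 2.4 and later the class name to use is `kafka.security.authorizer.AclAuthorizer`, with the same semantics for `allow.everyone.if.no.acl.found` and `super.users`.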