Right, I am. Just to be clear, I am using kafka-acl script to define/remove ACLs as a non-super user and it just works fine. I had expected it to work only for super users and not for regular users ('nex37045' is a normal user).
[nex37045@or1010051029033 ~]$ kafka-acls --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-properties zookeeper.connect=localhost:2181 --list
Current ACLs for resource `Topic:test`:
  User:nex37045 has Deny permission for operations: Write from hosts: *
  User:skumarmu has Allow permission for operations: Write from hosts: *

[nex37045@or1010051029033 ~]$ kafka-acls --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-properties zookeeper.connect=localhost:2181 --remove --allow-principal User:skumarmu --operation Write --topic test
Are you sure you want to remove ACLs:
  User:skumarmu has Allow permission for operations: Write from hosts: *
from resource `Topic:test`? (y/n)
y
Current ACLs for resource `Topic:test`:
  User:nex37045 has Deny permission for operations: Write from hosts: *

[nex37045@or1010051029033 ~]$ kafka-acls --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-properties zookeeper.connect=localhost:2181 --list
Current ACLs for resource `Topic:test`:
  User:nex37045 has Deny permission for operations: Write from hosts: *

On Thu, Aug 31, 2017 at 7:16 AM, Manikumar <manikumar.re...@gmail.com> wrote:
> Looks like you are already using the SASL/PLAIN mechanism. Kafka supports the SASL
> authentication framework.
> Kafka SASL supports GSSAPI (Kerberos), PLAIN or SCRAM mechanisms. You can
> enable SSL encryption also.
>
> http://kafka.apache.org/documentation.html#security
>
>
> On Thu, Aug 31, 2017 at 7:28 PM, Manoj Murumkar <manoj.murum...@gmail.com> wrote:
>
> > Thanks Manikumar. I am testing the setup documented here:
> > https://developer.ibm.com/opentech/2017/05/31/kafka-acls-in-practice/
> > (SASL_PLAINTEXT).
> >
> > I haven't set up any authentication for the tests. Thinking about it,
> > authentication is a must-have for authorization (so Kafka knows who's
> > making the resource request), right?
> >
> > On Wed, Aug 30, 2017 at 11:39 PM, Manikumar <manikumar.re...@gmail.com> wrote:
> >
> > > Hi,
> > >
> > > Kafka's default authorizer is used with secure authenticated channels
> > > (SSL, SASL, SCRAM).
> > > For plain text (non-secure) channels, the principal will always be
> > > ANONYMOUS. Here you can authorize by IP address.
> > >
> > > It's advised to run on secure channels. You can try SASL/PLAIN or SCRAM
> > > mechanisms with/without SSL.
> > > Please check the Kafka docs for security considerations.
> > >
> > > >> I was testing if a non-admin principal (OS user) can modify (add/remove) ACLs and
> > > >> it seems like it's possible.
> > > How are you trying? Can you give more details about your setup? What
> > > authentication mechanism, etc.?
> > >
> > >
> > > Thanks,
> > >
> > >
> > > On Thu, Aug 31, 2017 at 2:49 AM, Manoj Murumkar <manoj.murum...@gmail.com> wrote:
> > >
> > > > Hi,
> > > >
> > > > We are evaluating how to put authorization in place for Kafka (around
> > > > topics, mostly). Is it a good idea to do this without Kerberos? I was
> > > > testing if a non-admin principal (OS user) can modify (add/remove) ACLs and
> > > > it seems like it's possible. If this is the right behavior, it's insecure and
> > > > unusable. What do you guys think?
> > > >
> > > > Thanks,
> > > >
> > > > Manoj
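The following Python is an added example, not code from the thread or from the Kafka project. It parses the `kafka-acls --list` output shown above into ACL records and then applies the evaluation order that Kafka's SimpleAclAuthorizer documents for a request: super users pass, a matching Deny wins over any Allow, and a resource with no ACLs at all is denied unless `allow.everyone.if.no.acl.found=true`. Running it against the listing before and after the `--remove` shows why `User:skumarmu` loses Write on `Topic:test` once the Allow rule is gone. It also makes the thread's underlying point concrete: the command above talks to ZooKeeper directly (`zookeeper.connect=localhost:2181`), so who may edit the ACL store is decided by ZooKeeper's own access control, not by the broker's authentication. The line format, the constructed client host and the omission of Kafka's implied operations (such as Read implying Describe) are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed sample: the `kafka-acls --list` output from the thread, before the
# Allow rule for User:skumarmu was removed.
ACL_LISTING_BEFORE = """\
Current ACLs for resource `Topic:test`:
  User:nex37045 has Deny permission for operations: Write from hosts: *
  User:skumarmu has Allow permission for operations: Write from hosts: *
"""

# Constructed sample: the same listing after `--remove --allow-principal User:skumarmu`.
ACL_LISTING_AFTER = """\
Current ACLs for resource `Topic:test`:
  User:nex37045 has Deny permission for operations: Write from hosts: *
"""

# Line formats as printed by kafka-acls in the thread (assumed stable for this example).
RESOURCE_RE = re.compile(r"Current ACLs for resource `(?P<resource>[^`]+)`:")
ACL_RE = re.compile(
    r"(?P<principal>\S+) has (?P<permission>Allow|Deny) permission for operations: "
    r"(?P<operation>\S+) from hosts: (?P<host>\S+)"
)


@dataclass(frozen=True)
class Acl:
    resource: str     # e.g. "Topic:test"
    principal: str    # e.g. "User:skumarmu"
    permission: str   # "Allow" or "Deny"
    operation: str    # e.g. "Write" or "All"
    host: str         # client address or "*"


def parse_acl_listing(text: str) -> List[Acl]:
    """Turn kafka-acls --list output into Acl records, tracking the current resource."""
    acls: List[Acl] = []
    resource: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = RESOURCE_RE.match(line)
        if m:
            resource = m["resource"]
            continue
        m = ACL_RE.match(line)
        if m and resource is not None:
            acls.append(Acl(resource, m["principal"], m["permission"], m["operation"], m["host"]))
    return acls


def _matches(acl: Acl, resource: str, principal: str, operation: str, host: str) -> bool:
    # "All" covers every operation and "*" covers every host; implied operations are not modelled.
    return (acl.resource == resource
            and acl.principal == principal
            and acl.operation in (operation, "All")
            and acl.host in (host, "*"))


def is_authorized(acls: List[Acl], resource: str, principal: str, operation: str, host: str,
                  super_users: FrozenSet[str] = frozenset(),
                  allow_everyone_if_no_acl: bool = False) -> bool:
    """Model of SimpleAclAuthorizer's documented decision order."""
    if principal in super_users:                       # super users bypass ACLs entirely
        return True
    if not any(a.resource == resource for a in acls):  # no ACLs on the resource at all
        return allow_everyone_if_no_acl                # -> broker config decides
    relevant = [a for a in acls if _matches(a, resource, principal, operation, host)]
    if any(a.permission == "Deny" for a in relevant):  # Deny takes precedence over Allow
        return False
    return any(a.permission == "Allow" for a in relevant)


if __name__ == "__main__":
    host = "10.0.0.1"  # constructed client address
    for label, listing in (("before", ACL_LISTING_BEFORE), ("after", ACL_LISTING_AFTER)):
        acls = parse_acl_listing(listing)
        for who in ("User:skumarmu", "User:nex37045"):
            print(label, who, "Write Topic:test ->",
                  is_authorized(acls, "Topic:test", who, "Write", host))
```

The check a practitioner would add alongside this is operational rather than code: if the ACL store can be rewritten by any OS account that can open port 2181, the Allow/Deny evaluation above is only as strong as ZooKeeper's access control on the `/kafka-acl` path, so the broker's `zookeeper.set.acl` setting and ZooKeeper's own authentication belong in the same review as the topic ACLs.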