ACL for hosts

Bastien Durel Tue, 26 Sep 2017 07:31:20 -0700

Hello,

I want to allow any user to consume messages from any host, but
restrict publishing from only one host (and one user), so I think I
need ACLs


I use the default authorizer : 
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer

I added the following ACLs to allow anyone to read from anywhere :
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 
--add --consumer --topic test --allow-principal 'User:*' --group '*'

And I've verified I can consume messages from any host (using a small
python client)

I then added ACL to permit alice to publish from 127.0.0.1 :
User:alice has Allow permission for operations: All from hosts: 127.0.0.1

And messages posted from localhost (with another python script) flows
to any consumer

But if I add a remote machine ACL :
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 
--add --topic test --allow-principal User:alice --allow-host 10.42.42.3
Adding ACLs for resource `Topic:test`: 
        User:alice has Allow permission for operations: All from hosts: 
10.42.42.3 

Current ACLs for resource `Topic:test`: 
        User:* has Allow permission for operations: Describe from hosts: *
        User:* has Allow permission for operations: Read from hosts: *
        User:alice has Allow permission for operations: All from hosts: 
10.42.42.3
        User:alice has Allow permission for operations: All from hosts: 
127.0.0.1 

All looks correct but messages sent from this host doesn't flow to
consumer(s).
I can see them leave on the wire, but I get an response wireshark
doesn't know how to decode, but consumers doesn't get anything.

Removing the 127.0.0.1 ACL leads to the same result (messages sent to
(local) wire but not delivered to consumers), but adding it back leads
to the intended behaviour (messages delivered)

I tried with IP, FQDN, hostname ; I cannot get my messages from
10.42.42.3 to get delivered
Except if I add an ACL with --allow-host \* ; in this case messages
from 10.42.42.3 gets delivered.

I use kafka 0.10.2.0

Do you have any clue ? How to debug this issue ?

Thanks,

-- 
Bastien Durel
DATA
Intégration des données de l'entreprise,
Systèmes d'information décisionnels.

bastien.du...@data.fr
tel : +33 (0) 1 57 19 59 28
fax : +33 (0) 1 57 19 59 73
12 avenue Raspail, 94250 GENTILLY France
www.data.fr

from kafka import KafkaConsumer
consumer = KafkaConsumer('test', bootstrap_servers='192.168.100.168:9092',
                         security_protocol="SASL_PLAINTEXT",
                         sasl_mechanism="PLAIN",
                         sasl_plain_username="alice",
                         sasl_plain_password="alice-secret")
for msg in consumer:
    print (msg)

from kafka import KafkaProducer
import socket
#producer = KafkaProducer(bootstrap_servers='192.168.100.168:9092')
producer = KafkaProducer(bootstrap_servers='192.168.100.168:9092',
                         security_protocol="SASL_PLAINTEXT",
                         sasl_mechanism="PLAIN",
                         sasl_plain_username="alice",
                         sasl_plain_password="alice-secret")
for _ in range(10):
    producer.send('test', b'some_message_bytes: ' +
                  (str(_) + ' on ' + socket.gethostname()).encode('UTF-8'))

kafka.pcap
Description: application/vnd.tcpdump.pcap

ACL for hosts

Reply via email to