Hello, I want to allow any user to consume messages from any host, but restrict publishing from only one host (and one user), so I think I need ACLs
I use the default authorizer: authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer

I added the following ACLs to allow anyone to read from anywhere:

  bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --consumer --topic test --allow-principal 'User:*' --group '*'

And I've verified I can consume messages from any host (using a small python client).

I then added an ACL to permit alice to publish from 127.0.0.1:

  User:alice has Allow permission for operations: All from hosts: 127.0.0.1

And messages posted from localhost (with another python script) flow to any consumer.

But if I add a remote machine ACL:

  bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --topic test --allow-principal User:alice --allow-host 10.42.42.3
  Adding ACLs for resource `Topic:test`:
    User:alice has Allow permission for operations: All from hosts: 10.42.42.3

  Current ACLs for resource `Topic:test`:
    User:* has Allow permission for operations: Describe from hosts: *
    User:* has Allow permission for operations: Read from hosts: *
    User:alice has Allow permission for operations: All from hosts: 10.42.42.3
    User:alice has Allow permission for operations: All from hosts: 127.0.0.1

All looks correct, but messages sent from this host don't flow to the consumer(s). I can see them leave on the wire, but I get a response Wireshark doesn't know how to decode, and the consumers don't get anything.

Removing the 127.0.0.1 ACL leads to the same result (messages sent to the (local) wire but not delivered to consumers), but adding it back leads to the intended behaviour (messages delivered).

I tried with IP, FQDN, hostname; I cannot get my messages from 10.42.42.3 delivered, except if I add an ACL with --allow-host \*; in this case messages from 10.42.42.3 get delivered.

I use kafka 0.10.2.0.

Do you have any clue? How to debug this issue?

Thanks,

--
Bastien Durel
DATA
Enterprise data integration, decision-support information systems.
bastien.du...@data.fr
tel : +33 (0) 1 57 19 59 28
fax : +33 (0) 1 57 19 59 73
12 avenue Raspail, 94250 GENTILLY France
www.data.fr
from kafka import KafkaConsumer

# Consumer used to check that any user can read from any host (kafka-python client).
consumer = KafkaConsumer('test',
                         bootstrap_servers='192.168.100.168:9092',
                         security_protocol="SASL_PLAINTEXT",
                         sasl_mechanism="PLAIN",
                         sasl_plain_username="alice",
                         sasl_plain_password="alice-secret")
for msg in consumer:
    print(msg)
from kafka import KafkaProducer
import socket

#producer = KafkaProducer(bootstrap_servers='192.168.100.168:9092')
producer = KafkaProducer(bootstrap_servers='192.168.100.168:9092',
                         security_protocol="SASL_PLAINTEXT",
                         sasl_mechanism="PLAIN",
                         sasl_plain_username="alice",
                         sasl_plain_password="alice-secret")
# Tag each message with its index and the sending host so the consumer shows where it came from.
for i in range(10):
    producer.send('test', b'some_message_bytes: ' + (str(i) + ' on ' + socket.gethostname()).encode('UTF-8'))
# send() is asynchronous; flush before the script exits so buffered messages are actually written.
producer.flush()
Attachment: kafka.pcap (application/vnd.tcpdump.pcap)
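How SimpleAclAuthorizer decides on a request against the ACLs listed in the post, as an added example (not code from the post or from Kafka): it models the 0.10.x matching rules in Python over the poster's --list output. The request tuples, including the 192.168.100.1 client address, are constructed.

```python
"""Model of SimpleAclAuthorizer (kafka 0.10.x) matching for the ACLs posted above.
Added example, not code from the post or from Kafka; the ACL text is the
poster's --list output and the request tuples below are constructed."""
import re
from typing import FrozenSet, List, NamedTuple

Acl = NamedTuple("Acl", [("principal", str), ("permission", str),
                         ("operations", FrozenSet[str]), ("host", str)])

# One line of kafka-acls.sh --list output, e.g.
# "User:alice has Allow permission for operations: All from hosts: 10.42.42.3"
ACL_LINE = re.compile(r"^(?P<principal>\S+) has (?P<perm>Allow|Deny) permission "
                      r"for operations: (?P<ops>.+?) from hosts: (?P<host>\S+)$")

def parse_acls(listing: str) -> List[Acl]:
    """Parse --list output; lines that are not ACL entries are ignored."""
    acls = []
    for line in listing.splitlines():
        m = ACL_LINE.match(line.strip())
        if m:
            ops = frozenset(op.strip() for op in m["ops"].split(","))
            acls.append(Acl(m["principal"], m["perm"], ops, m["host"]))
    return acls

def _matches(acl: Acl, principal: str, client_ip: str, op: str, perm: str) -> bool:
    # The broker compares acl.host with the client's IP address text
    # (InetAddress.getHostAddress): a hostname or FQDN in an ACL never
    # matches, and an address rewritten by NAT or a proxy does not either.
    return (acl.permission == perm
            and acl.principal in (principal, "User:*")
            and acl.host in (client_ip, "*")
            and (op in acl.operations or "All" in acl.operations))

def authorize(acls: List[Acl], principal: str, client_ip: str, op: str) -> bool:
    """Any matching Deny wins; otherwise any matching Allow grants access."""
    if any(_matches(a, principal, client_ip, op, "Deny") for a in acls):
        return False
    return any(_matches(a, principal, client_ip, op, "Allow") for a in acls)

POSTED_ACLS = parse_acls("""
User:* has Allow permission for operations: Describe from hosts: *
User:* has Allow permission for operations: Read from hosts: *
User:alice has Allow permission for operations: All from hosts: 10.42.42.3
User:alice has Allow permission for operations: All from hosts: 127.0.0.1
""")

if __name__ == "__main__":
    # Write from the listed address passes; the same user seen by the broker
    # from a constructed, unlisted address (e.g. behind NAT) is denied.
    print(authorize(POSTED_ACLS, "User:alice", "10.42.42.3", "Write"))     # True
    print(authorize(POSTED_ACLS, "User:alice", "192.168.100.1", "Write"))  # False
```

Comparing the address the broker logs for the producer's connection with the host in the ACL is the first check when a host-scoped ACL appears correct but writes are still rejected.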