On Tuesday, 26 September 2017 at 16:30 +0200, Bastien Durel wrote:
> Hello,
>
> I want to allow any user to consume messages from any host, but
> restrict publishing from only one host (and one user), so I think I
> need ACLs.
>
> I use the default authorizer:
> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
>
> I added the following ACLs to allow anyone to read from anywhere:
> bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --consumer --topic test --allow-principal 'User:*' --group '*'
>
> And I've verified I can consume messages from any host (using a small
> python client).
>
> I then added an ACL to permit alice to publish from 127.0.0.1:
> User:alice has Allow permission for operations: All from hosts: 127.0.0.1
>
> And messages posted from localhost (with another python script) flow
> to any consumer.
>
> But if I add a remote machine ACL:
> bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --topic test --allow-principal User:alice --allow-host 10.42.42.3
> Adding ACLs for resource `Topic:test`:
>     User:alice has Allow permission for operations: All from hosts: 10.42.42.3
>
> Current ACLs for resource `Topic:test`:
>     User:* has Allow permission for operations: Describe from hosts: *
>     User:* has Allow permission for operations: Read from hosts: *
>     User:alice has Allow permission for operations: All from hosts: 10.42.42.3
>     User:alice has Allow permission for operations: All from hosts: 127.0.0.1
>
> All looks correct, but messages sent from this host don't flow to
> consumer(s).
> I can see them leave on the wire, but I get a response wireshark
> doesn't know how to decode, but consumers don't get anything.
>
> Removing the 127.0.0.1 ACL leads to the same result (messages sent to
> the (local) wire but not delivered to consumers), but adding it back
> leads to the intended behaviour (messages delivered).
>
> I tried with IP, FQDN, hostname; I cannot get my messages from
> 10.42.42.3 to get delivered.
> Except if I add an ACL with --allow-host \*; in this case messages
> from 10.42.42.3 get delivered.
>
> I use kafka 0.10.2.0
>
> Do you have any clue? How to debug this issue?
>
> Thanks,

There is a router that masquerades my IP, that was the problem ... sorry for the noise
Regards,
-- 
Bastien Durel
DATA
Enterprise data integration, decision-support information systems.
bastien.du...@data.fr
tel: +33 (0) 1 57 19 59 28
fax: +33 (0) 1 57 19 59 73
12 avenue Raspail, 94250 GENTILLY France
www.data.fr
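As an added illustration of why the host-scoped ACL failed (this is not code from the thread or from Kafka itself): a simplified Python model of how the broker evaluates SimpleAclAuthorizer rules against the source address it actually sees on the connection, using the ACLs listed above and a constructed router address 10.42.42.1 standing in for the masqueraded IP.

```python
# Added example: a minimal model of host-scoped Kafka ACL evaluation.
# Entries mirror the ACLs printed by kafka-acls.sh in the thread; the NAT
# address 10.42.42.1 is a constructed placeholder for the masquerading router.
from dataclasses import dataclass


@dataclass(frozen=True)
class Acl:
    principal: str             # e.g. "User:alice" or the wildcard "User:*"
    host: str                  # exact address as seen by the broker, or "*"
    operation: str             # "Read", "Write", "Describe", "All", ...
    permission: str = "Allow"  # "Allow" or "Deny"


# Current ACLs for resource Topic:test, as listed in the message
TOPIC_TEST_ACLS = [
    Acl("User:*", "*", "Describe"),
    Acl("User:*", "*", "Read"),
    Acl("User:alice", "10.42.42.3", "All"),
    Acl("User:alice", "127.0.0.1", "All"),
]


def _matches(acl, principal, host, operation):
    # Host matching is a literal string compare: no subnets, no DNS lookup.
    return (acl.principal in (principal, "User:*")
            and acl.host in (host, "*")
            and acl.operation in (operation, "All"))


def authorize(acls, principal, host, operation):
    """Deny entries win over Allow entries; with no match the default
    authorizer denies (allow.everyone.if.no.acl.found is false by default)."""
    if any(a.permission == "Deny" and _matches(a, principal, host, operation)
           for a in acls):
        return False
    return any(a.permission == "Allow" and _matches(a, principal, host, operation)
               for a in acls)


def producer_allowed(acls, principal, client_ip, nat_ip=None):
    """A produce request needs Write on the topic. The broker checks the
    source address of the TCP connection, so when a router masquerades the
    client, nat_ip (not client_ip) is what gets compared against the ACL."""
    seen_by_broker = nat_ip if nat_ip is not None else client_ip
    return authorize(acls, principal, seen_by_broker, "Write")
```

Checking the broker's own view of the connection (for example the client address in the broker request log) is the quickest way to confirm whether an address-scoped ACL can ever match.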