FWIR: is a plaintext broker supported with a SASL Zookeeper frontend... assuming no,
here are the reasons:


https://www.tutorialspoint.com/apache_kafka/apache_kafka_cluster_architecture.htm



consumers requesting SASL access route to ZK first (to retrieve SCRAM 
Credentials from Zookeeper)

"The default implementation of SASL/SCRAM in Kafka stores SCRAM credentials in 
Zookeeper. This is suitable for production use in installations where Zookeeper 
is secure and on a private network."

Broker successful initialisation or Broker failure notifications are handled by 
Zookeeper:

"As per the notification received by the Zookeeper regarding presence or 
failure of the broker then producer and consumer takes decision and starts 
coordinating their task with some other broker"

the question is:
can ZK server support both SASL and Plaintext?
there is either a SASL/SSL port or a PLAINTEXT port supported for any ZK server
the answer seems to be no


corroborated here:
https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/


FWIR: PLAINTEXT should not be configured with SASL/SSL enabled ZK server


does this conform to your findings?

M-


Martin




________________________________
From: Alexander Maniates <maniat...@gmail.com>
Sent: Monday, April 2, 2018 5:07 PM
To: users@kafka.apache.org
Subject: Possible to enable client SSL when PLAINTEXT brokers exist in the 
cluster?

Is it possible to enable client SSL when PLAINTEXT brokers exist in the
cluster?

Suppose you have 9 brokers in a cluster. 8 are configured with both SSL and
PLAINTEXT endpoints. One broker is configured with only a PLAINTEXT
endpoint, and this broker does NOT OWN any partitions. I supply a list of 3
brokers for the producer config that are all SSL enabled. In this setup,
the producers fail to fetch metadata for a topic, even though the producer
is only connecting to one of the SSL brokers.

SSL-enabled producer client log output:

>
> 2018-04-02 19:03:08.125 DEBUG o.a.kafka.clients.NetworkClient - Initialize
> connection to node -2 for sending metadata request
> 2018-04-02 19:03:08.125 DEBUG o.a.kafka.clients.NetworkClient - Initiating
> connection to node -2 at REDACTED.SSL.BROKER.COM:REDACTED-PORT.
> 2018-04-02 19:03:08.131 DEBUG o.a.kafka.clients.NetworkClient - Completed
> connection to node -2
> 2018-04-02 19:03:08.253 DEBUG o.a.kafka.clients.NetworkClient - Sending
> metadata request {topics=[my-topic]} to node -2
> 2018-04-02 19:03:08.267 WARN  o.a.kafka.clients.NetworkClient - Error
> while fetching metadata with correlation id 0 : {my-topic=UNKNOWN}
> 2018-04-02 19:03:08.267 TRACE o.a.kafka.clients.NetworkClient - Ignoring
> empty metadata response with correlation id 0.


Once I shut down the plaintext broker, all is fine again.
Brokers are on 0.10.1 and clients are on 0.9.

Is this intended behavior? Does the entire cluster always have to have SSL
enabled? Why is the metadata request failing if the plaintext broker does
not own any partitions at all, and the client is not connecting to that
broker?


Thanks,
Alex
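
As an added example (not configuration from either message in this thread), the broker and producer settings for the setup Alex describes: the first file is the ninth broker as posted, with only a PLAINTEXT endpoint; the second brings it in line with the other eight by adding an SSL endpoint, which is the configuration-side alternative to shutting that broker down; the third is the SSL-only producer. Hostnames, ports, keystore paths and passwords are placeholders.

```properties
# ---- server.properties, broker 9 as described in the question (PLAINTEXT only)
broker.id=9
zookeeper.connect=zk1.example.internal:2181
listeners=PLAINTEXT://broker9.example.internal:9092
advertised.listeners=PLAINTEXT://broker9.example.internal:9092
security.inter.broker.protocol=PLAINTEXT

# ---- server.properties, broker 9 configured like the other eight (SSL + PLAINTEXT)
broker.id=9
zookeeper.connect=zk1.example.internal:2181
listeners=PLAINTEXT://broker9.example.internal:9092,SSL://broker9.example.internal:9093
advertised.listeners=PLAINTEXT://broker9.example.internal:9092,SSL://broker9.example.internal:9093
# broker-to-broker traffic over the SSL listener as well
security.inter.broker.protocol=SSL
# placeholder keystore/truststore paths and passwords
ssl.keystore.location=/etc/kafka/ssl/broker9.keystore.jks
ssl.keystore.password=CHANGE_ME
ssl.key.password=CHANGE_ME
ssl.truststore.location=/etc/kafka/ssl/truststore.jks
ssl.truststore.password=CHANGE_ME
# require client certificates on the SSL listener (mutual TLS)
ssl.client.auth=required

# ---- producer.properties, SSL-only client bootstrapping from SSL endpoints
bootstrap.servers=broker1.example.internal:9093,broker2.example.internal:9093,broker3.example.internal:9093
security.protocol=SSL
ssl.truststore.location=/etc/kafka/ssl/truststore.jks
ssl.truststore.password=CHANGE_ME
# client certificate, needed because the brokers set ssl.client.auth=required
ssl.keystore.location=/etc/kafka/ssl/producer.keystore.jks
ssl.keystore.password=CHANGE_ME
ssl.key.password=CHANGE_ME
```

The three fragments are separate files; the producer has no PLAINTEXT fallback, so any broker reachable only over PLAINTEXT is invisible to it.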
