FWIR: is a plaintext broker supported with a SASL Zookeeper frontend? Assuming no, here are the reasons:

https://www.tutorialspoint.com/apache_kafka/apache_kafka_cluster_architecture.htm

Consumers requesting SASL access route to ZK first (to retrieve SCRAM credentials from Zookeeper): "The default implementation of SASL/SCRAM in Kafka stores SCRAM credentials in Zookeeper. This is suitable for production use in installations where Zookeeper is secure and on a private network."

Broker successful initialisation or broker failure notifications are handled by Zookeeper: "As per the notification received by the Zookeeper regarding presence or failure of the broker then producer and consumer takes decision and starts coordinating their task with some other broker."

The question is: can a ZK server support both SASL and Plaintext? There is either a SASL/SSL port or a PLAINTEXT port supported for any ZK server. The answer seems to be no, corroborated here:

https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/

FWIR: PLAINTEXT should not be configured with a SASL/SSL-enabled ZK server. Does this conform to your findings?

Martin

________________________________
From: Alexander Maniates <maniat...@gmail.com>
Sent: Monday, April 2, 2018 5:07 PM
To: users@kafka.apache.org
Subject: Possible to enable client SSL when PLAINTEXT brokers exist in the cluster?

Is it possible to enable client SSL when PLAINTEXT brokers exist in the cluster?

Suppose you have 9 brokers in a cluster. 8 are configured with both SSL and PLAINTEXT endpoints. One broker is configured with only a PLAINTEXT endpoint, and this broker does NOT OWN any partitions.

I supply a list of 3 brokers for the producer config that are all SSL enabled. In this setup, the producers fail to fetch metadata for a topic, even though the producer is only connecting to one of the SSL brokers.

SSL-enabled producer client log output:

> 2018-04-02 19:03:08.125 DEBUG o.a.kafka.clients.NetworkClient - Initialize connection to node -2 for sending metadata request
> 2018-04-02 19:03:08.125 DEBUG o.a.kafka.clients.NetworkClient - Initiating connection to node -2 at REDACTED.SSL.BROKER.COM:REDACTED-PORT.
> 2018-04-02 19:03:08.131 DEBUG o.a.kafka.clients.NetworkClient - Completed connection to node -2
> 2018-04-02 19:03:08.253 DEBUG o.a.kafka.clients.NetworkClient - Sending metadata request {topics=[my-topic]} to node -2
> 2018-04-02 19:03:08.267 WARN o.a.kafka.clients.NetworkClient - Error while fetching metadata with correlation id 0 : {my-topic=UNKNOWN}
> 2018-04-02 19:03:08.267 TRACE o.a.kafka.clients.NetworkClient - Ignoring empty metadata response with correlation id 0.

Once I shut down the plaintext broker, all is fine again.

Brokers are on 0.10.1 and clients are 0.9.

Is this intended behavior? Does the entire cluster always have to have SSL enabled? Why is the metadata request failing if the plaintext broker does not own any partitions at all, and the client is not connecting to that broker?

Thanks,
Alex
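As an added example (not code from either message in this thread), here is a small Python check a practitioner could run before pointing SSL clients at a mixed cluster like the one Alex describes. It reads broker registration records in the JSON shape Kafka stores under /brokers/ids/<id> in ZooKeeper (the assumption made here is that each record carries an "endpoints" list of PROTOCOL://host:port strings, which is what zookeeper-shell.sh shows for a 0.10.x broker) and reports which brokers have no endpoint for the protocol the clients will use, and which brokers still expose PLAINTEXT at all. The three sample records, host names and broker ids are constructed and mirror the question's cluster in miniature (two SSL+PLAINTEXT brokers, one PLAINTEXT-only broker).

```python
"""Check which Kafka brokers expose an endpoint for a given security protocol.

Added example, not code from the mailing-list thread. Assumes broker
registration JSON with an "endpoints" list of "PROTOCOL://host:port"
strings, as found under /brokers/ids/<id> in ZooKeeper.
"""
import json

# Constructed sample registrations (hosts and ids are made up); in practice
# fetch each with: zookeeper-shell.sh <zk:port> get /brokers/ids/<id>
SAMPLE_BROKERS = {
    "1": json.dumps({
        "endpoints": ["PLAINTEXT://kafka-1.example:9092", "SSL://kafka-1.example:9093"],
        "host": "kafka-1.example", "port": 9092, "version": 3,
    }),
    "2": json.dumps({
        "endpoints": ["PLAINTEXT://kafka-2.example:9092", "SSL://kafka-2.example:9093"],
        "host": "kafka-2.example", "port": 9092, "version": 3,
    }),
    # The odd one out: PLAINTEXT only, like the ninth broker in the question.
    "9": json.dumps({
        "endpoints": ["PLAINTEXT://kafka-9.example:9092"],
        "host": "kafka-9.example", "port": 9092, "version": 3,
    }),
}


def parse_endpoints(registration_json):
    """Return {SECURITY_PROTOCOL: (host, port)} from one registration record.

    Parsed by hand rather than with urllib because protocol names such as
    SASL_SSL contain an underscore, which urllib does not accept in a scheme.
    Assumes host:port without IPv6 brackets.
    """
    record = json.loads(registration_json)
    endpoints = {}
    for ep in record.get("endpoints", []):
        protocol, sep, hostport = ep.partition("://")
        if not sep:
            raise ValueError("malformed endpoint: %r" % ep)
        host, _, port = hostport.rpartition(":")
        endpoints[protocol.upper()] = (host, int(port))
    return endpoints


def brokers_missing_protocol(registrations, protocol):
    """Broker ids (sorted numerically) that have NO endpoint for `protocol`.

    Any id returned here is a broker that clients speaking `protocol`
    cannot reach at all, whether or not it currently owns partitions.
    """
    wanted = protocol.upper()
    missing = [bid for bid, reg in registrations.items()
               if wanted not in parse_endpoints(reg)]
    return sorted(missing, key=int)


def brokers_exposing_protocol(registrations, protocol):
    """Broker ids (sorted numerically) that still expose `protocol`.

    Run with "PLAINTEXT" to find brokers that still accept unencrypted,
    unauthenticated connections after an SSL rollout.
    """
    wanted = protocol.upper()
    exposing = [bid for bid, reg in registrations.items()
                if wanted in parse_endpoints(reg)]
    return sorted(exposing, key=int)


def cluster_supports(registrations, protocol):
    """True only if every registered broker has an endpoint for `protocol`."""
    return not brokers_missing_protocol(registrations, protocol)


if __name__ == "__main__":
    print("brokers without SSL endpoint:", brokers_missing_protocol(SAMPLE_BROKERS, "SSL"))
    print("brokers still exposing PLAINTEXT:", brokers_exposing_protocol(SAMPLE_BROKERS, "PLAINTEXT"))
    print("whole cluster reachable over SSL:", cluster_supports(SAMPLE_BROKERS, "SSL"))
```

Against the constructed sample, the check flags broker 9 as unreachable over SSL and lists all three brokers as still exposing PLAINTEXT; on a real cluster, an empty "missing" list for SSL and an empty "exposing" list for PLAINTEXT is the state to reach before treating the cluster as SSL-only.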