tracert MessageBrokerIP

do you see ZK server in the trace?
if yes then you are running kafka-cluster

(ZK does not support mixed mode but there is a backdoor zookeeper.properties 
config attribute that allows plaintext clients to bypass sasl auth)

?

Martin
______________________________________________



________________________________
From: Darshan <purandare.dars...@gmail.com>
Sent: Tuesday, April 3, 2018 5:45 PM
To: rajinisiva...@gmail.com
Cc: users@kafka.apache.org
Subject: Re: advertised.listeners

Hi Rajini

The above configuration that you mentioned a while back helped me sort the
issue of listeners and I was also able to run Kafka 0.10.2.1 with SSL and
ACLs as well from one of your other posts.

I wanted to ask you if it is possible to run Kafka in a mixed security
mode? i.e. external producers who are on 172.x.x.x interface can use the
SSL to send/receive data from/to our Kafka brokers, but our internal
consumer can read/write on PLAINTEXT channel to Kafka.

Here is my server.properties, but my internal producer which does not have
any keystore and truststore is getting the following error:
*[2018-04-03 21:21:04,378] WARN Error while fetching metadata with
correlation id 1 : {Topic4006=TOPIC_AUTHORIZATION_FAILED}
(org.apache.kafka.clients.NetworkClient)*


*server.properties for our Kafka-1,2,3. They are identical except broker.id
<http://broker.id> and super.users properties.*
broker.id&nbsp;-&nbspThis website is for sale!&nbsp;-&nbspbroker Resources and 
Information.<http://broker.id/>
broker.id
This website is for sale! broker.id is your first and best source for all of 
the information you’re looking for. From general topics to more of what you 
would expect to find here, broker.id has it all. We hope you find what you are 
searching for!




# ID and basic topic creation
broker.id=1
auto.create.topics.enable=true
delete.topic.enable=true

# LISTERN Settings
listeners=INTERNAL://1.1.1.165:9092,EXTERNAL://172.21.190.176:9093
advertised.listeners=INTERNAL://1.1.1.165:9092,EXTERNAL://
172.21.190.176:9093
listener.security.protocol.map=INTERNAL:PLAINTEXT,EXTERNAL:SSL
inter.broker.listener.name=INTERNAL
host.name=172.21.190.176

# Security Settings
ssl.keystore.location=keystore.jks
ssl.keystore.password=password
ssl.key.password=password
ssl.truststore.location=truststore.jks
ssl.truststore.password=password
ssl.keystore.type=JKS
ssl.truststore.type=JKS
security.protocol=SSL
ssl.client.auth=required
allow.everyone.if.no.acl.found=false
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:CN=Kafka1

Can you please point out if anything needs to be modified ?

Many thanks.

--Darshan

On Wed, May 31, 2017 at 11:31 AM, Rajini Sivaram <rajinisiva...@gmail.com>
wrote:

> If you want to use different interfaces with the same security protocol,
> you can specify listener names. You can then also configure different
> security properties for internal/external if you need.
>
> listeners=INTERNAL://1.x.x.x:9092,EXTERNAL://172.x.x.x:9093
>
> advertised.listeners=INTERNAL://1.x.x.x:9092,EXTERNAL://172.x.x.x:9093
>
> listener.security.protocol.map=INTERNAL:SSL,EXTERNAL:SSL
>
> inter.broker.listener.name=INTERNAL
>
> On Wed, May 31, 2017 at 6:22 PM, Raghav <raghavas...@gmail.com> wrote:
>
> > Hello Darshan
> >
> > Have you tried SSL://0.0.0.0:9093 ?
> >
> > Rajani had suggested something similar to me a week back while I was
> > trying to get a ACL based setup.
> >
> > Thanks.
> >
> > On Wed, May 31, 2017 at 8:58 AM, Darshan <purandare.dars...@gmail.com>
> > wrote:
> >
> >> Hi
> >>
> >> Our Kafka broker has two IPs on two different interfaces.
> >>
> >> eth0 has 172.x.x.x for external leg
> >> eth1 has 1.x.x.x for internal leg
> >>
> >>
> >> Kafka Producer is on 172.x.x.x subnet, and Kafka Consumer is on 1.x.x.x
> >> subnet.
> >>
> >> If we use advertised.listeners=SSL://172.x.x.x:9093, then Producer can
> >> producer the message, but Consumer cannot receive the message.
> >>
> >> What value should we use for advertised.listeners so that Producer can
> >> write and Consumers can read ?
> >>
> >> Thanks.
> >>
> >
> >
> >
> > --
> > Raghav
> >
>

Reply via email to