Is auto topic creation enabled on the server? Any deny logs in kafka-authorizer.log? What is the inter-broker protocol configured? If it is SSL, the SSL user should have ClusterAction permission.

On Mon, Aug 20, 2018 at 3:33 PM Matt L <matt.l...@gmail.com> wrote:

> Hello,
>
> Having trouble when publishing and consuming from a topic with
> SASL_PLAINTEXT.
>
> Both ZK and Kafka start successfully, in logs I see SASL_PLAINTEXT on 9093
> as being available.
>
> kafka.log:[2018-08-20 03:31:08,202] INFO Registered broker 1 at path
> /brokers/ids/1 with addresses:
>
> EndPoint(kafkabroker1,9092,ListenerName(SSL),SSL),EndPoint(kafkabroker1,9093,ListenerName(SASL_PLAINTEXT),SASL_PLAINTEXT)
> (kafka.utils.ZkUtils:70)
>
> When I try to publish, e.g.
> bin/kafka-console-producer --broker-list kafkabroker1:9093 \
> --topic testtopic1 --producer.config /tmp/sasl-producer.properties
>
> I get:
>
> [2018-08-20 08:37:35,075] WARN Error while fetching metadata with
> correlation id 3 : {testtopic1=UNKNOWN_TOPIC_OR_PARTITION}
> (org.apache.kafka.clients.NetworkClient)
> [2018-08-20 08:37:35,176] WARN Error while fetching metadata with
> correlation id 4 : {testtopic1=UNKNOWN_TOPIC_OR_PARTITION}
> (org.apache.kafka.clients.NetworkClient)
> [2018-08-20 08:37:35,277] WARN Error while fetching metadata with
> correlation id 5 : {testtopic1=UNKNOWN_TOPIC_OR_PARTITION}
> (org.apache.kafka.clients.NetworkClient)
>
> What I've verified:
> 1) Client can resolve advertised.listeners on all brokers. (prior to
> enabling SASL, PLAINTEXT and SSL work with my set advertised.listeners)
> 2) In my sasl-producer.properties, I'm authenticating with user Kafka. Kafka
> has been set as super user and in kafka-authorizer.log, I see
>
> [2018-08-20 08:27:19,971] DEBUG principal = User:kafka is a super user,
> allowing operation without checking acls.
> (kafka.authorizer.logger)
> [2018-08-20 08:27:19,971] DEBUG Principal = User:kafka is Allowed Operation
> = Describe from host = 10.10.52.1 on resource = Topic:testtopic1
> (kafka.authorizer.logger)
> [2018-08-20 08:27:20,072] DEBUG operation = Read on resource = Topic:
> testtopic1 from host = 10.10.52.1 is Allow based on acl = User:kafka has
> Allow permission for operations: All from hosts: *
> (kafka.authorizer.logger)
>
> and from the kafka.log's in DEBUG:
> [2018-08-20 09:35:48,364] DEBUG principal = User:kafka is a super user,
> allowing operation without checking acls. (kafka.authorizer.logger:159)
> [2018-08-20 09:35:48,364] DEBUG Principal = User:kafka is Allowed Operation
> = Describe from host = 10.89.64.7 on resource = Topic:kerbtest1
> (kafka.authorizer.logger:251)
> [2018-08-20 09:35:48,364] DEBUG Completed
>
> request:{api_key=3,api_version=4,correlation_id=186,client_id=console-producer}
> -- {topics=[kerbtest1],allow_auto_topic_creation=true} from connection
> 10.10.52.1:9093-10.10.52.1
> :42752;totalTime:0.461000,requestQueueTime:0.033000,localTime:0.346000,remoteTime:0.000000,throttleTime:0.033000,responseQueueTime:0.030000,sendTime:0.066000,securityProtocol:SASL_PLAINTEXT,principal:User:kafka,listener:SASL_PLAINTEXT
> (kafka.request.logger:193)
>
> I'm assuming everything is okay from an ACL standpoint but when the client
> cannot get the topic metadata from the returned advertised listeners?
> Any ideas on what I could be missing? Could this be something with ZK
> setup/any authentication I am missing there? I had even tried
> "skipACL=yes"
> but that did not change anything.
>
> Thanks!
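
One way to run the reply's "deny logs" and ClusterAction checks over kafka-authorizer.log, as an added example that is not part of the thread. It assumes denied requests are logged in the same shape as the "is Allowed Operation" lines quoted above with the word "Denied"; the sample lines and the CN=broker.example principal are constructed placeholders.

```python
import re
from collections import Counter

# Line shape mirrors the "Principal = ... is Allowed Operation = ..." entries
# quoted in the thread; "Denied" in the same position is an assumption.
LINE = re.compile(
    r"Principal = (?P<principal>.+?) is (?P<result>Allowed|Denied) "
    r"Operation = (?P<op>\w+) from host = (?P<host>\S+) "
    r"on resource = (?P<resource>\S+)"
)

# Constructed sample input (not taken from the thread).
SAMPLE_LOG = """\
[2018-08-20 08:27:19,971] DEBUG Principal = User:kafka is Allowed Operation = Describe from host = 10.10.52.1 on resource = Topic:testtopic1 (kafka.authorizer.logger)
[2018-08-20 08:27:20,102] INFO Principal = User:CN=broker.example is Denied Operation = ClusterAction from host = 10.10.52.2 on resource = Cluster:kafka-cluster (kafka.authorizer.logger)
[2018-08-20 08:27:20,640] INFO Principal = User:CN=broker.example is Denied Operation = ClusterAction from host = 10.10.52.2 on resource = Cluster:kafka-cluster (kafka.authorizer.logger)
[2018-08-20 08:27:21,015] INFO Principal = User:ANONYMOUS is Denied Operation = Describe from host = 10.10.52.1 on resource = Topic:testtopic1 (kafka.authorizer.logger)
"""


def summarize_denies(log_text):
    """Count Denied entries per (principal, operation, resource)."""
    denies = Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m and m["result"] == "Denied":
            denies[(m["principal"], m["op"], m["resource"])] += 1
    return denies


def missing_cluster_action(denies):
    """Principals refused ClusterAction on the Cluster resource.

    With an SSL inter-broker listener this is the broker's own SSL
    principal, which is the case the reply asks about.
    """
    return sorted({p for (p, op, res) in denies
                   if op == "ClusterAction" and res.startswith("Cluster:")})


if __name__ == "__main__":
    found = summarize_denies(SAMPLE_LOG)
    for (principal, op, res), n in found.most_common():
        print(f"{n:3d}  {principal}  {op}  {res}")
    print("needs ClusterAction:", missing_cluster_action(found))
```

An empty result from `summarize_denies` on the real log points away from ACLs and toward the other two questions in the reply (auto topic creation and the inter-broker protocol).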