is auto topic creation enabled on server? Any deny logs in
kafka-authorizer.log?
What is the inter-broker protocol configured? If it is SSL, SSL user should
have ClusterAction permission.
On Mon, Aug 20, 2018 at 3:33 PM Matt L <matt.l...@gmail.com> wrote:
> Hello,
>
> Having trouble when publishing and consuming from a topic with
> SASL_PLAINTEXT.
>
> Both ZK and Kafka start successfully, in logs I see SASL_PLAINTEXT on 9093
> as being available.
>
> kafka.log:[2018-08-20 03:31:08,202] INFO Registered broker 1 at path
> /brokers/ids/1 with addresses:
>
> EndPoint(kafkabroker1,9092,ListenerName(SSL),SSL),EndPoint(kafkabroker1,9093,ListenerName(SASL_PLAINTEXT),SASL_PLAINTEXT)
> (kafka.utils.ZkUtils:70)
>
>
> When i try to publish, e.g.
> bin/kafka-console-producer --broker-list kafkabroker1:9093 \
> --topic testtopic1 --producer.config /tmp/sasl-producer.properties
>
> I get:
>
> [2018-08-20 08:37:35,075] WARN Error while fetching metadata with
> correlation id 3 : {testtopic1=UNKNOWN_TOPIC_OR_PARTITION}
> (org.apache.kafka.clients.NetworkClient)
> [2018-08-20 08:37:35,176] WARN Error while fetching metadata with
> correlation id 4 : {testtopic1=UNKNOWN_TOPIC_OR_PARTITION}
> (org.apache.kafka.clients.NetworkClient)
> [2018-08-20 08:37:35,277] WARN Error while fetching metadata with
> correlation id 5 : {testtopic1=UNKNOWN_TOPIC_OR_PARTITION}
> (org.apache.kafka.clients.NetworkClient)
>
>
> What I've verified:
> 1) Client can resolve advertisted.listeners on all brokers. (prior to
> enabling SASL, PLAINTEXT and SSL work with my set advertisted.listerners)
> 2) In my sasl-producer.properties, im authenticating with user Kafka. Kafka
> has been set as super user and in kafka-authorizer.log, I see "
>
> [2018-08-20 08:27:19,971] DEBUG principal = User:kafka is a super user,
> allowing operation without checking acls. (kafka.authorizer.logger)
> [2018-08-20 08:27:19,971] DEBUG Principal = User:kafka is Allowed Operation
> = Describe from host = 10.10.52.1 on resource = Topic:testtopic1
> (kafka.authorizer.logger)
> [2018-08-20 08:27:20,072] DEBUG operation = Read on resource = Topic:
> testtopic1 from host = 10.10.52.1 is Allow based on acl = User:kafka has
> Allow permission for operations: All from hosts: *
> (kafka.authorizer.logger)
>
> and from the kafka.log's in DEBUG:
> [2018-08-20 09:35:48,364] DEBUG principal = User:kafka is a super user,
> allowing operation without checking acls. (kafka.authorizer.logger:159)
> [2018-08-20 09:35:48,364] DEBUG Principal = User:kafka is Allowed Operation
> = Describe from host = 10.89.64.7 on resource = Topic:kerbtest1
> (kafka.authorizer.logger:251)
> [2018-08-20 09:35:48,364] DEBUG Completed
>
> request:{api_key=3,api_version=4,correlation_id=186,client_id=console-producer}
> -- {topics=[kerbtest1],allow_auto_topic_creation=true} from connection
> 10.10.52.1:9093-10.10.52.1
> :42752;totalTime:0.461000,requestQueueTime:0.033000,localTime:0.346000,remoteTime:0.000000,throttleTime:0.033000,responseQueueTime:0.030000,sendTime:0.066000,securityProtocol:SASL_PLAINTEXT,principal:User:kafka,listener:SASL_PLAINTEXT
> (kafka.request.logger:193)
>
>
> I'm assuming everything is okay from an ACL standpoint but when the client
> cannot get the topic metadata from the returned advertisted listeners?
> Any ideas on what I could be missing? Could this be something with ZK
> setup/any authentication I am missing there? I had even tried "
> skipACL=yes"
> but that did not change anything.
>
> Thanks!
>
