Thanks for the pointer Manikumar! It looks like it was my interbroker communication, this was set to SSL so inter broker users were coming in as ANONYMOUS. Once I changed this to SASL_SSL I was able to publish/consume.

One remaining question I have is around allow.everyone.if.no.acl.found=true. Despite setting this, I still see "User:ANONYMOUS is Denied Operation= Describe" in authorizer log. Is there something else that needs to be set to enable this? Or is "Describe" not part of what this flag sets?

Thanks,
Matt

On Mon, Aug 20, 2018 at 5:03 AM, Manikumar <manikumar.re...@gmail.com> wrote:

> Is auto topic creation enabled on server? Any deny logs in kafka-authorizer.log?
> What is the inter-broker protocol configured? If it is SSL, SSL user should have ClusterAction permission.
>
> On Mon, Aug 20, 2018 at 3:33 PM Matt L <matt.l...@gmail.com> wrote:
>
> > Hello,
> >
> > Having trouble when publishing and consuming from a topic with SASL_PLAINTEXT.
> >
> > Both ZK and Kafka start successfully, in logs I see SASL_PLAINTEXT on 9093 as being available.
> >
> > kafka.log:[2018-08-20 03:31:08,202] INFO Registered broker 1 at path /brokers/ids/1 with addresses: EndPoint(kafkabroker1,9092,ListenerName(SSL),SSL),EndPoint(kafkabroker1,9093,ListenerName(SASL_PLAINTEXT),SASL_PLAINTEXT) (kafka.utils.ZkUtils:70)
> >
> > When I try to publish, e.g.
> >
> > bin/kafka-console-producer --broker-list kafkabroker1:9093 \
> >   --topic testtopic1 --producer.config /tmp/sasl-producer.properties
> >
> > I get:
> >
> > [2018-08-20 08:37:35,075] WARN Error while fetching metadata with correlation id 3 : {testtopic1=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
> > [2018-08-20 08:37:35,176] WARN Error while fetching metadata with correlation id 4 : {testtopic1=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
> > [2018-08-20 08:37:35,277] WARN Error while fetching metadata with correlation id 5 : {testtopic1=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
> >
> > What I've verified:
> > 1) Client can resolve advertised.listeners on all brokers. (prior to enabling SASL, PLAINTEXT and SSL work with my set advertised.listeners)
> > 2) In my sasl-producer.properties, I'm authenticating with user Kafka. Kafka has been set as super user and in kafka-authorizer.log, I see:
> >
> > [2018-08-20 08:27:19,971] DEBUG principal = User:kafka is a super user, allowing operation without checking acls. (kafka.authorizer.logger)
> > [2018-08-20 08:27:19,971] DEBUG Principal = User:kafka is Allowed Operation = Describe from host = 10.10.52.1 on resource = Topic:testtopic1 (kafka.authorizer.logger)
> > [2018-08-20 08:27:20,072] DEBUG operation = Read on resource = Topic:testtopic1 from host = 10.10.52.1 is Allow based on acl = User:kafka has Allow permission for operations: All from hosts: * (kafka.authorizer.logger)
> >
> > and from the kafka.log's in DEBUG:
> >
> > [2018-08-20 09:35:48,364] DEBUG principal = User:kafka is a super user, allowing operation without checking acls. (kafka.authorizer.logger:159)
> > [2018-08-20 09:35:48,364] DEBUG Principal = User:kafka is Allowed Operation = Describe from host = 10.89.64.7 on resource = Topic:kerbtest1 (kafka.authorizer.logger:251)
> > [2018-08-20 09:35:48,364] DEBUG Completed request:{api_key=3,api_version=4,correlation_id=186,client_id=console-producer} -- {topics=[kerbtest1],allow_auto_topic_creation=true} from connection 10.10.52.1:9093-10.10.52.1:42752;totalTime:0.461000,requestQueueTime:0.033000,localTime:0.346000,remoteTime:0.000000,throttleTime:0.033000,responseQueueTime:0.030000,sendTime:0.066000,securityProtocol:SASL_PLAINTEXT,principal:User:kafka,listener:SASL_PLAINTEXT (kafka.request.logger:193)
> >
> > I'm assuming everything is okay from an ACL standpoint but when the client cannot get the topic metadata from the returned advertised listeners?
> > Any ideas on what I could be missing? Could this be something with ZK setup/any authentication I am missing there? I had even tried "skipACL=yes" but that did not change anything.
> >
> > Thanks!
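
Added example, not part of the original thread and not Kafka project code: a small Python script that answers the "Any deny logs in kafka-authorizer.log?" question by tallying Denied decisions per principal, operation and resource, using the "Principal = ... is Allowed/Denied Operation = ..." line format quoted above. The sample log lines, hosts and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Decision line format as quoted in the thread's kafka-authorizer.log excerpts.
DECISION = re.compile(
    r"Principal = (?P<principal>\S+) is (?P<decision>Allowed|Denied) "
    r"Operation = (?P<operation>\w+) from host = (?P<host>\S+) "
    r"on resource = (?P<resource>\S+)"
)

# Constructed sample (not from a real cluster). Two entries are wrapped
# mid-line on purpose, the way a mail client or terminal paste wraps them.
SAMPLE_LOG = """\
[2018-08-20 08:27:19,971] DEBUG principal = User:kafka is a super user, allowing operation without checking acls. (kafka.authorizer.logger)
[2018-08-20 08:27:19,971] DEBUG Principal = User:kafka is Allowed Operation
= Describe from host = 192.0.2.10 on resource = Topic:testtopic1 (kafka.authorizer.logger)
[2018-08-20 08:27:20,101] DEBUG Principal = User:ANONYMOUS is Denied Operation = ClusterAction from host = 192.0.2.11 on resource = Cluster:kafka-cluster (kafka.authorizer.logger)
[2018-08-20 08:27:21,101] DEBUG Principal = User:ANONYMOUS is Denied Operation = ClusterAction from host = 192.0.2.11 on resource = Cluster:kafka-cluster (kafka.authorizer.logger)
[2018-08-20 08:27:21,250] DEBUG Principal = User:ANONYMOUS is Denied Operation = Describe from host = 192.0.2.11 on resource =
Topic:testtopic1 (kafka.authorizer.logger)
[2018-08-20 08:27:22,000] DEBUG Principal = User:kafka is Allowed Operation = Write from host = 192.0.2.10 on resource = Topic:testtopic1 (kafka.authorizer.logger)
"""

def parse_decisions(text):
    """Return one dict per Allowed/Denied decision, tolerating wrapped lines."""
    flat = " ".join(text.split())  # undo wrapping: collapse all whitespace
    return [m.groupdict() for m in DECISION.finditer(flat)]

def denied_summary(text):
    """Count Denied decisions keyed by (principal, operation, resource)."""
    counts = Counter()
    for d in parse_decisions(text):
        if d["decision"] == "Denied":
            counts[(d["principal"], d["operation"], d["resource"])] += 1
    return counts

def anonymous_denials(text):
    """Denials for User:ANONYMOUS, the principal seen in this thread when
    inter-broker traffic used the SSL listener instead of SASL_SSL."""
    return {k: v for k, v in denied_summary(text).items()
            if k[0] == "User:ANONYMOUS"}

if __name__ == "__main__":
    for (principal, op, resource), n in denied_summary(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {principal}  {op}  {resource}")
```
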