"allow.everyone.if.no.acl.found" config is applicable for Kafka's inbuilt
authorizer implementation (SimpleAclAuthorizer).
What is the Kafka version? You can check authorizer debug logs starting
with "No acl found for resource...".
Make sure there are no ACLs for the ANONYMOUS user. Are you using any custom authorizer?


On Tue, Aug 21, 2018 at 12:21 AM Matt L <matt.l...@gmail.com> wrote:

> Thanks for the pointer Manikumar!
>
> It looks like it was my interbroker communication, this was set to SSL so
> inter broker users were coming in as ANONYMOUS. Once I changed this to
> SASL_SSL I was able to publish/consume.
>
> One remaining question I have is around
> allow.everyone.if.no.acl.found=true. Despite setting this, I still see
> "User:ANONYMOUS is Denied Operation= Describe" in authorizer log. Is there
> something else that needs to be set to enable this? Or is "Describe" not
> part of what this flag sets?
>
> Thanks,
> Matt
>
> On Mon, Aug 20, 2018 at 5:03 AM, Manikumar <manikumar.re...@gmail.com>
> wrote:
>
> > Is auto topic creation enabled on server? Any deny logs in
> > kafka-authorizer.log?
> > What is the inter-broker protocol configured? If it is SSL, SSL user
> > should have ClusterAction permission.
> >
> > On Mon, Aug 20, 2018 at 3:33 PM Matt L <matt.l...@gmail.com> wrote:
> >
> > > Hello,
> > >
> > > Having trouble when publishing and consuming from a topic with
> > > SASL_PLAINTEXT.
> > >
> > > Both ZK and Kafka start successfully, in logs I see SASL_PLAINTEXT on
> > > 9093 as being available.
> > >
> > > kafka.log:[2018-08-20 03:31:08,202] INFO Registered broker 1 at path
> > > /brokers/ids/1 with addresses:
> > > EndPoint(kafkabroker1,9092,ListenerName(SSL),SSL),
> > > EndPoint(kafkabroker1,9093,ListenerName(SASL_PLAINTEXT),SASL_PLAINTEXT)
> > > (kafka.utils.ZkUtils:70)
> > >
> > >
> > > When I try to publish, e.g.
> > >   bin/kafka-console-producer --broker-list kafkabroker1:9093 \
> > >   --topic testtopic1 --producer.config /tmp/sasl-producer.properties
> > >
> > > I get:
> > >
> > > [2018-08-20 08:37:35,075] WARN Error while fetching metadata with
> > > correlation id 3 : {testtopic1=UNKNOWN_TOPIC_OR_PARTITION}
> > > (org.apache.kafka.clients.NetworkClient)
> > > [2018-08-20 08:37:35,176] WARN Error while fetching metadata with
> > > correlation id 4 : {testtopic1=UNKNOWN_TOPIC_OR_PARTITION}
> > > (org.apache.kafka.clients.NetworkClient)
> > > [2018-08-20 08:37:35,277] WARN Error while fetching metadata with
> > > correlation id 5 : {testtopic1=UNKNOWN_TOPIC_OR_PARTITION}
> > > (org.apache.kafka.clients.NetworkClient)
> > >
> > >
> > > What I've verified:
> > > 1) Client can resolve advertised.listeners on all brokers. (prior to
> > > enabling SASL, PLAINTEXT and SSL work with my set advertised.listeners)
> > > 2) In my sasl-producer.properties, I'm authenticating with user Kafka.
> > > Kafka has been set as super user and in kafka-authorizer.log, I see:
> > >
> > > [2018-08-20 08:27:19,971] DEBUG principal = User:kafka is a super user,
> > > allowing operation without checking acls. (kafka.authorizer.logger)
> > > [2018-08-20 08:27:19,971] DEBUG Principal = User:kafka is Allowed
> > > Operation = Describe from host = 10.10.52.1 on resource = Topic:testtopic1
> > > (kafka.authorizer.logger)
> > > [2018-08-20 08:27:20,072] DEBUG operation = Read on resource =
> > > Topic:testtopic1 from host = 10.10.52.1 is Allow based on acl = User:kafka
> > > has Allow permission for operations: All from hosts: *
> > > (kafka.authorizer.logger)
> > >
> > > and from the kafka.log's in DEBUG:
> > > [2018-08-20 09:35:48,364] DEBUG principal = User:kafka is a super user,
> > > allowing operation without checking acls. (kafka.authorizer.logger:159)
> > > [2018-08-20 09:35:48,364] DEBUG Principal = User:kafka is Allowed
> > > Operation = Describe from host = 10.89.64.7 on resource = Topic:kerbtest1
> > > (kafka.authorizer.logger:251)
> > > [2018-08-20 09:35:48,364] DEBUG Completed
> > > request:{api_key=3,api_version=4,correlation_id=186,client_id=console-producer}
> > > -- {topics=[kerbtest1],allow_auto_topic_creation=true} from connection
> > > 10.10.52.1:9093-10.10.52.1:42752;totalTime:0.461000,requestQueueTime:0.033000,
> > > localTime:0.346000,remoteTime:0.000000,throttleTime:0.033000,
> > > responseQueueTime:0.030000,sendTime:0.066000,securityProtocol:SASL_PLAINTEXT,
> > > principal:User:kafka,listener:SASL_PLAINTEXT
> > > (kafka.request.logger:193)
> > >
> > >
> > > I'm assuming everything is okay from an ACL standpoint but when the
> > > client cannot get the topic metadata from the returned advertised listeners?
> > > Any ideas on what I could be missing? Could this be something with ZK
> > > setup/any authentication I am missing there?  I had even tried
> > > "skipACL=yes" but that did not change anything.
> > >
> > > Thanks!
> > >
> >
>
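
Added example, not part of the original thread: a small Python triage script for kafka-authorizer.log that summarizes Denied decisions and lists the hosts whose requests were evaluated as User:ANONYMOUS, the symptom traced in this thread to inter-broker traffic on the SSL listener. The sample lines, the hosts 10.10.52.2 and 10.10.52.3, and the resource name Cluster:kafka-cluster are constructed; the line format follows the excerpts quoted above.

```python
import re
from collections import Counter

# Decision lines as quoted in the thread, e.g.
#   Principal = User:kafka is Allowed Operation = Describe from host = ... on resource = ...
# Spaces around "=" are optional because the thread also quotes "Operation= Describe".
DECISION = re.compile(
    r"Principal\s*=\s*(?P<principal>\S+) is (?P<verdict>Allowed|Denied) "
    r"Operation\s*=\s*(?P<op>\w+) from host\s*=\s*(?P<host>\S+) "
    r"on resource\s*=\s*(?P<resource>\S+)"
)

def parse(lines):
    """Yield one dict per authorizer decision line; other lines are skipped."""
    for line in lines:
        m = DECISION.search(line)
        if m:
            yield m.groupdict()

def summarize_denials(lines):
    """Count Denied decisions per (principal, operation, resource)."""
    return Counter(
        (d["principal"], d["op"], d["resource"])
        for d in parse(lines) if d["verdict"] == "Denied"
    )

def anonymous_hosts(lines):
    """Hosts whose requests arrived without an authenticated identity."""
    return sorted({d["host"] for d in parse(lines)
                   if d["principal"] == "User:ANONYMOUS"})

# Constructed sample lines (not taken from a real cluster).
SAMPLE = [
    "[2018-08-20 08:27:19,971] DEBUG principal = User:kafka is a super user, "
    "allowing operation without checking acls. (kafka.authorizer.logger)",
    "[2018-08-20 08:27:19,971] DEBUG Principal = User:kafka is Allowed Operation = Describe "
    "from host = 10.10.52.1 on resource = Topic:testtopic1 (kafka.authorizer.logger)",
    "[2018-08-20 08:27:20,101] DEBUG Principal = User:ANONYMOUS is Denied Operation = ClusterAction "
    "from host = 10.10.52.2 on resource = Cluster:kafka-cluster (kafka.authorizer.logger)",
    "[2018-08-20 08:27:20,305] DEBUG Principal = User:ANONYMOUS is Denied Operation = ClusterAction "
    "from host = 10.10.52.2 on resource = Cluster:kafka-cluster (kafka.authorizer.logger)",
    "[2018-08-20 08:27:21,010] DEBUG Principal = User:ANONYMOUS is Denied Operation= Describe "
    "from host = 10.10.52.3 on resource = Topic:testtopic1 (kafka.authorizer.logger)",
]

if __name__ == "__main__":
    for (principal, op, resource), n in summarize_denials(SAMPLE).most_common():
        print(f"{n:3d}  {principal}  {op}  {resource}")
    print("ANONYMOUS requests from:", ", ".join(anonymous_hosts(SAMPLE)))
```

ANONYMOUS denials coming from a broker's own address point at a listener that does not establish a principal, which is what the switch of the inter-broker protocol to SASL_SSL resolved in this thread.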
