No, zk does support PlainLoginModule. while using kafka-acls.sh script with kerberized zk, we need to pass required kerberos credentials.
AdminClient API is an api to perform administrative actions (create/delete topics, create/delete acls etc..). This avoids direct communication with zk. Check below links for more details: *https://kafka.apache.org/20/javadoc/org/apache/kafka/clients/admin/KafkaAdminClient.html <https://kafka.apache.org/20/javadoc/org/apache/kafka/clients/admin/KafkaAdminClient.html>* Examples: https://github.com/apache/kafka/pull/5200/files http://kafka.apache.org/documentation/#adminclientconfigs To configure SASL/PLAIN on clients: http://kafka.apache.org/documentation/#security_sasl_plain_clientconfig On Thu, Aug 23, 2018 at 5:20 PM HG <hanspeter.sl...@gmail.com> wrote: > Hi, > > I am not using kerberos only > > Client { > org.apache.kafka.common.security.plain.PlainLoginModule required > username="user" > password="user-secret"; > }; > > Does that make a difference? > > What do you mean with AdminClient API? > > Regards Hans > > Op do 23 aug. 2018 om 13:34 schreef Manikumar <manikumar.re...@gmail.com>: > > > We can pass jaas conf by exporting below variable before starting the > > kafka-acls.sh script. another option is to use AdminClient API. > > > > export KAFKA_OPTS="-Djava.security.krb5.conf=/etc/krb5.conf > > -Djava.security.auth.login.config=zk_client_jaas.conf" > > > > zk_client_jaas.conf: > > // Zookeeper client authentication > > Client { > > com.sun.security.auth.module.Krb5LoginModule required > > useKeyTab=true > > storeKey=true > > keyTab="/etc/security/keytabs/kafka_server.keytab" > > principal="kafka/kafka1.hostname....@example.com"; > > }; > > > > On Thu, Aug 23, 2018 at 4:44 PM HG <hanspeter.sl...@gmail.com> wrote: > > > > > Hi, > > > > > > I searched for an option with which I can provide credentials but I did > > not > > > find them. > > > Is there another way to reach the same goal? > > > Regards Hans > > > > > > Op do 23 aug. 2018 om 13:00 schreef Manikumar < > manikumar.re...@gmail.com > > >: > > > > > > > "kafka-acls.sh" script communicates directly with zookeeper. > > > > We should run kafka-acls.sh as kafka user (super user) to get write > > > > permission on zk. > > > > We should pass required jaas conf to the script. > > > > > > > > On Thu, Aug 23, 2018 at 3:02 PM HG <hanspeter.sl...@gmail.com> > wrote: > > > > > > > > > Hi, > > > > > > > > > > I have an environment with SSL, SASL and ACL's enabled. > > > > > When I set zookeeper.set_acl=true in the server.properties file of > > the > > > > > brokers I cannot create topics , ACL's etc. > > > > > > > > > > [root@host201 kafka]# bin/kafka-acls.sh --authorizer-properties > > > > > zookeeper.connect=localhost:2181 --add --allow-principal > User:admin > > > > > --operation All --topic '*' --cluster > > > > > Error while executing ACL command: KeeperErrorCode = NoAuth for > > > > > /kafka-acl/Topic > > > > > org.apache.zookeeper.KeeperException$NoAuthException: > > KeeperErrorCode = > > > > > NoAuth for /kafka-acl/Topic > > > > > at > > > > > > org.apache.zookeeper.KeeperException.create(KeeperException.java:113) > > > > > .. > > > > > I have specified super users too in the server.properties. > > > > > > > > > > Any idea's what I am doing wrong? > > > > > > > > > > Regards Hans > > > > > > > > > > > > > > >
