But thanks anyway for the quick answer.

On Thu, 23 Aug 2018 at 14:38, HG <hanspeter.sl...@gmail.com> wrote:

> Well, it works fine when I do:
> export "KAFKA_OPTS=-Djava.security.auth.login.config=/u01/kafka/config/kafka_server_jaas.conf"
>
> On Thu, 23 Aug 2018 at 14:25, Manikumar <manikumar.re...@gmail.com> wrote:
>
>> *zk does NOT support PlainLoginModule.*
>>
>> On Thu, Aug 23, 2018 at 5:54 PM Manikumar <manikumar.re...@gmail.com> wrote:
>>
>> > No, zk does support PlainLoginModule. While using the kafka-acls.sh script
>> > with kerberized zk, we need to pass the required Kerberos credentials.
>> >
>> > AdminClient API is an API to perform administrative actions
>> > (create/delete topics, create/delete ACLs, etc.).
>> > This avoids direct communication with zk. Check the links below for more
>> > details:
>> >
>> > https://kafka.apache.org/20/javadoc/org/apache/kafka/clients/admin/KafkaAdminClient.html
>> > Examples: https://github.com/apache/kafka/pull/5200/files
>> > http://kafka.apache.org/documentation/#adminclientconfigs
>> > To configure SASL/PLAIN on clients:
>> > http://kafka.apache.org/documentation/#security_sasl_plain_clientconfig
>> >
>> > On Thu, Aug 23, 2018 at 5:20 PM HG <hanspeter.sl...@gmail.com> wrote:
>> >
>> >> Hi,
>> >>
>> >> I am not using kerberos only
>> >>
>> >> Client {
>> >>    org.apache.kafka.common.security.plain.PlainLoginModule required
>> >>    username="user"
>> >>    password="user-secret";
>> >> };
>> >>
>> >> Does that make a difference?
>> >>
>> >> What do you mean with AdminClient API?
>> >>
>> >> Regards Hans
>> >>
>> >> On Thu, 23 Aug 2018 at 13:34, Manikumar <manikumar.re...@gmail.com> wrote:
>> >>
>> >> > We can pass the JAAS conf by exporting the variable below before starting the
>> >> > kafka-acls.sh script. Another option is to use the AdminClient API.
>> >> >
>> >> > export KAFKA_OPTS="-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=zk_client_jaas.conf"
>> >> >
>> >> > zk_client_jaas.conf:
>> >> > // Zookeeper client authentication
>> >> > Client {
>> >> > com.sun.security.auth.module.Krb5LoginModule required
>> >> > useKeyTab=true
>> >> > storeKey=true
>> >> > keyTab="/etc/security/keytabs/kafka_server.keytab"
>> >> > principal="kafka/kafka1.hostname....@example.com";
>> >> > };
>> >> >
>> >> > On Thu, Aug 23, 2018 at 4:44 PM HG <hanspeter.sl...@gmail.com> wrote:
>> >> >
>> >> > > Hi,
>> >> > >
>> >> > > I searched for an option with which I can provide credentials but I did not
>> >> > > find them.
>> >> > > Is there another way to reach the same goal?
>> >> > > Regards Hans
>> >> > >
>> >> > > On Thu, 23 Aug 2018 at 13:00, Manikumar <manikumar.re...@gmail.com> wrote:
>> >> > >
>> >> > > > The "kafka-acls.sh" script communicates directly with ZooKeeper.
>> >> > > > We should run kafka-acls.sh as the kafka user (super user) to get write
>> >> > > > permission on zk.
>> >> > > > We should pass the required JAAS conf to the script.
>> >> > > >
>> >> > > > On Thu, Aug 23, 2018 at 3:02 PM HG <hanspeter.sl...@gmail.com> wrote:
>> >> > > >
>> >> > > > > Hi,
>> >> > > > >
>> >> > > > > I have an environment with SSL, SASL and ACLs enabled.
>> >> > > > > When I set zookeeper.set_acl=true in the server.properties file of the
>> >> > > > > brokers I cannot create topics, ACLs etc.
>> >> > > > >
>> >> > > > > [root@host201 kafka]# bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:admin --operation All --topic '*' --cluster
>> >> > > > > Error while executing ACL command: KeeperErrorCode = NoAuth for /kafka-acl/Topic
>> >> > > > > org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /kafka-acl/Topic
>> >> > > > >         at org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
>> >> > > > >     ..
>> >> > > > > I have specified super users too in the server.properties.
>> >> > > > >
>> >> > > > > Any ideas what I am doing wrong?
>> >> > > > >
>> >> > > > > Regards Hans
>> >> > > > >
>> >> > > >
>> >> > >
>> >> >
>> >>
>> >
>>
>
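
An added example, not part of the thread: the replies above pass a JAAS file to kafka-acls.sh through KAFKA_OPTS, and the ZooKeeper client takes its credentials from the `Client` section of that file. This sketch lists the sections of a JAAS file and refuses to build the KAFKA_OPTS value when `Client` is missing; the function names and the two sample files are constructed for illustration.

```shell
# Added example: check a JAAS file before passing it to kafka-acls.sh.
# Function names and sample files are constructed, not from the thread.

# Print "section<TAB>login-module" for each entry in a JAAS file.
jaas_entries() {
  awk '
    { sub(/\/\/.*/, "") }                        # drop // comments
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*[{]/ {   # "Name {" opens a section
      name = $1; sub(/[{].*/, "", name); insec = 1; next
    }
    insec && /[}]/ { insec = 0; next }           # "};" closes it
    insec && $2 ~ /^(required|requisite|sufficient|optional);?$/ {
      print name "\t" $1
    }
  ' "$1"
}

# True only if the file defines the "Client" section, the JAAS context the
# ZooKeeper client looks up by default.
has_zk_client_section() {
  jaas_entries "$1" | cut -f1 | grep -qx 'Client'
}

# Emit the KAFKA_OPTS value, or fail if the file has no Client section.
kafka_opts_for() {
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
  has_zk_client_section "$1" || { echo "$1: no Client section" >&2; return 1; }
  printf '%s\n' "-Djava.security.auth.login.config=$1"
}

# Constructed sample files.
demo_dir=$(mktemp -d)
cat > "$demo_dir/with_client.conf" <<'EOF'
// Zookeeper client authentication
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  keyTab="/path/to/placeholder.keytab"
  principal="kafka/host.example@EXAMPLE.COM";
};
EOF
cat > "$demo_dir/broker_only.conf" <<'EOF'
KafkaServer {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  username="admin"
  password="placeholder";
};
EOF
jaas_entries "$demo_dir/with_client.conf"
kafka_opts_for "$demo_dir/broker_only.conf" || echo "refused: export nothing"
```

Used as `export KAFKA_OPTS="$(kafka_opts_for /path/to/jaas.conf)"`, the check stops a run that would otherwise reach ZooKeeper without credentials and end in the NoAuth error quoted in the first message.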
