But thanks anyway for the quick answer.
On Thu, Aug 23, 2018 at 14:38, HG <hanspeter.sl...@gmail.com> wrote:

> Well it works fine when I do:
> export "KAFKA_OPTS=-Djava.security.auth.login.config=/u01/kafka/config/kafka_server_jaas.conf"
>
> On Thu, Aug 23, 2018 at 14:25, Manikumar <manikumar.re...@gmail.com> wrote:
>
>> *zk does NOT support PlainLoginModule.*
>>
>> On Thu, Aug 23, 2018 at 5:54 PM Manikumar <manikumar.re...@gmail.com> wrote:
>>
>> > No, zk does support PlainLoginModule. While using kafka-acls.sh script
>> > with kerberized zk, we need to pass required kerberos credentials.
>> >
>> > AdminClient API is an API to perform administrative actions
>> > (create/delete topics, create/delete ACLs etc.).
>> > This avoids direct communication with zk. Check below links for more
>> > details:
>> >
>> > https://kafka.apache.org/20/javadoc/org/apache/kafka/clients/admin/KafkaAdminClient.html
>> > Examples: https://github.com/apache/kafka/pull/5200/files
>> > http://kafka.apache.org/documentation/#adminclientconfigs
>> > To configure SASL/PLAIN on clients:
>> > http://kafka.apache.org/documentation/#security_sasl_plain_clientconfig
>> >
>> > On Thu, Aug 23, 2018 at 5:20 PM HG <hanspeter.sl...@gmail.com> wrote:
>> >
>> >> Hi,
>> >>
>> >> I am not using kerberos only
>> >>
>> >> Client {
>> >>     org.apache.kafka.common.security.plain.PlainLoginModule required
>> >>     username="user"
>> >>     password="user-secret";
>> >> };
>> >>
>> >> Does that make a difference?
>> >>
>> >> What do you mean with AdminClient API?
>> >>
>> >> Regards Hans
>> >>
>> >> On Thu, Aug 23, 2018 at 13:34, Manikumar <manikumar.re...@gmail.com> wrote:
>> >>
>> >> > We can pass jaas conf by exporting below variable before starting the
>> >> > kafka-acls.sh script. Another option is to use AdminClient API.
>> >> >
>> >> > export KAFKA_OPTS="-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=zk_client_jaas.conf"
>> >> >
>> >> > zk_client_jaas.conf:
>> >> > // Zookeeper client authentication
>> >> > Client {
>> >> >     com.sun.security.auth.module.Krb5LoginModule required
>> >> >     useKeyTab=true
>> >> >     storeKey=true
>> >> >     keyTab="/etc/security/keytabs/kafka_server.keytab"
>> >> >     principal="kafka/kafka1.hostname....@example.com";
>> >> > };
>> >> >
>> >> > On Thu, Aug 23, 2018 at 4:44 PM HG <hanspeter.sl...@gmail.com> wrote:
>> >> >
>> >> > > Hi,
>> >> > >
>> >> > > I searched for an option with which I can provide credentials but I
>> >> > > did not find them.
>> >> > > Is there another way to reach the same goal?
>> >> > > Regards Hans
>> >> > >
>> >> > > On Thu, Aug 23, 2018 at 13:00, Manikumar <manikumar.re...@gmail.com> wrote:
>> >> > >
>> >> > > > "kafka-acls.sh" script communicates directly with zookeeper.
>> >> > > > We should run kafka-acls.sh as kafka user (super user) to get write
>> >> > > > permission on zk.
>> >> > > > We should pass required jaas conf to the script.
>> >> > > >
>> >> > > > On Thu, Aug 23, 2018 at 3:02 PM HG <hanspeter.sl...@gmail.com> wrote:
>> >> > > >
>> >> > > > > Hi,
>> >> > > > >
>> >> > > > > I have an environment with SSL, SASL and ACLs enabled.
>> >> > > > > When I set zookeeper.set_acl=true in the server.properties file of
>> >> > > > > the brokers I cannot create topics, ACLs etc.
>> >> > > > >
>> >> > > > > [root@host201 kafka]# bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:admin --operation All --topic '*' --cluster
>> >> > > > > Error while executing ACL command: KeeperErrorCode = NoAuth for /kafka-acl/Topic
>> >> > > > > org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /kafka-acl/Topic
>> >> > > > > at org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
>> >> > > > > ..
>> >> > > > > I have specified super users too in the server.properties.
>> >> > > > >
>> >> > > > > Any ideas what I am doing wrong?
>> >> > > > >
>> >> > > > > Regards Hans
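
The thread settles on handing kafka-acls.sh a JAAS file through KAFKA_OPTS, so the following pre-flight check for that file is added here as an example; it is not part of the original thread or of Kafka. The function names `jaas_client_module` and `check_zk_jaas`, the return codes and the sample file are assumptions made for illustration, and the parser assumes the login module sits on its own line after `Client {`, as in the quoted configs.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): pre-flight check for the JAAS file that
# kafka-acls.sh picks up through KAFKA_OPTS before it talks to ZooKeeper.

# Print the login module class of the "Client" section, the section the
# ZooKeeper client reads. Exit status 1 when the file has no such section.
jaas_client_module() {
  awk '
    /^[[:space:]]*\/\// { next }                        # skip // comments
    /^[[:space:]]*Client[[:space:]]*\{/ { inside = 1; next }
    inside && /^[[:space:]]*\}/ { exit }                # empty section
    inside && NF { print $1; found = 1; exit }          # first token = class
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Return 0 and export KAFKA_OPTS when the file looks usable, otherwise:
#   1 unreadable file, 2 no Client section, 3 PlainLoginModule in Client
#   (the thread states ZooKeeper does not support it), 4 group/other-readable.
check_zk_jaas() {
  local file=$1 module
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  module=$(jaas_client_module "$file") || { echo "no Client section in $file" >&2; return 2; }
  case $module in
    *PlainLoginModule) echo "Client section uses $module" >&2; return 3 ;;
  esac
  # The file holds a password or points at a keytab: keep it owner-only.
  case $(ls -ld -- "$file" | cut -c5,8) in
    *r*) echo "$file is readable by group or others" >&2; return 4 ;;
  esac
  export KAFKA_OPTS="-Djava.security.auth.login.config=$file"
}

# Constructed sample input, modelled on the Kerberos Client section quoted above.
sample=$(mktemp) && chmod 600 "$sample"
cat > "$sample" <<'EOF'
// Zookeeper client authentication
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/path/to/placeholder.keytab";
};
EOF
check_zk_jaas "$sample" && echo "KAFKA_OPTS=$KAFKA_OPTS"
rm -f "$sample"
```

A non-zero return leaves KAFKA_OPTS untouched, so the check can gate the kafka-acls.sh call in a wrapper script.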