kafka-users mailing list archives

From Raghu B <raghu98...@gmail.com>
Subject Re: Kafka ACL's with SSL Protocol is not working
Date Fri, 16 Dec 2016 22:16:37 GMT
Thank you Rajini, your suggestion is really helpful.


[2016-12-16 21:55:36,720] DEBUG Principal =
User:CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown is
Allowed Operation = Create from host = 172.28.89.63 on resource =
Cluster:kafka-cluster (kafka.authorizer.logger)

Finally I am getting the user as exactly what I set in my SSL-Cert (Not
Anonymous).

But I am getting another error, i.e.:


[2016-12-16 13:55:36,449] WARN Error while fetching metadata with
correlation id 45 : {my-ssl-topic=LEADER_NOT_AVAILABLE}
(org.apache.kafka.clients.NetworkClient)
[2016-12-16 13:55:36,609] WARN Error while fetching metadata with
correlation id 46 : {my-ssl-topic=LEADER_NOT_AVAILABLE}
(org.apache.kafka.clients.NetworkClient)
[2016-12-16 13:55:36,766] WARN Error while fetching metadata with
correlation id 47 : {my-ssl-topic=LEADER_NOT_AVAILABLE}
(org.apache.kafka.clients.NetworkClient)


I created the topic and my Kafka node is working without any issues (I
restarted several times).

[raghu@Kafka-238343-1-33109167 kafka_2.11-0.10.1.0]$ bin/kafka-topics.sh --describe --zookeeper localhost:2181 --topic my-ssl-topic

Topic:my-ssl-topic PartitionCount:1 ReplicationFactor:1 Configs:
Topic: my-ssl-topic Partition: 0 Leader: 0 Replicas: 0 Isr: 0

Thanks in advance,
Raghu


On Fri, Dec 16, 2016 at 1:30 AM, Rajini Sivaram <rsivaram@pivotal.io> wrote:

> You need to set ssl.client.auth="required" in server.properties.
>
> Regards,
>
> Rajini
>
> On Wed, Dec 14, 2016 at 12:12 AM, Raghu B <raghu98499@gmail.com> wrote:
>
> > Hi All,
> >
> > I am trying to enable ACLs in my Kafka cluster along with the SSL
> > protocol.
> >
> > I tried each and every parameter but no luck, so I need help to
> > enable SSL (without Kerberos) and I am attaching all the configuration
> > details in this.
> >
> > Kindly help me.
> >
> >
> > I tested SSL without ACL, it worked fine
> > (listeners=SSL://10.247.195.122:9093)
> >
> >
> > This is my Kafka server properties file:
> >
> > ############################# ACL SETTINGS #############################
> >
> > auto.create.topics.enable=true
> >
> > authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
> >
> > security.inter.broker.protocol=SSL
> >
> > #allow.everyone.if.no.acl.found=true
> >
> > #principal.builder.class=CustomizedPrincipalBuilderClass
> >
> > #super.users=User:"CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown"
> >
> > #super.users=User:Raghu;User:Admin
> >
> > #offsets.storage=kafka
> >
> > #dual.commit.enabled=true
> >
> > listeners=SSL://10.247.195.122:9093
> >
> > #listeners=PLAINTEXT://10.247.195.122:9092
> >
> > #listeners=PLAINTEXT://10.247.195.122:9092,SSL://10.247.195.122:9093
> >
> > #advertised.listeners=PLAINTEXT://10.247.195.122:9092
> >
> >
> > ssl.keystore.location=/home/raghu/kafka/security/server.keystore.jks
> >
> > ssl.keystore.password=123456
> >
> > ssl.key.password=123456
> >
> > ssl.truststore.location=/home/raghu/kafka/security/server.truststore.jks
> >
> > ssl.truststore.password=123456
> >
> >
> >
> > Set the ACL from Authorizer CLI:
> >
> > > bin/kafka-acls.sh --authorizer-properties zookeeper.connect=10.247.195.122:2181 --list --topic ssltopic
> >
> > Current ACLs for resource `Topic:ssltopic`:
> >
> >   User:CN=writeuser, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown has Allow permission for operations: Write from hosts: *
> >
> >
> > XXXWMXXX-7:kafka_2.11-0.10.1.0 rbaddam$ bin/kafka-console-producer.sh --broker-list 10.247.195.122:9093 --topic ssltopic --producer.config client-ssl.properties
> >
> >
> > [2016-12-13 14:53:45,839] WARN Error while fetching metadata with correlation id 0 : {ssltopic=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
> >
> > [2016-12-13 14:53:45,984] WARN Error while fetching metadata with correlation id 1 : {ssltopic=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
> >
> >
> > XXXWMXXX-7:kafka_2.11-0.10.1.0 rbaddam$ cat client-ssl.properties
> >
> > #group.id=sslgroup
> >
> > security.protocol=SSL
> >
> > ssl.truststore.location=/Users/rbaddam/Desktop/Dev/kafka_2.11-0.10.1.0/ssl/client.truststore.jks
> >
> > ssl.truststore.password=123456
> >
> > #Configure Below if you use Client Auth
> >
> >
> > ssl.keystore.location=/Users/rbaddam/Desktop/Dev/kafka_2.11-0.10.1.0/ssl/client.keystore.jks
> >
> > ssl.keystore.password=123456
> >
> > ssl.key.password=123456
> >
> >
> > XXXWMXXX-7:kafka_2.11-0.10.1.0 rbaddam$ bin/kafka-console-consumer.sh --bootstrap-server 10.247.195.122:9093 --new-consumer --consumer.config client-ssl.properties --topic ssltopic --from-beginning
> >
> > [2016-12-13 14:53:28,817] WARN Error while fetching metadata with correlation id 1 : {ssltopic=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
> >
> > [2016-12-13 14:53:28,819] ERROR Unknown error when running consumer: (kafka.tools.ConsoleConsumer$)
> >
> > org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to access group: console-consumer-52826
> >
> >
> > Thanks in advance,
> >
> > Raghu - raghu98499@gmail.com
> >
>
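
Added example, not part of the original messages or of Kafka itself: a small Python check for the two settings this thread turns on, namely an authorizer behind an SSL listener without `ssl.client.auth=required`, and an ACL principal whose DN spelling differs from the one the authorizer logs. The function names are hypothetical, the sample inputs are constructed from values quoted above, and the comparison assumes the authorizer matches principal names as exact strings.

```python
# Constructed sample: the broker settings quoted in the thread, before the fix.
SERVER_PROPERTIES = """\
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
security.inter.broker.protocol=SSL
listeners=SSL://10.247.195.122:9093
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_client_auth(props):
    """Findings for an authorizer that sits behind an SSL listener."""
    listeners = props.get("listeners", "").split(",")
    has_ssl = any(l.strip().upper().startswith("SSL://") for l in listeners)
    if not (props.get("authorizer.class.name") and has_ssl):
        return []
    if props.get("ssl.client.auth", "none") != "required":
        return ["ssl.client.auth is not 'required': the broker does not demand "
                "a client certificate, so ACLs on a certificate DN cannot match"]
    return []

def canonical(principal):
    """Drop whitespace around DN commas (for comparison only)."""
    kind, _, name = principal.partition(":")
    return kind + ":" + ",".join(p.strip() for p in name.split(","))

def compare_principals(acl_principal, logged_principal):
    """Assumption: the authorizer matches principal names as exact strings."""
    if acl_principal == logged_principal:
        return "match"
    if canonical(acl_principal) == canonical(logged_principal):
        return "whitespace-mismatch"
    return "different"

if __name__ == "__main__":
    for finding in check_client_auth(parse_properties(SERVER_PROPERTIES)):
        print("WARN:", finding)
    print(compare_principals(
        "User:CN=writeuser, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown",
        "User:CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown"))
```

Feed `compare_principals` the principal exactly as it appears in the `kafka.authorizer.logger` DEBUG line and the one shown by `kafka-acls.sh --list`.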
