From Manikumar <manikumar.re...@gmail.com>
Subject Re: Kafka ACL \ SASL issue.
Date Sat, 01 Apr 2017 03:33:48 GMT
In JAAS config, the Client section is used to authenticate the SASL connection
with ZooKeeper.
It is necessary to have the same principal name across all brokers.

http://kafka.apache.org/documentation.html#security_jaas_broker

On Sat, Apr 1, 2017 at 5:50 AM, Shrikant Patel <SPatel@pdxinc.com> wrote:

> Hi All,
>
> We are using SASL for authentication between Kafka and ZK. Followed -
> https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/
>
> We have 3 Kafka nodes; on each node, we have
> principal="kafka/server_no.xxx.com@XXX.COM". So
>
> On first node in kafka_server_jaas.conf, principal is set to
> principal="kafka/server1.xxx.com@XXX.COM"
> On second node in kafka_server_jaas.conf, principal is set to
> principal="kafka/server2.xxx.com@XXX.COM"
> On third node in kafka_server_jaas.conf, principal is set to
> principal="kafka/server3.xxx.com@XXX.COM"
>
> When I run the ACL command from node 1, it is successful. It all works, but I
> cannot run ACL from the other 2 nodes. On the other 2 nodes it fails with error
>
> [2017-03-31 18:44:38,629] ERROR Conditional update of path
> /kafka-acl/Topic/shri-topic with data {"version":1,"acls":[{"
> principal":"User:CN=xxxxxxx,OU=xxxx,O=xxxx,L=xxxxx,ST=xx,
> C=xx","permissionType":"Allow","operation":"Describe","host"
> :"*"},{"principal":"User:CN=spatel-lt,OU=arch,O=pdx inc,L=fort
> worth,ST=tx,C=us","permissionType":"Allow","operation":"Write","host":"*"}]}
> and expected version 0 failed due to org.apache.zookeeper.KeeperException$NoAuthException:
> KeeperErrorCode = NoAuth for /kafka-acl/Topic/shri-topic
> (kafka.utils.ZkUtils)
>
> When I look at the ZK kafka-acl node, it only has permission for the first node. I
> understand this is the reason it does not allow the others to run ACL, even though
> they have valid keytabs.
>
> getAcl /kafka-acl
> 'world,'anyone
> : r
> 'sasl,'kafka/server1.xxx.com@XXX.COM
> : cdrwa
>
> Is this a bug or am I doing something wrong here?
>
> Thanks,
> Shri
>
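An added illustration of the point in the reply, not code from the thread or from Kafka: a check that parses each broker's kafka_server_jaas.conf, pulls the principal from the Client section only (the one ZooKeeper sees), and reports whether the brokers agree. The JAAS texts and the shared principal "kafka-zk@XXX.COM" are constructed placeholders; the per-host layout mirrors the three-node setup described in the question.

```python
import re

# Constructed stand-in for each broker's kafka_server_jaas.conf, shaped like the
# thread's setup: the Client section (SASL login to ZooKeeper) reuses the per-host
# broker principal, which is the mismatch the reply points out.
def jaas_for(host):
    return f'''
KafkaServer {{
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true storeKey=true
    keyTab="/etc/security/keytabs/kafka_server.keytab"
    principal="kafka/{host}.xxx.com@XXX.COM";
}};
Client {{
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true storeKey=true
    keyTab="/etc/security/keytabs/kafka_server.keytab"
    principal="kafka/{host}.xxx.com@XXX.COM";
}};
'''

JAAS_BY_NODE = {h: jaas_for(h) for h in ("server1", "server2", "server3")}

SECTION_RE = re.compile(r"(\w+)\s*\{(.*?)\};", re.S)   # one JAAS login section
PRINCIPAL_RE = re.compile(r'principal\s*=\s*"([^"]+)"')

def client_principal(jaas_text):
    """Principal of the Client section, or None if the section or value is missing."""
    for name, body in SECTION_RE.findall(jaas_text):
        if name == "Client":
            m = PRINCIPAL_RE.search(body)
            return m.group(1) if m else None
    return None

def distinct_client_principals(jaas_by_node):
    """Distinct ZooKeeper-side principals across brokers. Znodes such as /kafka-acl get
    an ACL for exactly one sasl principal, so more than one value here means NoAuth
    for every broker except the one that created the node, as in the thread."""
    return sorted({client_principal(t) or "<missing>" for t in jaas_by_node.values()})

def with_shared_client_principal(jaas_text, principal):
    """Rewrite only the Client section's principal; KafkaServer stays per-host."""
    def fix(m):
        name, body = m.group(1), m.group(2)
        if name == "Client":
            body = PRINCIPAL_RE.sub(f'principal="{principal}"', body)
        return f"{name} {{{body}}};"
    return SECTION_RE.sub(fix, jaas_text)
```

Running `distinct_client_principals` over the constructed configs yields three values; after `with_shared_client_principal` on every node it yields one, which is the state the reply asks for.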
