kafka-users mailing list archives

From Shrikant Patel <SPa...@pdxinc.com>
Subject Kafka ACL \ SASL issue.
Date Sat, 01 Apr 2017 00:20:45 GMT
Hi All,

We are using SASL for authentication between Kafka and ZK. Followed - https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/

We have 3 Kafka nodes; on each node, we have principal="kafka/server_no.xxx.com@XXX.COM". So

On first node in kafka_server_jaas.conf, principal is set to principal="kafka/server1.xxx.com@XXX.COM"
On second node in kafka_server_jaas.conf, principal is set to principal="kafka/server2.xxx.com@XXX.COM"
On third node in kafka_server_jaas.conf, principal is set to principal="kafka/server3.xxx.com@XXX.COM"

When I run the ACL command from node 1, it is successful. It all works, but I cannot run ACL from
the other 2 nodes. On the other 2 nodes it fails with the error

[2017-03-31 18:44:38,629] ERROR Conditional update of path /kafka-acl/Topic/shri-topic with
data {"version":1,"acls":[{"principal":"User:CN=xxxxxxx,OU=xxxx,O=xxxx,L=xxxxx,ST=xx,C=xx","permissionType":"Allow","operation":"Describe","host":"*"},{"principal":"User:CN=spatel-lt,OU=arch,O=pdx
inc,L=fort worth,ST=tx,C=us","permissionType":"Allow","operation":"Write","host":"*"}]} and
expected version 0 failed due to org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode
= NoAuth for /kafka-acl/Topic/shri-topic (kafka.utils.ZkUtils)

When I look at the ZK kafka-acl node, it only has permission for the first node. I understand this is the reason
it does not allow the others to run ACL, even though they have valid keytabs.

getAcl /kafka-acl
'world,'anyone
: r
'sasl,'kafka/server1.xxx.com@XXX.COM
: cdrwa

Is this a bug or am I doing something wrong here?

Thanks,
Shri
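The getAcl output above is the whole story: Kafka creates its ZooKeeper znodes with world:anyone read plus full rights for the SASL identity that created them, and ZooKeeper's sasl scheme matches that identity by exact string comparison, so a broker authenticating as kafka/server2.xxx.com@XXX.COM is simply a different client than kafka/server1.xxx.com@XXX.COM. The following is an added example (not code from the post, Kafka or ZooKeeper): a small model of that ACL check that reproduces the NoAuth against the quoted ACL and then shows two ways out, stripping host and realm from the principal on the ZooKeeper side so every broker becomes "kafka" (the znodes must be recreated or re-ACLed afterwards, since the existing entry still names the full principal), or keeping per-host principals and adding an explicit sasl entry for each broker. The ZooKeeper property names in the comments are quoted from memory and should be checked against the release in use; the broker principal list is taken from the post.

```python
"""Model of ZooKeeper's znode ACL evaluation for SASL/Kerberos clients.

Added example, not code from the post, Kafka or ZooKeeper. Only the two ACL
schemes that appear in the post (world and sasl) are modelled.
"""
import re
from dataclasses import dataclass

# ZooKeeper permission bits as in org.apache.zookeeper.ZooDefs.Perms
PERMS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}


def perm_bits(spec: str) -> int:
    """Turn a getAcl-style permission string such as 'cdrwa' into a bitmask."""
    bits = 0
    for ch in spec:
        bits |= PERMS[ch]
    return bits


@dataclass(frozen=True)
class Acl:
    scheme: str  # "world" or "sasl"
    id: str      # "anyone", or the SASL identity ZooKeeper recorded
    perms: int   # bitmask built from PERMS


def parse_getacl(output: str) -> list:
    """Parse the two-line-per-entry text that zkCli's getAcl prints."""
    lines = [ln.strip() for ln in output.strip().splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("getAcl output should pair an id line with a perms line")
    acls = []
    for id_line, perm_line in zip(lines[0::2], lines[1::2]):
        m = re.fullmatch(r"'(\w+),'(.+)", id_line)
        if not m or not perm_line.startswith(":"):
            raise ValueError(f"unexpected getAcl lines: {id_line!r} / {perm_line!r}")
        acls.append(Acl(m.group(1), m.group(2), perm_bits(perm_line[1:].strip())))
    return acls


def sasl_identity(principal: str, remove_host: bool = False, remove_realm: bool = False) -> str:
    """Identity ZooKeeper records for a Kerberos-authenticated client.

    By default the full principal is used, so per-host broker principals are
    all distinct identities. ZooKeeper can drop the host and/or realm (assumed
    here to be its zookeeper.kerberos.removeHostFromPrincipal and
    zookeeper.kerberos.removeRealmFromPrincipal system properties); with both
    set, kafka/serverN.xxx.com@XXX.COM collapses to "kafka" on every node.
    """
    name, _, realm = principal.partition("@")
    primary, _, host = name.partition("/")
    out = primary if (remove_host or not host) else f"{primary}/{host}"
    return out if (remove_realm or not realm) else f"{out}@{realm}"


def creator_acl(identity: str) -> list:
    """Default secure ACL Kafka puts on znodes it creates: everyone may read,
    the creating SASL identity gets cdrwa."""
    return [Acl("world", "anyone", PERMS["r"]), Acl("sasl", identity, perm_bits("cdrwa"))]


def has_perm(acls: list, identity: str, perm: str) -> bool:
    """world:anyone matches every client; sasl:<id> needs an exact match."""
    bit = PERMS[perm]
    for acl in acls:
        if not acl.perms & bit:
            continue
        if acl.scheme == "world" and acl.id == "anyone":
            return True
        if acl.scheme == "sasl" and acl.id == identity:
            return True
    return False


BROKERS = [f"kafka/server{n}.xxx.com@XXX.COM" for n in (1, 2, 3)]

# Constructed from the getAcl output quoted in the post.
GETACL_OUTPUT = """
'world,'anyone
: r
'sasl,'kafka/server1.xxx.com@XXX.COM
: cdrwa
"""


def who_can_write(acls: list, remove_host: bool = False, remove_realm: bool = False) -> dict:
    """Which broker principals may setData (needs 'w') on a znode carrying acls."""
    return {p: has_perm(acls, sasl_identity(p, remove_host, remove_realm), "w") for p in BROKERS}


def fix_by_explicit_entries(acls: list) -> list:
    """Alternative fix: keep per-host principals, grant each broker cdrwa
    (what a zkCli setAcl with one sasl entry per broker would produce)."""
    extra = [Acl("sasl", p, perm_bits("cdrwa")) for p in BROKERS if not has_perm(acls, p, "w")]
    return acls + extra


if __name__ == "__main__":
    current = parse_getacl(GETACL_OUTPUT)
    print("as posted:", who_can_write(current))
    # Fix 1: strip host and realm in ZooKeeper, then recreate the znodes so the
    # creator ACL records "kafka" instead of one broker's full principal.
    recreated = creator_acl(sasl_identity(BROKERS[0], True, True))
    print("host/realm stripped:", who_can_write(recreated, True, True))
    # Fix 2: explicit sasl entry per broker.
    print("explicit entries:", who_can_write(fix_by_explicit_entries(current)))
```

Run it as-is to see the three outcomes; the first dict is the situation in the post (only server1 may write), and the other two are all True. Note that Fix 1 only helps znodes created, or re-ACLed, after ZooKeeper starts stripping host and realm: the entry already on /kafka-acl still names the full server1 principal and matches nobody once identities become "kafka".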

