kafka-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Darshan <purandare.dars...@gmail.com>
Subject Re: advertised.listeners
Date Tue, 03 Apr 2018 22:47:54 GMT
We are using 0.10.2.1 and ZK 3.4.9. Can something be derived from this
piece of info ? Thanks.

On Tue, Apr 3, 2018 at 3:13 PM, Martin Gainty <mgainty@hotmail.com> wrote:

> tracert MessageBrokerIP
>
> do you see ZK server in the trace?
>
> if yes then you are running kafka-cluster
>
> (ZK does not support mixed mode but there is a backdoor
> zookeeper.properties config attribute that allows plaintext clients to
> bypass sasl auth)
>
> ?
>
> Martin
> ______________________________________________
>
>
>
> ________________________________
> From: Darshan <purandare.darshan@gmail.com>
> Sent: Tuesday, April 3, 2018 5:45 PM
> To: rajinisivaram@gmail.com
> Cc: users@kafka.apache.org
> Subject: Re: advertised.listeners
>
> Hi Rajini
>
> The above configuration that you mentioned a while back helped me sort the
> issue of listeners and I was also able to run Kafka 0.10.2.1 with SSL and
> ACLs as well from one of your other posts.
>
> I wanted to ask you if it is possible to run Kafka in a mixed security
> mode? i.e. external producers who are on 172.x.x.x interface can use the
> SSL to send/receive data from/to our Kafka brokers, but our internal
> consumer can read/write on PLAINTEXT channel to Kafka.
>
> Here is my server.properties, but my internal producer which does not have
> any keystore and truststore is getting the following error:
> *[2018-04-03 21:21:04,378] WARN Error while fetching metadata with
> correlation id 1 : {Topic4006=TOPIC_AUTHORIZATION_FAILED}
> (org.apache.kafka.clients.NetworkClient)*
>
>
> *server.properties for our Kafka-1,2,3. They are identical except
> broker.id
> <http://broker.id> and super.users properties.*
> broker.id -&nbspThis website is for sale! -&nbspbroker Resources and
> Information.<http://broker.id/>
> broker.id
> This website is for sale! broker.id is your first and best source for all
> of the information you’re looking for. From general topics to more of what
> you would expect to find here, broker.id has it all. We hope you find
> what you are searching for!
>
>
>
>
> # ID and basic topic creation
> broker.id=1
> auto.create.topics.enable=true
> delete.topic.enable=true
>
> # LISTERN Settings
> listeners=INTERNAL://1.1.1.165:9092,EXTERNAL://172.21.190.176:9093
> advertised.listeners=INTERNAL://1.1.1.165:9092,EXTERNAL://
> 172.21.190.176:9093
> listener.security.protocol.map=INTERNAL:PLAINTEXT,EXTERNAL:SSL
> inter.broker.listener.name=INTERNAL
> host.name=172.21.190.176
>
> # Security Settings
> ssl.keystore.location=keystore.jks
> ssl.keystore.password=password
> ssl.key.password=password
> ssl.truststore.location=truststore.jks
> ssl.truststore.password=password
> ssl.keystore.type=JKS
> ssl.truststore.type=JKS
> security.protocol=SSL
> ssl.client.auth=required
> allow.everyone.if.no.acl.found=false
> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
> super.users=User:CN=Kafka1
>
> Can you please point out if anything needs to be modified ?
>
> Many thanks.
>
> --Darshan
>
> On Wed, May 31, 2017 at 11:31 AM, Rajini Sivaram <rajinisivaram@gmail.com>
> wrote:
>
> > If you want to use different interfaces with the same security protocol,
> > you can specify listener names. You can then also configure different
> > security properties for internal/external if you need.
> >
> > listeners=INTERNAL://1.x.x.x:9092,EXTERNAL://172.x.x.x:9093
> >
> > advertised.listeners=INTERNAL://1.x.x.x:9092,EXTERNAL://172.x.x.x:9093
> >
> > listener.security.protocol.map=INTERNAL:SSL,EXTERNAL:SSL
> >
> > inter.broker.listener.name=INTERNAL
> >
> > On Wed, May 31, 2017 at 6:22 PM, Raghav <raghavastic@gmail.com> wrote:
> >
> > > Hello Darshan
> > >
> > > Have you tried SSL://0.0.0.0:9093 ?
> > >
> > > Rajani had suggested something similar to me a week back while I was
> > > trying to get a ACL based setup.
> > >
> > > Thanks.
> > >
> > > On Wed, May 31, 2017 at 8:58 AM, Darshan <purandare.darshan@gmail.com>
> > > wrote:
> > >
> > >> Hi
> > >>
> > >> Our Kafka broker has two IPs on two different interfaces.
> > >>
> > >> eth0 has 172.x.x.x for external leg
> > >> eth1 has 1.x.x.x for internal leg
> > >>
> > >>
> > >> Kafka Producer is on 172.x.x.x subnet, and Kafka Consumer is on
> 1.x.x.x
> > >> subnet.
> > >>
> > >> If we use advertised.listeners=SSL://172.x.x.x:9093, then Producer
> can
> > >> producer the message, but Consumer cannot receive the message.
> > >>
> > >> What value should we use for advertised.listeners so that Producer can
> > >> write and Consumers can read ?
> > >>
> > >> Thanks.
> > >>
> > >
> > >
> > >
> > > --
> > > Raghav
> > >
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message