kafka-users mailing list archives

From Bala <kbkre...@yahoo.com.INVALID>
Subject Re: Kafka ACL issue - Operation denied despite having full access to the topic
Date Sat, 29 Sep 2018 16:06:06 GMT
 
Wow, good catch. I am using the HDP distribution and when I looked at the config for Kafka,
the super user is set as `user:kafka`. I think this deserves an explicit mention in the docs
about using the upper case "User".
Thanks for the help. Now I am unblocked on this issue and am getting a different error: "Error
while fetching metadata with correlation id 2 : {mytopic=LEADER_NOT_AVAILABLE}". Will look
into that.
Thanks
Bala
    On Saturday, September 29, 2018, 11:43:13 AM EDT, Manikumar <manikumar.reddy@gmail.com>
wrote:  
 
The PrincipalType string "User" is case sensitive. Try creating ACLs for the
"User:storm-mytestcluster" principal.

On Sat, Sep 29, 2018 at 9:04 PM Bala <kbkreddy@yahoo.com.invalid> wrote:

> Yes, I followed all the docs and the thing is it's connecting as expected and
> sending the right user to the server. The problem is that when I list ACLs
> I am seeing that the user has all the access. But when the producer is trying
> to connect to the server, the server is logging a message saying that the
> user is denied. Something is not right and I want to know how to debug this
> further to find out why the server thinks the user has no access.
>
> I even tried adding the user to the super users and am still not able to
> access the topic.
> I am using Kafka 1.0.0.
>    On Friday, September 28, 2018, 8:14:30 PM EDT, Vahid Hashemian <
> vahid.hashemian@gmail.com> wrote:
>
> Your producer needs to have Write access to the topic. But as you mentioned,
> All should cover Write. Which version of Kafka are you using?
> FYI, more authn/authz information can be found here for some of the common
> client operations:
> https://developer.ibm.com/opentech/2017/05/31/kafka-acls-in-practice/
>
> --Vahid
>
> On Fri, Sep 28, 2018 at 9:13 AM Bala <kbkreddy@yahoo.com.invalid> wrote:
>
> > Producer using the Java API. I did configure the JAAS config as per docs.
> > It looks like it is working and the authentication succeeded, but the
> > authorization is not honoring the ACL.
> >    On Friday, September 28, 2018, 11:56:24 AM EDT, Vahid Hashemian <
> > vahid.hashemian@gmail.com> wrote:
> >
> >  Hi Bala,
> >
> > What operation/command are you trying that gives you this error?
> >
> > --Vahid
> >
> > On Fri, Sep 28, 2018 at 7:12 AM Bala <kbkreddy@yahoo.com.invalid> wrote:
> >
> > > I have a Kafka with Kerberos security and am trying to use the ACL and am not
> > > able to make it work.
> > >
> > > Here is the error I am seeing in the server log.
> > > [2018-09-28 14:06:54,152] INFO Principal = User:storm-mytestcluster is Denied Operation = Describe from host = <ip address of host> on resource = Topic:icd_alpha (kafka.authorizer.logger)
> > > [2018-09-28 14:06:54,312] INFO Principal = User:storm-mytestcluster is Denied Operation = Describe from host = <ip address of host> on resource = Topic:icd_alpha (kafka.authorizer.logger)
> > > [2018-09-28 14:06:54,472] INFO Principal = User:storm-mytestcluster is Denied Operation = Describe from host = <ip address of host> on resource = Topic:icd_alpha (kafka.authorizer.logger)
> > > [2018-09-28 14:06:54,631] INFO Principal = User:storm-mytestcluster is Denied Operation = Describe from host = <ip address of host> on resource = Topic:icd_alpha (kafka.authorizer.logger)
> > > [2018-09-28 14:06:54,793] INFO Principal = User:storm-mytestcluster is Denied Operation = Describe from host = <ip address of host> on resource = Topic:icd_alpha (kafka.authorizer.logger)
> > > [2018-09-28 14:06:54,953] INFO Principal = User:storm-mytestcluster is Denied Operation = Describe from host = <ip address of host> on resource = Topic:icd_alpha (kafka.authorizer.logger)
> > >
> > >
> > >
> > > But the user has full access to the topic: Here is the output of `list`
> > > command
> > >
> > > Current ACLs for resource `Topic:icd_alpha`:
> > >      user:storm-mytestcluster has Allow permission for operations: All from hosts: *
> > >
> > > Please help me, as I am kind of blocked and don't know how to proceed
> > > further.
> > > Thanks
> > > Bala
> > >
> >
>
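
The mismatch diagnosed in this thread can be checked mechanically. The following is an added example, not code from the thread or from the Kafka project: it cross-references denied principals in the authorizer log against the ACL listing and the `super.users` value, and reports entries that differ from the denied principal only by letter case. Function names are hypothetical, the input formats are assumed to match the lines quoted above, and `super.users` is assumed to be a semicolon-separated list.

```python
import re

# Formats below follow the authorizer log and `list` output quoted in this thread.
DENIED_RE = re.compile(
    r"Principal = (?P<principal>\S+) is Denied Operation = (?P<op>\w+) "
    r"from host = .*? on resource = (?P<resource>\S+)")
RESOURCE_RE = re.compile(r"Current ACLs for resource `(?P<resource>[^`]+)`")
ACL_RE = re.compile(
    r"^\s*(?P<principal>\S+) has (?P<perm>Allow|Deny) permission "
    r"for operations: (?P<op>\w+) from hosts: (?P<host>\S+)")

def parse_acl_listing(text):
    """Return {resource: [(principal, permission, operation), ...]}."""
    acls, current = {}, None
    for line in text.splitlines():
        header = RESOURCE_RE.search(line)
        if header:
            current = header.group("resource")
            acls.setdefault(current, [])
            continue
        entry = ACL_RE.match(line)
        if entry and current:
            acls[current].append(entry.group("principal", "perm", "op"))
    return acls

def case_mismatches(log_text, acl_text, super_users=""):
    """Find denied principals that match a configured one only case-insensitively."""
    acls = parse_acl_listing(acl_text)
    supers = [s.strip() for s in super_users.split(";") if s.strip()]
    findings = set()  # a set, because the same denial repeats in the log
    for m in DENIED_RE.finditer(log_text):
        denied, resource = m.group("principal"), m.group("resource")
        candidates = [(p, "acl on " + resource) for p, _, _ in acls.get(resource, [])]
        candidates += [(s, "super.users") for s in supers]
        for configured, where in candidates:
            if configured != denied and configured.lower() == denied.lower():
                findings.add((denied, configured, where))
    return sorted(findings)

# Constructed sample input, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
[2018-09-28 14:06:54,152] INFO Principal = User:storm-mytestcluster is Denied Operation = Describe from host = <ip address of host> on resource = Topic:icd_alpha (kafka.authorizer.logger)
"""
SAMPLE_ACLS = """\
Current ACLs for resource `Topic:icd_alpha`:
     user:storm-mytestcluster has Allow permission for operations: All from hosts: *
"""
if __name__ == "__main__":
    for denied, configured, where in case_mismatches(SAMPLE_LOG, SAMPLE_ACLS, "user:kafka"):
        print(f"{denied} denied; {where} has '{configured}' (differs only by case)")
```

An empty result means no configured principal is a case-only near miss of a denied one, so the denial has some other cause.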
  