kafka-jira mailing list archives

From "Jagadish Prasath Ramu (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (KAFKA-3687) Internal Authorization Failure at startup with ACLs and security.inter.broker.protocol=PLAINTEXT
Date Tue, 24 Oct 2017 13:06:01 GMT

[ https://issues.apache.org/jira/browse/KAFKA-3687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16216861#comment-16216861 ]

Jagadish Prasath Ramu commented on KAFKA-3687:
----------------------------------------------

The same issue is seen in my environment as well:

{noformat}
[2017-10-24 18:32:25,254] WARN Error while fetching metadata with correlation id 349 : {t1=LEADER_NOT_AVAILABLE} (org.apache.kafka.clients.NetworkClient)
[2017-10-24 18:32:25,362] WARN Error while fetching metadata with correlation id 350 : {t1=LEADER_NOT_AVAILABLE} (org.apache.kafka.clients.NetworkClient)
[2017-10-24 18:32:25,470] WARN Error while fetching metadata with correlation id 351 : {t1=LEADER_NOT_AVAILABLE} (org.apache.kafka.clients.NetworkClient)
[2017-10-24 18:32:25,575] WARN Error while fetching metadata with correlation id 352 : {t1=LEADER_NOT_AVAILABLE} (org.apache.kafka.clients.NetworkClient)
{noformat}


The debug messages of the "authorizer" seem fine (no deny messages):
{noformat}
[2017-10-24 18:32:26,319] DEBUG operation = Create on resource = Cluster:kafka-cluster from host = 127.0.0.1 is Allow based on acl = User:CN=localhost,OU=XXX,O=XXXX,L=XXX,ST=XX,C=XX has Allow permission for operations: Create from hosts: 127.0.0.1 (kafka.authorizer.logger)
[2017-10-24 18:32:26,319] DEBUG Principal = User:CN=localhost,OU=XXX,O=XXXX,L=XXX,ST=XX,C=XX is Allowed Operation = Create from host = 127.0.0.1 on resource = Cluster:kafka-cluster (kafka.authorizer.logger)
{noformat}

> Internal Authorization Failure at startup with ACLs and security.inter.broker.protocol=PLAINTEXT
> ------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-3687
>                 URL: https://issues.apache.org/jira/browse/KAFKA-3687
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 0.10.0.0
>            Reporter: Edoardo Comar
>
> The root cause is this failure in the authorizer.log at server startup:
> [] DEBUG Principal = User:ANONYMOUS is Denied Operation = ClusterAction from host = 192.168.10.22 on resource = Cluster:kafka-cluster (kafka.authorizer.logger)
> and has the *consequence that it's impossible to authorize a producer*.
> Steps to reproduce:
> [~mimaison] and I launched a single broker and a console producer,
> using the SASL_PLAIN authentication between producer and broker.
> Created a topic "testtopic".
> The broker is configured with the SimpleAclAuthorizer
> and the ACL created for the producer is:
> ./kafkacls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:edo1 --producer --topic testtopic
> which results in:
> Current ACLs for resource `Topic:testtopic`:
>   User:edo1 has Allow permission for operations: Write from hosts: *
>   User:edo1 has Allow permission for operations: Describe from hosts: *
> Current ACLs for resource `Cluster:kafka-cluster`:
>   User:edo1 has Allow permission for operations: Create from hosts: *
> However, running the producer, we got:
> [] WARN Error while fetching metadata with correlation id 0 : {testtopic=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
> Looking at the code, the UpdateMetadataRequest that the single broker sends to itself on startup,
> which comes through as a request with User:ANONYMOUS, gets denied by the Authoriser
> (in KafkaApis.handleUpdateMetadataRequest)
> and the MetadataCache is never updated.
> When the first producer requests come through, in KafkaApis.handleTopicMetadataRequest
> the MetadataCache is empty and so we get UNKNOWN_TOPIC_OR_PARTITION.
> ================================
> configuration used:
> server.properties:
> listeners=PLAINTEXT://:9092,SASL_PLAINTEXT://:9093
> sasl.enabled.mechanisms=PLAIN
> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
> producer.properties
> bootstrap.servers=localhost:9093
> security.protocol=SASL_PLAINTEXT
> sasl.mechanism=PLAIN
> producer jaas.conf
> KafkaClient {
>   org.apache.kafka.common.security.plain.PlainLoginModule required
>   serviceName="kafka"
>     username="edo1"
>     password="edo1pwd";
> };



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
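The misconfiguration this issue describes (ACLs enabled while the broker's own inter-broker traffic still uses the default PLAINTEXT protocol, so its requests arrive as User:ANONYMOUS) can be spotted from server.properties and from the authorizer log. The following Python checker is an added example, not code from the Kafka project or from the issue; its sample properties and log lines are constructed to mirror the ones quoted above.

```python
import re

# Constructed sample mirroring the server.properties quoted in the issue; the
# inter-broker protocol is left unset, so it takes Kafka's default of PLAINTEXT.
SAMPLE_SERVER_PROPERTIES = """
listeners=PLAINTEXT://:9092,SASL_PLAINTEXT://:9093
sasl.enabled.mechanisms=PLAIN
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
"""

# Constructed authorizer.log lines in the format shown in the issue.
SAMPLE_AUTHORIZER_LOG = [
    "[2017-10-24 18:32:26,319] DEBUG Principal = User:ANONYMOUS is Denied Operation = ClusterAction from host = 192.168.10.22 on resource = Cluster:kafka-cluster (kafka.authorizer.logger)",
    "[2017-10-24 18:32:26,320] DEBUG Principal = User:edo1 is Allowed Operation = Create from host = 127.0.0.1 on resource = Cluster:kafka-cluster (kafka.authorizer.logger)",
]

AUTH_LINE = re.compile(
    r"Principal = (?P<principal>\S+) is (?P<decision>Allowed|Denied) "
    r"Operation = (?P<operation>\w+) from host = (?P<host>\S+) "
    r"on resource = (?P<resource>\S+)"
)

def parse_properties(text):
    """Minimal key=value parser for a Kafka .properties file (no continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def inter_broker_protocol(props):
    # Kafka defaults security.inter.broker.protocol to PLAINTEXT when unset.
    return props.get("security.inter.broker.protocol", "PLAINTEXT")

def check_config(props):
    """Findings: an authorizer is configured but brokers talk to each other unauthenticated."""
    findings = []
    if props.get("authorizer.class.name") and inter_broker_protocol(props) == "PLAINTEXT":
        findings.append("authorizer.class.name is set but security.inter.broker.protocol is "
                        "PLAINTEXT: the broker's own requests (e.g. UpdateMetadata) arrive as "
                        "User:ANONYMOUS and are denied ClusterAction unless explicitly allowed")
    return findings

def find_anonymous_cluster_denials(log_lines):
    """Pick out authorizer denials for User:ANONYMOUS on the cluster resource."""
    hits = []
    for line in log_lines:
        m = AUTH_LINE.search(line)
        if m and m["decision"] == "Denied" and m["principal"] == "User:ANONYMOUS" \
                and m["resource"].startswith("Cluster:"):
            hits.append(m.groupdict())
    return hits
```

Pointing security.inter.broker.protocol at an authenticated listener (here SASL_PLAINTEXT) clears the config finding; the log check is the detection side, useful when the broker config is not at hand.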
