kafka-jira mailing list archives

From "Jagadish Prasath Ramu (JIRA)" <j...@apache.org>
Subject [jira] [Created] (KAFKA-6112) SSL + ACL does not seem to work
Date Tue, 24 Oct 2017 13:22:00 GMT
Jagadish Prasath Ramu created KAFKA-6112:
--------------------------------------------

             Summary: SSL + ACL does not seem to work
                 Key: KAFKA-6112
                 URL: https://issues.apache.org/jira/browse/KAFKA-6112
             Project: Kafka
          Issue Type: Bug
          Components: security
    Affects Versions: 0.11.0.0, 0.11.0.1
            Reporter: Jagadish Prasath Ramu


I'm trying to enable ACL for a cluster that has SSL-based authentication set up.

A similar issue (or exceptions) has been reported in the following JIRA:
https://issues.apache.org/jira/browse/KAFKA-3687 (refer to the last 2 exceptions that were posted after the issue was closed).


Error messages seen in the producer:

{noformat}
[2017-10-24 18:32:25,254] WARN Error while fetching metadata with correlation id 349 : {t1=LEADER_NOT_AVAILABLE} (org.apache.kafka.clients.NetworkClient)
[2017-10-24 18:32:25,362] WARN Error while fetching metadata with correlation id 350 : {t1=LEADER_NOT_AVAILABLE} (org.apache.kafka.clients.NetworkClient)
[2017-10-24 18:32:25,470] WARN Error while fetching metadata with correlation id 351 : {t1=LEADER_NOT_AVAILABLE} (org.apache.kafka.clients.NetworkClient)
[2017-10-24 18:32:25,575] WARN Error while fetching metadata with correlation id 352 : {t1=LEADER_NOT_AVAILABLE} (org.apache.kafka.clients.NetworkClient)
{noformat}

Security-related Kafka config.properties:

{noformat}
ssl.keystore.location=kafka.server.keystore.jks
ssl.keystore.password=abc123
ssl.key.password=abc123
ssl.truststore.location=kafka.server.truststore.jks
ssl.truststore.password=abc123

ssl.client.auth=required
ssl.enabled.protocols = TLSv1.2,TLSv1.1,TLSv1
ssl.keystore.type = JKS
ssl.truststore.type = JKS
security.inter.broker.protocol = SSL

authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
allow.everyone.if.no.acl.found=false

super.users=User:Bob;User:"CN=localhost,OU=XXX,O=XXXX,L=XXX,ST=XX,C=XX"

listeners=PLAINTEXT://0.0.0.0:9092,SSL://0.0.0.0:9093
{noformat}

Client configuration file:
{noformat}
security.protocol=SSL
ssl.truststore.location=kafka.client.truststore.jks
ssl.truststore.password=abc123
ssl.keystore.location=kafka.client.keystore.jks
ssl.keystore.password=abc123
ssl.key.password=abc123
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
ssl.truststore.type=JKS
ssl.keystore.type=JKS
group.id=group-1
{noformat}

The debug messages in the authorizer log do not show any "DENY" messages.

{noformat}
[2017-10-24 18:32:26,319] DEBUG operation = Create on resource = Cluster:kafka-cluster from host = 127.0.0.1 is Allow based on acl = User:CN=localhost,OU=XXX,O=XXXX,L=XXX,ST=XX,C=XX has Allow permission for operations: Create from hosts: 127.0.0.1 (kafka.authorizer.logger)
[2017-10-24 18:32:26,319] DEBUG Principal = User:CN=localhost,OU=XXX,O=XXXX,L=XXX,ST=XX,C=XX is Allowed Operation = Create from host = 127.0.0.1 on resource = Cluster:kafka-cluster (kafka.authorizer.logger)
{noformat}



I have followed the scripts stated in the thread:
http://comments.gmane.org/gmane.comp.apache.kafka.user/12619






--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
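
An added example, not part of the original report or of Kafka's code: a small Python script that tallies the decision lines of `kafka.authorizer.logger` per principal and lists the `super.users` entries that do not equal any principal string the authorizer logged. The `Denied` wording, the exact-string comparison, the function names and the sample `Denied` record are assumptions made for illustration.

```python
import re
from collections import Counter

# Decision line format as quoted in the report; "Denied" is an assumed counterpart of "Allowed".
DECISION = re.compile(
    r"Principal = (?P<principal>.+?) is (?P<result>Allowed|Denied) "
    r"Operation = (?P<op>\S+) from host = (?P<host>\S+) on resource = (?P<resource>\S+)")
RECORD_START = re.compile(r"^\[\d{4}-\d{2}-\d{2} ")

def unwrap(text):
    """Rejoin log records that the mail wrapped onto several lines."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def decisions(text):
    """Count (principal, result, operation, resource) over all decision lines."""
    tally = Counter()
    for rec in unwrap(text):
        m = DECISION.search(rec)
        if m:
            tally[(m["principal"], m["result"], m["op"], m["resource"])] += 1
    return tally

def super_users(props):
    """Return the ';'-separated entries of super.users exactly as written."""
    for line in props.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "super.users":
            return [e.strip() for e in value.split(";") if e.strip()]
    return []

def unmatched_super_users(props, log):
    """super.users entries that equal no principal string found in the log (assumed exact match)."""
    seen = {key[0] for key in decisions(log)}
    return [e for e in super_users(props) if e not in seen]

DN = "CN=localhost,OU=XXX,O=XXXX,L=XXX,ST=XX,C=XX"
# Constructed sample: the report's record, wrapped as in the mail, plus an invented Denied record.
SAMPLE_LOG = f"""[2017-10-24 18:32:26,319] DEBUG Principal = User:{DN}
is Allowed Operation = Create from host = 127.0.0.1 on resource = Cluster:kafka-cluster (kafka.authorizer.logger)
[2017-10-24 18:32:27,001] DEBUG Principal = User:ANONYMOUS is Denied Operation = Describe from host = 127.0.0.1 on resource = Topic:t1 (kafka.authorizer.logger)
"""
SAMPLE_PROPS = f'super.users=User:Bob;User:"{DN}"\n'
if __name__ == "__main__":
    print(decisions(SAMPLE_LOG), unmatched_super_users(SAMPLE_PROPS, SAMPLE_LOG))
```

On the sample, both `super.users` entries are listed: `User:Bob` never appears in the log, and the quoted entry differs from the logged principal by its quote characters.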
