kafka-dev mailing list archives

From "Manikumar (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (KAFKA-6972) Kafka ACL does not work expected with wildcard
Date Tue, 05 Jun 2018 10:54:00 GMT

     [ https://issues.apache.org/jira/browse/KAFKA-6972?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Manikumar resolved KAFKA-6972.
------------------------------
    Resolution: Information Provided

> Kafka ACL does not work expected with wildcard
> ----------------------------------------------
>
>                 Key: KAFKA-6972
>                 URL: https://issues.apache.org/jira/browse/KAFKA-6972
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.11.0.0
>         Environment: OS : CentOS 7, 64bit.
> Confluent : 3.3, Kafka 0.11.
>            Reporter: Soyee Deng
>            Assignee: Sönke Liebau
>            Priority: Major
>
> Just started with Confluent 3.3 platform and Kafka 0.11 having SSL as transportation
> security and Kerberos to restrict the access control based on the holding principals. In order
> to make life easier, wildcard is extensively used in my environment. But it turned out that
> it is not working as expected.
> My issue is that when I run the command _kafka-acls_ under one directory with some files,
> this command would pick up the name of the first file as the topic name or group name. e.g. In
> my case, abcd.txt would be chosen while giving my principal connect-consumer the permissions
> of consuming messages from any topic with any group Id.
> [quality@data-pipeline-1 test_dir]$ KAFKA_OPTS=-Djava.security.auth.login.config='/etc/security/jaas/broker-jaas.conf' kafka-acls --authorizer-properties zookeeper.connect=data-pipeline-1.orion.com:2181 --add --allow-principal User:connect-consumer --consumer --topic * --group *
>  Adding ACLs for resource `Topic:abcd.txt`:
>  User:connect-consumer has Allow permission for operations: Describe from hosts: *
>  User:connect-consumer has Allow permission for operations: Read from hosts: *
> Adding ACLs for resource `Group:abcd.txt`:
>  User:connect-consumer has Allow permission for operations: Read from hosts: *
> Current ACLs for resource `Topic:abcd.txt`:
>  User:connect-consumer has Allow permission for operations: Describe from hosts: *
>  User:connect-consumer has Allow permission for operations: Read from hosts: *
>  User:connect-consumer has Allow permission for operations: Write from hosts: *
> Current ACLs for resource `Group:abcd.txt`:
>  User:connect-consumer has Allow permission for operations: Read from hosts: *
>  
> My current workaround solution is changing the command context to an empty directory and
> running the above command; it works as expected.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
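
The output in the report is what results when the shell expands an unquoted `*` against the current directory before kafka-acls starts, and in an empty directory nothing matches, so the `*` is passed through literally. The following is an added example, not part of the original message or of Kafka, that shows the arguments a program receives in each case. `show_acl_args` is a hypothetical stand-in for kafka-acls, and the file names are constructed.

```bash
#!/bin/sh
# Added demo: what a program receives for `--topic * --group *`.

# True when a non-empty value names an entry in the current directory.
in_cwd() { [ -n "$1" ] && [ -e "./$1" ]; }

# Hypothetical stand-in for kafka-acls: reports the values seen after
# --topic and --group, the number of stray positional arguments, and
# whether the arguments look like the product of glob expansion.
show_acl_args() (
  topic="" group="" extra=0 suspect=no
  while [ "$#" -gt 0 ]; do
    case "$1" in
      --topic) topic=$2; shift 2 ;;
      --group) group=$2; shift 2 ;;
      *)       extra=$((extra + 1)); shift ;;
    esac
  done
  if in_cwd "$topic" || in_cwd "$group" || [ "$extra" -gt 0 ]; then
    suspect=yes
  fi
  printf 'topic=%s group=%s extra=%d suspect=%s\n' \
    "$topic" "$group" "$extra" "$suspect"
)

# Runs three cases in a scratch directory and prints one line per case.
demo() (
  dir=$(mktemp -d) || exit 1
  cd "$dir" || exit 1
  touch abcd.txt notes.txt                 # constructed file names
  show_acl_args --topic * --group *        # unquoted: expanded to file names
  show_acl_args --topic '*' --group '*'    # quoted: literal wildcard
  mkdir empty && cd empty || exit 1
  show_acl_args --topic * --group *        # empty dir: no match, stays `*`
  cd / && rm -rf "$dir"
)

demo
```

Quoting the wildcard (`--topic '*' --group '*'`) gives the same result in any working directory.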
