Edoardo Comar created KAFKA-3687:
------------------------------------

             Summary: Internal Authorization Failure at startup with ACLs and 
security.inter.broker.protocol=PLAIN
                 Key: KAFKA-3687
                 URL: https://issues.apache.org/jira/browse/KAFKA-3687
             Project: Kafka
          Issue Type: Bug
    Affects Versions: 0.10.0.0
            Reporter: Edoardo Comar


The root cause is this failure in the authorizer.log at server startup:

[] DEBUG Principal = User:ANONYMOUS is Denied Operation = ClusterAction from host = 192.168.10.22 on resource = Cluster:kafka-cluster (kafka.authorizer.logger)

and has the *consequence that it's impossible to authorize a producer*.

Steps to reproduce:

[~mimaison] and I launched a single broker and a console producer,
using the SASL_PLAIN authentication between producer and broker.

Created a topic "testtopic".

The broker is configured with the SimpleAclAuthorizer
and the ACL created for the producer is:

./kafkacls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:edo1 --producer --topic testtopic

which results in:

Current ACLs for resource `Topic:testtopic`: 
        User:edo1 has Allow permission for operations: Write from hosts: *
        User:edo1 has Allow permission for operations: Describe from hosts: * 

Current ACLs for resource `Cluster:kafka-cluster`: 
        User:edo1 has Allow permission for operations: Create from hosts: * 


However running the producer, we got:

[] WARN Error while fetching metadata with correlation id 0 : {testtopic=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)

Looking at the code, the UpdateMetadataRequest that the single broker sends to
itself on startup,
which comes through as a request from User:ANONYMOUS, gets denied by the
Authoriser
(in KafkaApis.handleUpdateMetadataRequest)
and the MetadataCache is never updated.

When the first producer requests come through, in 
KafkaApis.handleTopicMetadataRequest
the MetadataCache is empty and so we get UNKNOWN_TOPIC_OR_PARTITION.


================================
configuration used:

server.properties:
listeners=PLAINTEXT://:9092,SASL_PLAINTEXT://:9093
sasl.enabled.mechanisms=PLAIN
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer

producer.properties
bootstrap.servers=localhost:9093
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN

producer jaas.conf
KafkaClient {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  serviceName="kafka"
    username="edo1"
    password="edo1pwd";
};




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
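Added example, not part of the JIRA report or of the Kafka project: a small Python parser for SimpleAclAuthorizer log lines in the format quoted above, plus a check that flags the specific symptom in this report, an unauthenticated User:ANONYMOUS principal being denied ClusterAction on the Cluster resource. That pattern is what a broker's own inter-broker requests look like in authorizer.log when an authorizer is enabled but the inter-broker listener is unauthenticated, so it is a useful thing to alert on right after turning ACLs on. The sample log lines, timestamps and hosts below are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Message format written by Kafka's SimpleAclAuthorizer into authorizer.log.
# The log4j prefix ("[timestamp] LEVEL ") and the logger suffix are ignored
# by searching for the message body only.
AUTHZ_LINE = re.compile(
    r"Principal = (?P<principal>\S+) is (?P<decision>Allowed|Denied) "
    r"Operation = (?P<operation>\S+) from host = (?P<host>\S+) "
    r"on resource = (?P<resource>\S+)"
)


@dataclass
class AuthzEvent:
    principal: str
    decision: str
    operation: str
    host: str
    resource: str


def parse_line(line: str) -> Optional[AuthzEvent]:
    """Parse one authorizer.log line; return None for lines in another format."""
    match = AUTHZ_LINE.search(line)
    if match is None:
        return None
    return AuthzEvent(**match.groupdict())


def find_unauthenticated_cluster_denials(lines: Iterable[str]) -> List[AuthzEvent]:
    """Return denials where an anonymous principal was refused ClusterAction.

    On a broker whose inter-broker listener carries no authentication, its
    own controller-to-broker traffic (e.g. UpdateMetadata) is authorized as
    User:ANONYMOUS, so these events indicate the broker is denying itself.
    """
    hits = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        if (
            event.decision == "Denied"
            and event.principal == "User:ANONYMOUS"
            and event.operation == "ClusterAction"
            and event.resource.startswith("Cluster:")
        ):
            hits.append(event)
    return hits


# Constructed sample log, not captured from a real cluster. The first line
# mirrors the entry quoted in the report; the rest are ordinary ACL decisions.
SAMPLE_LOG = [
    "[2016-05-09 10:00:00,001] DEBUG Principal = User:ANONYMOUS is Denied "
    "Operation = ClusterAction from host = 192.168.10.22 "
    "on resource = Cluster:kafka-cluster (kafka.authorizer.logger)",
    "[2016-05-09 10:00:05,120] DEBUG Principal = User:edo1 is Allowed "
    "Operation = Describe from host = 192.168.10.22 "
    "on resource = Topic:testtopic (kafka.authorizer.logger)",
    "[2016-05-09 10:00:05,121] DEBUG Principal = User:edo1 is Allowed "
    "Operation = Write from host = 192.168.10.22 "
    "on resource = Topic:testtopic (kafka.authorizer.logger)",
    "[2016-05-09 10:00:07,300] DEBUG Principal = User:ANONYMOUS is Denied "
    "Operation = Describe from host = 192.168.10.23 "
    "on resource = Topic:testtopic (kafka.authorizer.logger)",
    "[2016-05-09 10:00:08,000] INFO Something unrelated (kafka.server.KafkaServer)",
]


if __name__ == "__main__":
    for event in find_unauthenticated_cluster_denials(SAMPLE_LOG):
        print(
            f"broker self-denial: {event.principal} denied {event.operation} "
            f"on {event.resource} from {event.host}"
        )
```

The fourth sample line (an anonymous client denied Describe on a topic) is deliberately not matched: that is the authorizer doing its job against an unauthenticated client, whereas a ClusterAction denial on the Cluster resource from ANONYMOUS is almost always the broker's own inter-broker traffic being refused.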