[
https://issues.apache.org/jira/browse/KAFKA-4997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Shrikant updated KAFKA-4997:
----------------------------
Description:
Hi All,
We are using SASL for Authentication between Kafka and ZK. Followed -
https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/
We have 3 Kafka nodes, on each node, we have
principal="kafka/[email protected]. So
On first node in kafka_server_jaas.conf, principal is set to
principal="kafka/[email protected]"
On second node in kafka_server_jaas.conf, principal is set to
principal="kafka/[email protected]"
On third node in kafka_server_jaas.conf, principal is set to
principal="kafka/[email protected]"
When I run the kafka-acls.sh command from node 1, it's successful. It all works,
but after that I cannot run kafka-acls.sh from the other 2 nodes. On the other
2 nodes it fails, with error
[2017-03-31 18:44:38,629] ERROR Conditional update of path
/kafka-acl/Topic/shri-topic with data
{"version":1,"acls":[{"principal":"User:CN=xxxxxxx,OU=xxxx,O=xxxx,L=xxxxx,ST=xx,C=xx","permissionType":"Allow","operation":"Describe","host":"*"},{"principal":"User:CN=xxxxxx,OU=xxxx,O=xxxx,L=xxxxx,ST=xx,C=xx","permissionType":"Allow","operation":"Write","host":"*"}]}
and expected version 0 failed due to
org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth
for /kafka-acl/Topic/shri-topic (kafka.utils.ZkUtils)
When I look at zookeeper-shell.sh for the kafka-acl node, that node only has
permission for principal of first node. I believe this is the reason it fails
to run kafka-acls.sh from the other 2 nodes, even though those nodes have
valid key tabs.
getAcl /kafka-acl
'world,'anyone
: r
'sasl,'kafka/[email protected]
: cdrwa
Is it this bug, or am I doing something wrong here?
Thanks,
Shri
was:
Hi All,
We are using SASL for Authentication between Kafka and ZK. Followed -
https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/
We have 3 Kafka nodes, on each node, we have
principal="kafka/[email protected]. So
On first node in kafka_server_jaas.conf, principal is set to
principal="kafka/[email protected]"
On second node in kafka_server_jaas.conf, principal is set to
principal="kafka/[email protected]"
On third node in kafka_server_jaas.conf, principal is set to
principal="kafka/[email protected]"
When run the kafka-acls.sh command from node 1, its successful. It all works,
but after that I cannot run kafka-acls.sh from the other 2 nodes. On the other
2 nodes it fails, with error
[2017-03-31 18:44:38,629] ERROR Conditional update of path
/kafka-acl/Topic/shri-topic with data
{"version":1,"acls":[{"principal":"User:CN=xxxxxxx,OU=xxxx,O=xxxx,L=xxxxx,ST=xx,C=xx","permissionType":"Allow","operation":"Describe","host":"*"},{"principal":"User:CN=xxxxxx,OU=xxxx,O=xxxx,L=xxxxx,ST=xx,C=xx","permissionType":"Allow","operation":"Write","host":"*"}]}
and expected version 0 failed due to
org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth
for /kafka-acl/Topic/shri-topic (kafka.utils.ZkUtils)
When I look at zookeeper-shell.sh for the kafka-acl node, that node only has
permission for principal of first node. I believe this is the reason it does
run run ACL, even though those nodes have valid keytabs.
getAcl /kafka-acl
'world,'anyone
: r
'sasl,'kafka/[email protected]
: cdrwa
Is it this bug ?? or am I doing something wrong here.
Thanks,
Shri
> Issue with running kafka-acls.sh when using SASL between Kafka and ZK
> ---------------------------------------------------------------------
>
> Key: KAFKA-4997
> URL: https://issues.apache.org/jira/browse/KAFKA-4997
> Project: Kafka
> Issue Type: Bug
> Components: security
> Affects Versions: 0.10.1.1
> Environment: Redhat Enterprise Edition Linux,
> Reporter: Shrikant
> Priority: Critical
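The getAcl output in the report lists a single sasl identity with cdrwa, so any broker that authenticates under a different per-host principal only gets the world:anyone read permission and its conditional update is rejected with NoAuth. The following is an added example, not part of the report and not Kafka or ZooKeeper code: it parses getAcl output in the format quoted above and lists which principals lack write access. The host names and realm are constructed placeholders, and normalize() is a hypothetical helper that models the effect of ZooKeeper's server-side kerberos.removeHostFromPrincipal and kerberos.removeRealmFromPrincipal settings.

```python
import re

# Constructed sample in the format of the getAcl output quoted in the report.
# Host names and realm are placeholders, not values from the issue.
SAMPLE_GETACL = """\
'world,'anyone
: r
'sasl,'kafka/node1.example.com@EXAMPLE.COM
: cdrwa
"""
BROKER_PRINCIPALS = [f"kafka/node{n}.example.com@EXAMPLE.COM" for n in (1, 2, 3)]
ENTRY = re.compile(r"^'(?P<scheme>[^,]+),'(?P<id>.*)$")


def parse_getacl(text):
    """Return [(scheme, id, perms)] from zookeeper-shell getAcl output."""
    acls, pending = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY.match(line)
        if m:
            pending = (m.group("scheme"), m.group("id"))
        elif line.startswith(":") and pending:
            acls.append((*pending, set(line[1:].strip())))
            pending = None
    return acls


def normalize(principal, drop_host=False, drop_realm=False):
    """Model the SASL id the server derives from service/host@REALM."""
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    out = service if drop_host or not host else f"{service}/{host}"
    return out if drop_realm or not realm else f"{out}@{realm}"


def permissions(acls, principal, **norm):
    """Union of the permissions an authenticated principal is granted."""
    sasl_id = normalize(principal, **norm)
    perms = set()
    for scheme, ident, granted in acls:
        if (scheme, ident) in (("world", "anyone"), ("sasl", sasl_id)):
            perms |= granted
    return perms


def locked_out(acls, principals, need="w", **norm):
    """Principals that cannot update the znode (missing `need`)."""
    return [p for p in principals if need not in permissions(acls, p, **norm)]
```

With the sample ACL, locked_out() returns the node 2 and node 3 principals, matching the behaviour described in the report; against an ACL whose sasl id carries no host part, all three brokers resolve to the same identity when drop_host=True.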