[jira] [Resolved] (KAFKA-4997) Issue with running kafka-acls.sh when using SASL between Kafka and ZK

2017-04-11 Thread Shrikant (JIRA)

 [ 
https://issues.apache.org/jira/browse/KAFKA-4997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shrikant resolved KAFKA-4997.
-
Resolution: Not A Problem

> Issue with running kafka-acls.sh when using SASL between Kafka and ZK
> -
>
> Key: KAFKA-4997
> URL: https://issues.apache.org/jira/browse/KAFKA-4997
> Project: Kafka
> Issue Type: Bug
> Components: security
> Affects Versions: 0.10.1.1
> Environment: Redhat Enterprise Edition Linux
> Reporter: Shrikant
> Priority: Critical
>
> Hi All,
> We are using SASL for authentication between Kafka and ZK. We followed
> https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/
> We have 3 Kafka nodes; on each node, we have
> principal="kafka/server_no.xxx@xxx.com". So:
> On the first node, in kafka_server_jaas.conf, principal is set to
> principal="kafka/server1.xxx@xxx.com"
> On the second node, in kafka_server_jaas.conf, principal is set to
> principal="kafka/server2.xxx@xxx.com"
> On the third node, in kafka_server_jaas.conf, principal is set to
> principal="kafka/server3.xxx@xxx.com"
> When I run the kafka-acls.sh command from node 1, it's successful. It all
> works, but after that I cannot run kafka-acls.sh from the other 2 nodes. On
> the other 2 nodes it fails with the error
> [2017-03-31 18:44:38,629] ERROR Conditional update of path 
> /kafka-acl/Topic/shri-topic with data 
> {"version":1,"acls":[{"principal":"User:CN=xxx,OU=,O=,L=x,ST=xx,C=xx","permissionType":"Allow","operation":"Describe","host":"*"},{"principal":"User:CN=xx,OU=,O=,L=x,ST=xx,C=xx","permissionType":"Allow","operation":"Write","host":"*"}]}
>  and expected version 0 failed due to 
> org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = 
> NoAuth for /kafka-acl/Topic/shri-topic (kafka.utils.ZkUtils)
> When I look at zookeeper-shell.sh for the kafka-acl node, that node only has
> permission for the principal of the first node. I believe this is the reason
> it fails to run kafka-acls.sh from the other 2 nodes, even though those nodes
> have valid keytabs.
> getAcl /kafka-acl
> 'world,'anyone
> : r
> 'sasl,'kafka/server1.xxx@xxx.com
> : cdrwa
> Is this a bug, or am I doing something wrong here?
> Thanks,
> Shri



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
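
A check for the mismatch the reporter describes, as an added example that is not part of the original thread or of Kafka: it parses `getAcl` output in the layout quoted above and lists which broker principals lack write permission on the znode. The `sasl` match is modelled as an exact string comparison, and all function names are hypothetical.

```python
import re

# Constructed sample: getAcl output in the layout quoted in the issue.
GETACL_OUTPUT = """\
'world,'anyone
: r
'sasl,'kafka/server1.xxx@xxx.com
: cdrwa
"""

# Principals from the three kafka_server_jaas.conf files described in the issue.
BROKER_PRINCIPALS = [
    "kafka/server1.xxx@xxx.com",
    "kafka/server2.xxx@xxx.com",
    "kafka/server3.xxx@xxx.com",
]


def parse_getacl(text):
    """Return [(scheme, id, perms)] from zookeeper-shell getAcl output."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        match = re.fullmatch(r"'([^,]+),'(.*)", line)
        if match:
            pending = (match.group(1), match.group(2))
        elif line.startswith(":") and pending:
            entries.append((*pending, line[1:].strip()))
            pending = None
    return entries


def perms_for(principal, entries):
    """Union of permissions a SASL-authenticated principal gets on the znode."""
    granted = set()
    for scheme, ident, perms in entries:
        if scheme == "world" and ident == "anyone":
            granted |= set(perms)
        elif scheme == "sasl" and ident == principal:  # assumed exact match
            granted |= set(perms)
    return granted


def locked_out(principals, entries, needed="w"):
    """Principals lacking the permissions needed to update the znode."""
    return [p for p in principals if not set(needed) <= perms_for(p, entries)]


if __name__ == "__main__":
    acl = parse_getacl(GETACL_OUTPUT)
    for name in locked_out(BROKER_PRINCIPALS, acl):
        print("NoAuth expected for", name, "which has only", sorted(perms_for(name, acl)))
```

Running it against the quoted ACL reports the second and third brokers, which only inherit the world-readable entry.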


[jira] [Commented] (KAFKA-4997) Issue with running kafka-acls.sh when using SASL between Kafka and ZK

2017-04-11 Thread Shrikant (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-4997?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15965186#comment-15965186
 ] 

Shrikant commented on KAFKA-4997:
-

Rajini, thanks for the response.

Figured out the issue: all the Kafka nodes need to use the same principal name.
We made this change and it is working now.

Thanks
Shri



[jira] [Updated] (KAFKA-4997) Issue with running kafka-acls.sh when using SASL between Kafka and ZK

2017-03-31 Thread Shrikant (JIRA)

 [ 
https://issues.apache.org/jira/browse/KAFKA-4997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shrikant updated KAFKA-4997:

Description: 
Hi All, 

We are using SASL for Authentication between Kafka and ZK. Followed - 
https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/

We have 3 Kafka nodes, on each node, we have 
principal="kafka/server_no.xxx@xxx.com. So 

On first node in kafka_server_jaas.conf, principal is set to 
principal="kafka/server1.xxx@xxx.com"
On second node in kafka_server_jaas.conf, principal is set to 
principal="kafka/server2.xxx@xxx.com"
On third node in kafka_server_jaas.conf, principal is set to 
principal="kafka/server3.xxx@xxx.com"

When I run the kafka-acls.sh command from node 1, its successful. It all works, 
but after that I cannot run kafka-acls.sh from the other 2 nodes. On the other 
2 nodes it fails, with error 

[2017-03-31 18:44:38,629] ERROR Conditional update of path 
/kafka-acl/Topic/shri-topic with data 
{"version":1,"acls":[{"principal":"User:CN=xxx,OU=,O=,L=x,ST=xx,C=xx","permissionType":"Allow","operation":"Describe","host":"*"},{"principal":"User:CN=xx,OU=,O=,L=x,ST=xx,C=xx","permissionType":"Allow","operation":"Write","host":"*"}]}
 and expected version 0 failed due to 
org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth 
for /kafka-acl/Topic/shri-topic (kafka.utils.ZkUtils)

When I look at zookeeper-shell.sh for the kafka-acl node, that node only has 
permission for principal of first node. I believe this is the reason it fails 
to run  kafka-acls.sh from the other 2 nodes, even though those nodes have 
valid key tabs.  

getAcl /kafka-acl
'world,'anyone
: r
'sasl,'kafka/server1.xxx@xxx.com
: cdrwa

Is it this bug ?? or am I doing something wrong here.   

Thanks,
Shri



  was:
Hi All, 

We are using SASL for Authentication between Kafka and ZK. Followed - 
https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/

We have 3 Kafka nodes, on each node, we have 
principal="kafka/server_no.xxx@xxx.com. So 

On first node in kafka_server_jaas.conf, principal is set to 
principal="kafka/server1.xxx@xxx.com"
On second node in kafka_server_jaas.conf, principal is set to 
principal="kafka/server2.xxx@xxx.com"
On third node in kafka_server_jaas.conf, principal is set to 
principal="kafka/server3.xxx@xxx.com"

When run the kafka-acls.sh command from node 1, its successful. It all works, 
but after that I cannot run kafka-acls.sh from the other 2 nodes. On the other 
2 nodes it fails, with error 

[2017-03-31 18:44:38,629] ERROR Conditional update of path 
/kafka-acl/Topic/shri-topic with data 
{"version":1,"acls":[{"principal":"User:CN=xxx,OU=,O=,L=x,ST=xx,C=xx","permissionType":"Allow","operation":"Describe","host":"*"},{"principal":"User:CN=xx,OU=,O=,L=x,ST=xx,C=xx","permissionType":"Allow","operation":"Write","host":"*"}]}
 and expected version 0 failed due to 
org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth 
for /kafka-acl/Topic/shri-topic (kafka.utils.ZkUtils)

When I look at zookeeper-shell.sh for the kafka-acl node, that node only has 
permission for principal of first node. I believe this is the reason it does 
run run ACL, even though those nodes have valid keytabs.  

getAcl /kafka-acl
'world,'anyone
: r
'sasl,'kafka/server1.xxx@xxx.com
: cdrwa

Is it this bug ?? or am I doing something wrong here.   

Thanks,
Shri





[jira] [Created] (KAFKA-4997) Issue with running kafka-acls.sh when using SASL between Kafka and ZK

2017-03-31 Thread Shrikant (JIRA)
Shrikant created KAFKA-4997:
---

Summary: Issue with running kafka-acls.sh when using SASL between Kafka and ZK
Key: KAFKA-4997
URL: https://issues.apache.org/jira/browse/KAFKA-4997
Project: Kafka
Issue Type: Bug
Components: security
Affects Versions: 0.10.1.1
Environment: Redhat Enterprise Edition Linux
Reporter: Shrikant
Priority: Critical


Hi All,

We are using SASL for authentication between Kafka and ZK. We followed
https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/

We have 3 Kafka nodes; on each node, we have
principal="kafka/server_no.xxx@xxx.com". So:

On the first node, in kafka_server_jaas.conf, principal is set to
principal="kafka/server1.xxx@xxx.com"
On the second node, in kafka_server_jaas.conf, principal is set to
principal="kafka/server2.xxx@xxx.com"
On the third node, in kafka_server_jaas.conf, principal is set to
principal="kafka/server3.xxx@xxx.com"

When I run the kafka-acls.sh command from node 1, it's successful. It all works,
but after that I cannot run kafka-acls.sh from the other 2 nodes. On the other
2 nodes it fails with the error

[2017-03-31 18:44:38,629] ERROR Conditional update of path 
/kafka-acl/Topic/shri-topic with data 
{"version":1,"acls":[{"principal":"User:CN=xxx,OU=,O=,L=x,ST=xx,C=xx","permissionType":"Allow","operation":"Describe","host":"*"},{"principal":"User:CN=xx,OU=,O=,L=x,ST=xx,C=xx","permissionType":"Allow","operation":"Write","host":"*"}]}
 and expected version 0 failed due to 
org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth 
for /kafka-acl/Topic/shri-topic (kafka.utils.ZkUtils)

When I look at zookeeper-shell.sh for the kafka-acl node, that node only has 
permission for principal of first node. I believe this is the reason it does 
run run ACL, even though those nodes have valid keytabs.  

getAcl /kafka-acl
'world,'anyone
: r
'sasl,'kafka/server1.xxx@xxx.com
: cdrwa

Is this a bug, or am I doing something wrong here?

Thanks,
Shri




