Re: Restrict access on kafka with multiple listener

2018-07-17 Thread Matt L
Hi,

I have an existing Kafka Cluster that is configured as PLAINTEXT. We want
to enable SASL (GSSAPI) as an additional listener.

Is there a way to force specific topics to only accept traffic
(publish/consume) from a certain listener?

e.g. if I create a topic and set ACLs, how do I stop a client from using
the PLAINTEXT protocol and publishing and consuming to that topic?

Thanks!


Restrict access on kafka with multiple listener

2018-07-18 Thread Matt L
Hi,

I have an existing Kafka Cluster that is configured as PLAINTEXT. We want
to enable SASL (GSSAPI) as an additional listener.

Is there a way to force specific topics to only accept traffic (pub/con)
from a certain listener?

e.g. if I create a topic and set ACLs, how do I stop a client from using
the PLAINTEXT protocol and publishing and consuming to that topic?

Thanks,


Kafka SASL (Kerberos) - UNKNOWN_TOPIC_OR_PARTITION

2018-08-20 Thread Matt L
Hello,

Having trouble when publishing and consuming from a topic with
SASL_PLAINTEXT.

Both ZK and Kafka start successfully, in logs I see SASL_PLAINTEXT on 9093
as being available.

kafka.log:[2018-08-20 03:31:08,202] INFO Registered broker 1 at path
/brokers/ids/1 with addresses:
EndPoint(kafkabroker1,9092,ListenerName(SSL),SSL),EndPoint(kafkabroker1,9093,ListenerName(SASL_PLAINTEXT),SASL_PLAINTEXT)
(kafka.utils.ZkUtils:70)


When I try to publish, e.g.
  bin/kafka-console-producer --broker-list kafkabroker1:9093 \
  --topic testtopic1 --producer.config /tmp/sasl-producer.properties

I get:

[2018-08-20 08:37:35,075] WARN Error while fetching metadata with
correlation id 3 : {testtopic1=UNKNOWN_TOPIC_OR_PARTITION}
(org.apache.kafka.clients.NetworkClient)
[2018-08-20 08:37:35,176] WARN Error while fetching metadata with
correlation id 4 : {testtopic1=UNKNOWN_TOPIC_OR_PARTITION}
(org.apache.kafka.clients.NetworkClient)
[2018-08-20 08:37:35,277] WARN Error while fetching metadata with
correlation id 5 : {testtopic1=UNKNOWN_TOPIC_OR_PARTITION}
(org.apache.kafka.clients.NetworkClient)


What I've verified:
1) Client can resolve advertised.listeners on all brokers. (prior to
enabling SASL, PLAINTEXT and SSL work with my set advertised.listeners)
2) In my sasl-producer.properties, I'm authenticating with user Kafka. Kafka
has been set as super user and in kafka-authorizer.log, I see:

[2018-08-20 08:27:19,971] DEBUG principal = User:kafka is a super user,
allowing operation without checking acls. (kafka.authorizer.logger)
[2018-08-20 08:27:19,971] DEBUG Principal = User:kafka is Allowed Operation
= Describe from host = 10.10.52.1 on resource = Topic:testtopic1
(kafka.authorizer.logger)
[2018-08-20 08:27:20,072] DEBUG operation = Read on resource = Topic:
testtopic1 from host = 10.10.52.1 is Allow based on acl = User:kafka has
Allow permission for operations: All from hosts: * (kafka.authorizer.logger)

and from the kafka.log's in DEBUG:
[2018-08-20 09:35:48,364] DEBUG principal = User:kafka is a super user,
allowing operation without checking acls. (kafka.authorizer.logger:159)
[2018-08-20 09:35:48,364] DEBUG Principal = User:kafka is Allowed Operation
= Describe from host = 10.89.64.7 on resource = Topic:kerbtest1
(kafka.authorizer.logger:251)
[2018-08-20 09:35:48,364] DEBUG Completed
request:{api_key=3,api_version=4,correlation_id=186,client_id=console-producer}
-- {topics=[kerbtest1],allow_auto_topic_creation=true} from connection
10.10.52.1:9093-10.10.52.1:42752;totalTime:0.461000,requestQueueTime:0.033000,localTime:0.346000,remoteTime:0.00,throttleTime:0.033000,responseQueueTime:0.03,sendTime:0.066000,securityProtocol:SASL_PLAINTEXT,principal:User:kafka,listener:SASL_PLAINTEXT
(kafka.request.logger:193)


I'm assuming everything is okay from an ACL standpoint but when the client
cannot get the topic metadata from the returned advertised listeners?
Any ideas on what I could be missing? Could this be something with ZK
setup/any authentication I am missing there? I had even tried "skipACL=yes"
but that did not change anything.

Thanks!


Re: Kafka SASL (Kerberos) - UNKNOWN_TOPIC_OR_PARTITION

2018-08-20 Thread Matt L
Thanks for the pointer Manikumar!

It looks like it was my inter-broker communication, this was set to SSL so
inter-broker users were coming in as ANONYMOUS. Once I changed this to
SASL_SSL I was able to publish/consume.

One remaining question I have is around
allow.everyone.if.no.acl.found=true. Despite setting this, I still see
"User:ANONYMOUS is Denied Operation= Describe" in authorizer log. Is there
something else that needs to be set to enable this? Or is "Describe" not
part of what this flag sets.

Thanks,
Matt

On Mon, Aug 20, 2018 at 5:03 AM, Manikumar 
wrote:

> is auto topic creation enabled on server? Any deny logs in
> kafka-authorizer.log?
> What is the inter-broker protocol configured? If it is SSL, SSL user should
> have ClusterAction permission.
>
> On Mon, Aug 20, 2018 at 3:33 PM Matt L  wrote:
>
> > Hello,
> >
> > Having trouble when publishing and consuming from a topic with
> > SASL_PLAINTEXT.
> >
> > Both ZK and Kafka start successfully, in logs I see SASL_PLAINTEXT on
> > 9093 as being available.
> >
> > kafka.log:[2018-08-20 03:31:08,202] INFO Registered broker 1 at path
> > /brokers/ids/1 with addresses:
> > EndPoint(kafkabroker1,9092,ListenerName(SSL),SSL),EndPoint(kafkabroker1,9093,ListenerName(SASL_PLAINTEXT),SASL_PLAINTEXT)
> > (kafka.utils.ZkUtils:70)
> >
> >
> > When I try to publish, e.g.
> >   bin/kafka-console-producer --broker-list kafkabroker1:9093 \
> >   --topic testtopic1 --producer.config /tmp/sasl-producer.properties
> >
> > I get:
> >
> > [2018-08-20 08:37:35,075] WARN Error while fetching metadata with
> > correlation id 3 : {testtopic1=UNKNOWN_TOPIC_OR_PARTITION}
> > (org.apache.kafka.clients.NetworkClient)
> > [2018-08-20 08:37:35,176] WARN Error while fetching metadata with
> > correlation id 4 : {testtopic1=UNKNOWN_TOPIC_OR_PARTITION}
> > (org.apache.kafka.clients.NetworkClient)
> > [2018-08-20 08:37:35,277] WARN Error while fetching metadata with
> > correlation id 5 : {testtopic1=UNKNOWN_TOPIC_OR_PARTITION}
> > (org.apache.kafka.clients.NetworkClient)
> >
> >
> > What I've verified:
> > 1) Client can resolve advertised.listeners on all brokers. (prior to
> > enabling SASL, PLAINTEXT and SSL work with my set advertised.listeners)
> > 2) In my sasl-producer.properties, I'm authenticating with user Kafka.
> > Kafka has been set as super user and in kafka-authorizer.log, I see:
> >
> > [2018-08-20 08:27:19,971] DEBUG principal = User:kafka is a super user,
> > allowing operation without checking acls. (kafka.authorizer.logger)
> > [2018-08-20 08:27:19,971] DEBUG Principal = User:kafka is Allowed Operation
> > = Describe from host = 10.10.52.1 on resource = Topic:testtopic1
> > (kafka.authorizer.logger)
> > [2018-08-20 08:27:20,072] DEBUG operation = Read on resource = Topic:
> > testtopic1 from host = 10.10.52.1 is Allow based on acl = User:kafka has
> > Allow permission for operations: All from hosts: *
> > (kafka.authorizer.logger)
> >
> > and from the kafka.log's in DEBUG:
> > [2018-08-20 09:35:48,364] DEBUG principal = User:kafka is a super user,
> > allowing operation without checking acls. (kafka.authorizer.logger:159)
> > [2018-08-20 09:35:48,364] DEBUG Principal = User:kafka is Allowed Operation
> > = Describe from host = 10.89.64.7 on resource = Topic:kerbtest1
> > (kafka.authorizer.logger:251)
> > [2018-08-20 09:35:48,364] DEBUG Completed
> > request:{api_key=3,api_version=4,correlation_id=186,client_id=console-producer}
> > -- {topics=[kerbtest1],allow_auto_topic_creation=true} from connection
> > 10.10.52.1:9093-10.10.52.1:42752;totalTime:0.461000,requestQueueTime:0.033000,localTime:0.346000,remoteTime:0.00,throttleTime:0.033000,responseQueueTime:0.03,sendTime:0.066000,securityProtocol:SASL_PLAINTEXT,principal:User:kafka,listener:SASL_PLAINTEXT
> > (kafka.request.logger:193)
> >
> >
> > I'm assuming everything is okay from an ACL standpoint but when the
> > client cannot get the topic metadata from the returned advertised listeners?
> > Any ideas on what I could be missing? Could this be something with ZK
> > setup/any authentication I am missing there? I had even tried "skipACL=yes"
> > but that did not change anything.
> >
> > Thanks!
> >
>
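As an added example (not from this thread or from Kafka itself), a small Python script that scans kafka-authorizer.log lines in the format quoted above and groups the Denied decisions for User:ANONYMOUS, the principal Kafka assigns to PLAINTEXT connections and to SSL connections that present no client certificate or principal mapping. A ClusterAction denial on the Cluster resource from a broker's own address is the inter-broker symptom Manikumar pointed to, while a Describe denial on a topic that already carries ACLs is expected even with allow.everyone.if.no.acl.found=true, since that setting only applies to resources with no ACLs at all. The sample log lines and the set of broker addresses are constructed for the example.

```python
import re
from collections import defaultdict
# Pre-2.0 SimpleAclAuthorizer format, as quoted in the thread. Spacing around
# "Operation =" varies ("Operation= Describe" also occurs), so both are accepted.
DECISION_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] DEBUG [Pp]rincipal = (?P<principal>\S+) is "
    r"(?P<decision>Allowed|Denied) Operation\s*=\s*(?P<op>\S+) "
    r"from host = (?P<host>\S+) on resource = (?P<resource>\S+)"
)

def parse_decisions(lines):
    """Yield one dict per Allowed/Denied line; super-user lines are skipped."""
    for line in lines:
        m = DECISION_RE.match(line.strip())
        if m:
            yield m.groupdict()

def find_anonymous_denials(lines):
    """(resource, operation) -> sorted hosts for each Denied decision of
    User:ANONYMOUS, the principal given to PLAINTEXT connections and to SSL
    connections that present no client certificate or principal mapping."""
    hits = defaultdict(set)
    for d in parse_decisions(lines):
        if d["principal"] == "User:ANONYMOUS" and d["decision"] == "Denied":
            hits[(d["resource"], d["op"])].add(d["host"])
    return {key: sorted(hosts) for key, hosts in hits.items()}

def classify(denials, broker_hosts):
    """ClusterAction denied on the Cluster resource from a broker's own address is
    the inter-broker case from the thread; anything else is an unauthenticated client."""
    findings = []
    for (resource, op), hosts in sorted(denials.items()):
        for host in hosts:
            if host in broker_hosts and resource.startswith("Cluster:"):
                kind = "inter-broker listener carries no authenticated principal"
            else:
                kind = "unauthenticated client on an open listener"
            findings.append((kind, host, resource, op))
    return findings

# Constructed sample lines; addresses other than 10.10.52.1 are made up.
SAMPLE_LOG = [
    "[2018-08-20 08:27:19,971] DEBUG principal = User:kafka is a super user, allowing operation without checking acls. (kafka.authorizer.logger)",
    "[2018-08-20 08:27:19,971] DEBUG Principal = User:kafka is Allowed Operation = Describe from host = 10.10.52.1 on resource = Topic:testtopic1 (kafka.authorizer.logger)",
    "[2018-08-20 08:27:20,105] DEBUG Principal = User:ANONYMOUS is Denied Operation = ClusterAction from host = 10.10.52.2 on resource = Cluster:kafka-cluster (kafka.authorizer.logger)",
    "[2018-08-20 08:27:20,210] DEBUG Principal = User:ANONYMOUS is Denied Operation= Describe from host = 10.10.52.9 on resource = Topic:testtopic1 (kafka.authorizer.logger)",
]
BROKER_HOSTS = {"10.10.52.1", "10.10.52.2"}  # assumed broker addresses
```

Run `classify(find_anonymous_denials(SAMPLE_LOG), BROKER_HOSTS)` against the real log to get one labelled finding per denied (host, resource, operation).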