Re: Why authorization deny Read ACL doesn't work

2017-06-12 Thread linbo liao
Finally I figured it out: I missed adding the super user in config/server.properties.
Now everything works fine.

2017-06-12 19:19 GMT+08:00 linbo liao :


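The thread ends with two fixes (authorizer.class.name, then super.users) but never spells out the decision rules that make the Deny take effect. The script below is an added example, not code from the thread or from Kafka: it re-implements the documented SimpleAclAuthorizer decision order of Kafka 0.10.x (super.users bypass; any Deny beats any Allow; host, operation and wildcard-principal matching; Describe implied by an Allow on Read/Write/Delete/Alter; allow.everyone.if.no.acl.found consulted only when the resource has no ACLs at all) and replays the ACLs listed in the thread against the broker config as first posted and as fixed. The properties parser, the function names and the remote address 10.0.0.5 are this example's own. The state "authorizer on, super.users missing" is modelled as the broker principal asking for ClusterAction, because that is the usual cause of the LEADER_NOT_AVAILABLE seen in the thread: the controller's own requests to the broker are authorized as the inter-broker principal (User:admin here) and are denied when it has neither an ACL nor a super.users entry.

```python
"""Replay of SimpleAclAuthorizer decisions for the setup in this thread.

Added example, not the thread's or Kafka's code. Encodes the documented
0.10.x decision rules and applies them to the ACLs kafka-acls.sh listed.
"""
from dataclasses import dataclass

# config/server.properties as first posted: SASL on, but no authorizer.
BROKER_ORIGINAL = """\
listeners=SASL_PLAINTEXT://0.0.0.0:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
"""

# Same file plus the two settings the thread converged on.
BROKER_FIXED = BROKER_ORIGINAL + """\
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
# inter-broker principal = username in the KafkaServer JAAS section
super.users=User:admin
"""


@dataclass(frozen=True)
class Acl:
    principal: str   # "User:alice"; "User:*" matches any principal
    permission: str  # "Allow" | "Deny"
    operation: str   # "Read", "Write", "Describe", "ClusterAction", "All", ...
    host: str        # "*" or one address
    resource: str    # "Topic:test", "Cluster:kafka-cluster", ...


# The ACLs exactly as kafka-acls.sh --list printed them in the thread.
THREAD_ACLS = [
    Acl("User:alice", "Allow", "Write", "127.0.0.1", "Topic:test"),
    Acl("User:alice", "Deny", "Read", "*", "Topic:test"),
    Acl("User:alice", "Allow", "All", "*", "Cluster:kafka-cluster"),
]

# An Allow on any of these also satisfies a Describe request (0.10.x rule).
_IMPLIES_DESCRIBE = {"Read", "Write", "Delete", "Alter"}


def parse_properties(text):
    """Minimal key=value reader for a Java .properties file (example helper)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _matches(acl, principal, host, ops, permission, resource):
    return (acl.resource == resource
            and acl.permission == permission
            and acl.principal in (principal, "User:*")
            and acl.host in (host, "*")
            and (acl.operation == "All" or acl.operation in ops))


def authorize(props, acls, principal, host, operation, resource):
    """True if the broker described by `props` lets `principal` do `operation`."""
    # 1. No authorizer configured: the broker never consults ACLs at all.
    #    This is why the Deny rule in the thread had no visible effect.
    if not props.get("authorizer.class.name"):
        return True
    # 2. super.users (semicolon-separated) bypass every ACL check.
    supers = {s.strip() for s in props.get("super.users", "").split(";") if s.strip()}
    if principal in supers:
        return True
    resource_acls = [a for a in acls if a.resource == resource]
    # 3. Resource has no ACLs at all: open only if explicitly configured so.
    if not resource_acls:
        return props.get("allow.everyone.if.no.acl.found", "false").lower() == "true"
    # 4. An explicit Deny for the operation (or All) always wins.
    if any(_matches(a, principal, host, {operation}, "Deny", resource) for a in resource_acls):
        return False
    # 5. Otherwise an Allow for the operation, for All, or (Describe only)
    #    for an operation that implies Describe.
    allow_ops = {operation} | (_IMPLIES_DESCRIBE if operation == "Describe" else set())
    return any(_matches(a, principal, host, allow_ops, "Allow", resource) for a in resource_acls)


def replay():
    """Walk through the thread's three broker states; returns name -> allowed."""
    original = parse_properties(BROKER_ORIGINAL)
    fixed = parse_properties(BROKER_FIXED)
    no_super = dict(fixed)
    del no_super["super.users"]  # state 2: authorizer on, super.users missing
    alice, admin = "User:alice", "User:admin"
    return {
        # state 1: consumer reads despite the Deny, because nothing authorizes
        "read_no_authorizer": authorize(original, THREAD_ACLS, alice, "127.0.0.1", "Read", "Topic:test"),
        # states 2/3: Deny now applies; Write is host-scoped; Describe via Write
        "read_fixed": authorize(fixed, THREAD_ACLS, alice, "127.0.0.1", "Read", "Topic:test"),
        "write_local": authorize(fixed, THREAD_ACLS, alice, "127.0.0.1", "Write", "Topic:test"),
        "write_remote": authorize(fixed, THREAD_ACLS, alice, "10.0.0.5", "Write", "Topic:test"),
        "describe_fixed": authorize(fixed, THREAD_ACLS, alice, "127.0.0.1", "Describe", "Topic:test"),
        # broker principal: denied without super.users, allowed with it
        "broker_no_super": authorize(no_super, THREAD_ACLS, admin, "127.0.0.1", "ClusterAction", "Cluster:kafka-cluster"),
        "broker_super": authorize(fixed, THREAD_ACLS, admin, "127.0.0.1", "ClusterAction", "Cluster:kafka-cluster"),
    }


if __name__ == "__main__":
    for name, allowed in replay().items():
        print(f"{name:18} -> {'ALLOW' if allowed else 'DENY'}")
```

Two things the replay makes visible. The Deny on Read does not block Describe, so alice's producer could still fetch metadata once the authorizer was on; and the Cluster:kafka-cluster All grant to alice, added while debugging, did not change the outcome, because it is the broker's own principal that needed rights. A client does not need cluster-wide permissions, and super.users should list the broker principal only, since it bypasses every ACL. allow.everyone.if.no.acl.found=true is the other setting worth checking on any broker where Deny rules appear to be ignored.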

Re: Why authorization deny Read ACL doesn't work

2017-06-12 Thread linbo liao
Thanks Tom, I missed it.

I added authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer and
granted user:alice operation permission on the cluster, but publishing a
message still fails. The error message says LEADER_NOT_AVAILABLE.

> $ bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --list
> Current ACLs for resource `Topic:test`:
>   User:alice has Allow permission for operations: Write from hosts: 127.0.0.1
>   User:alice has Deny permission for operations: Read from hosts: *
>
> Current ACLs for resource `Cluster:kafka-cluster`:
>   User:alice has Allow permission for operations: All from hosts: *
>
> $ bin/kafka-console-producer.sh --broker-list localhost:9092 --producer.config config/producer.properties --topic test
> job
> [2017-06-12 11:14:41,318] WARN Error while fetching metadata with correlation id 1 : {test=LEADER_NOT_AVAILABLE} (org.apache.kafka.clients.NetworkClient)
>
> $ bin/kafka-topics.sh --zookeeper localhost:2181 --topic test --describe
> Topic:test  PartitionCount:1  ReplicationFactor:1  Configs:
>   Topic: test  Partition: 0  Leader: 0  Replicas: 0  Isr: 0
>



2017-06-12 16:43 GMT+08:00 Tom Bentley :

> Hi,
>
> Did you set
>
> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
>
> as described here
>  at
> http://docs.confluent.io/current/kafka/authorization.
> html#further-configuration
>
> HTH,
>
> Tom
>
> On 11 June 2017 at 04:40, linbo liao  wrote:
>
> > Hi,
> >
> > I try to set Kafka ACL for topic access permission followed by kafka
> > security document  >,
> > but looks deny acl doesn't work.
> >
> > *My Environment:*
> >
> > VM: Ubuntu 12.04 LTS x86_64
> > JAVA:  openjdk version "1.8.0_111"
> > Kafka:  kafka_2.12-0.10.2.1
> >
> > I setup one broker, and use kafka-console-consumer.sh and
> > kafka-console-producer.sh to test.
> >
> > *Broker setup:*
> >
> > broker startup script already add jaas parameter
> >
> > $ cat kafka_server_jaas.conf
> >
> > > KafkaServer {
> > > org.apache.kafka.common.security.plain.PlainLoginModule
> > > required
> > > username="admin"
> > > password="admin"
> > > user_admin="admin"
> > > user_alice="alice";
> > > };
> > >
> >
> > config/server.properties
> >
> > listeners=SASL_PLAINTEXT://0.0.0.0:9092
> > > security.inter.broker.protocol=SASL_PLAINTEXT
> > > sasl.mechanism.inter.broker.protocol=PLAIN
> > > sasl.enabled.mechanisms=PLAIN
> > >
> >
> >
> > *Client setup:*
> > producer/consumer startup script already add jaas parameter
> >
> > $ cat client_jaas.conf
> >
> > > KafkaClient {
> > > org.apache.kafka.common.security.plain.PlainLoginModule required
> > > username="alice"
> > > password="alice";
> > > };
> >
> >
> > config/consumer.properties & config/producer.properties
> >
> > > security.protocol=SASL_PLAINTEXT
> > > sasl.mechanism=PLAIN
> > >
> >
> >
> > 1. create topic
> >
> > $ bin/kafka-topics.sh --create --zookeeper localhost:2181
> > > --replication-factor 1 --partitions 1 --topic test
> > >
> >
> > 2. setup topic acl
> >
> > $ bin/kafka-acls.sh --authorizer-properties
> > > zookeeper.connect=localhost:2181 --list --topic test
> > > Current ACLs for resource `Topic:test`:
> > > User:alice has Allow permission for operations: Write from
> hosts:
> > > 127.0.0.1
> > > User:alice has Deny permission for operations: Read from
> hosts: *
> > >
> >
> > Although I deny Read permission for user alice from all host, I start
> > consumer still can receive message.
> >
> > produce a message "test"
> >
> > > $ bin/kafka-console-producer.sh --broker-list localhost:9092
> > > --producer.config config/producer.properties --topic test
> > > test
> > >
> >
> > consumer receive this message
> >
> > $ bin/kafka-console-consumer.sh --bootstrap-server localhost:9092 --topic
> > > test --consumer.config config/consumer.properties --from-beginning
> > > [2017-06-11 03:37:55,998] WARN The configuration 'zookeeper.connect'
> was
> > > supplied but isn't a known config.
> > > (org.apache.kafka.clients.consumer.ConsumerConfig)
> > > [2017-06-11 03:37:55,999] WARN The configuration '
> > > zookeeper.connection.timeout.ms' was supplied but isn't a known
> config.
> > > (org.apache.kafka.clients.consumer.ConsumerConfig)
> > > test
> > >
> >
> > Why deny read operation doesn't work, do I miss something?
> >
> > Thanks,
> > Linbo
> >
>


Re: Why authorization deny Read ACL doesn't work

2017-06-12 Thread Tom Bentley
Hi,

Did you set

authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer

as described here:
http://docs.confluent.io/current/kafka/authorization.html#further-configuration

HTH,

Tom

On 11 June 2017 at 04:40, linbo liao  wrote:



Why authorization deny Read ACL doesn't work

2017-06-10 Thread linbo liao
Hi,

I tried to set Kafka ACLs for topic access permissions following the Kafka
security document, but it looks like the Deny ACL doesn't work.

*My Environment:*

VM: Ubuntu 12.04 LTS x86_64
JAVA:  openjdk version "1.8.0_111"
Kafka:  kafka_2.12-0.10.2.1

I set up one broker and use kafka-console-consumer.sh and
kafka-console-producer.sh to test.

*Broker setup:*

The broker startup script already adds the JAAS parameter.

$ cat kafka_server_jaas.conf

> KafkaServer {
>   org.apache.kafka.common.security.plain.PlainLoginModule required
>   username="admin"
>   password="admin"
>   user_admin="admin"
>   user_alice="alice";
> };

config/server.properties

> listeners=SASL_PLAINTEXT://0.0.0.0:9092
> security.inter.broker.protocol=SASL_PLAINTEXT
> sasl.mechanism.inter.broker.protocol=PLAIN
> sasl.enabled.mechanisms=PLAIN


*Client setup:*
The producer/consumer startup scripts already add the JAAS parameter.

$ cat client_jaas.conf

> KafkaClient {
>   org.apache.kafka.common.security.plain.PlainLoginModule required
>   username="alice"
>   password="alice";
> };


config/consumer.properties & config/producer.properties

> security.protocol=SASL_PLAINTEXT
> sasl.mechanism=PLAIN
>


1. Create the topic:

> $ bin/kafka-topics.sh --create --zookeeper localhost:2181 --replication-factor 1 --partitions 1 --topic test

2. Set up the topic ACLs:

> $ bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --list --topic test
> Current ACLs for resource `Topic:test`:
>   User:alice has Allow permission for operations: Write from hosts: 127.0.0.1
>   User:alice has Deny permission for operations: Read from hosts: *

Although I deny Read permission for user alice from all hosts, when I start
the consumer it can still receive messages.

Produce a message "test":

> $ bin/kafka-console-producer.sh --broker-list localhost:9092 --producer.config config/producer.properties --topic test
> test

The consumer receives this message:

> $ bin/kafka-console-consumer.sh --bootstrap-server localhost:9092 --topic test --consumer.config config/consumer.properties --from-beginning
> [2017-06-11 03:37:55,998] WARN The configuration 'zookeeper.connect' was supplied but isn't a known config. (org.apache.kafka.clients.consumer.ConsumerConfig)
> [2017-06-11 03:37:55,999] WARN The configuration 'zookeeper.connection.timeout.ms' was supplied but isn't a known config. (org.apache.kafka.clients.consumer.ConsumerConfig)
> test

Why doesn't the Deny Read ACL work? Am I missing something?

Thanks,
Linbo