1) Can the ACLs be specified statically in a config file of sorts? Or is bin/kafka-acl.sh or a similar kafka client API the only way to specify the ACLs?

kafka-acls.sh executes SimpleAclAuthorizer, and the only way it accepts ACLs is via command-line params.


2) I notice that bin/kafka-acl.sh takes an argument to specify zookeeper, but doesn't seem to have a mechanism to specify any other authentication constructs. Does that mean anyone can point to my zookeeper instance and add/remove the ACLs?

SimpleAclAuthorizer uses ZooKeeper as ACL storage. Remember, in Kerberos secure mode we highly recommend turning on zookeeper.set.acl. This will put "sasl:principal_name" ACLs on the ZooKeeper nodes, where principal_name is the broker's principal.
So one has to log in with that principal name to make changes to any of the ZooKeeper nodes.
Only the users who have access to the broker's keytab can modify the ZooKeeper nodes.

3) I'd like to use SSL certificates for Authentication and ACLs, but don't want to use encryption over the wire because of latency concerns mentioned here: https://issues.apache.org/jira/browse/KAFKA-2561
Is that supported? Any instructions?

OpenSSL is not supported yet. Also, dropping the encryption in the SSL channel is not possible yet.
Any reason for not using Kerberos for this, since we support a non-encrypted channel for Kerberos?


Thanks,
harsha


On Wed, Jun 8, 2016, at 02:06 PM, Samir Shah wrote:
> Hello,
> 
> Few questions on Kafka Security.
> 
> 1) Can the ACLs be specified statically in a config file of sorts? Or is bin/kafka-acl.sh or a similar kafka client API the only way to specify the ACLs?
> 
> 2) I notice that bin/kafka-acl.sh takes an argument to specify zookeeper, but doesn't seem to have a mechanism to specify any other authentication constructs. Does that mean anyone can point to my zookeeper instance and add/remove the ACLs?
> 
> 3) I'd like to use SSL certificates for Authentication and ACLs, but don't want to use encryption over the wire because of latency concerns mentioned here: https://issues.apache.org/jira/browse/KAFKA-2561
> Is that supported? Any instructions?
> 
> Thanks in advance.
> - Samir
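The practical takeaway from question 2 is that with SimpleAclAuthorizer the ACLs live in ZooKeeper, so a broker config that enables the authorizer without also setting zookeeper.set.acl=true leaves the ACL znodes writable by anyone who can reach ZooKeeper. The script below is an added example, not code from this thread or from the Kafka project: it audits a broker server.properties for exactly those two settings. It assumes only the standard Kafka property names (authorizer.class.name, zookeeper.set.acl); the two sample configs it writes, including the example.internal hostnames, are constructed for a self-contained run.

```shell
#!/bin/sh
# Added example: audit a Kafka broker config for ZooKeeper-backed ACL storage
# being locked down as recommended in the reply above.
# Assumption: standard property names authorizer.class.name and zookeeper.set.acl.

# audit_acl_storage FILE
# Returns 0 when SimpleAclAuthorizer is enabled AND zookeeper.set.acl=true,
# 1 otherwise. Commented-out lines (#zookeeper.set.acl=true) do not count.
audit_acl_storage() {
    cfg="$1"
    rc=0
    if grep -Eq '^[[:space:]]*authorizer\.class\.name[[:space:]]*=[[:space:]]*kafka\.security\.auth\.SimpleAclAuthorizer[[:space:]]*$' "$cfg"; then
        echo "ok: SimpleAclAuthorizer enabled (ACLs are stored in ZooKeeper)"
    else
        echo "missing: authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer"
        rc=1
    fi
    if grep -Eq '^[[:space:]]*zookeeper\.set\.acl[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$cfg"; then
        echo "ok: zookeeper.set.acl=true (znodes get sasl:<broker principal> ACLs)"
    else
        echo "missing: zookeeper.set.acl=true (ACL znodes are writable by any ZooKeeper client)"
        rc=1
    fi
    return $rc
}

# write_samples DIR
# Writes two constructed broker configs: one that enables the authorizer but
# leaves ZooKeeper open, and one that also sets zookeeper.set.acl=true.
write_samples() {
    dir="$1"
    cat > "$dir/weak.properties" <<'EOF'
broker.id=0
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
#zookeeper.set.acl=true
zookeeper.connect=zk1.example.internal:2181
EOF
    cat > "$dir/hardened.properties" <<'EOF'
broker.id=0
listeners=SASL_PLAINTEXT://broker1.example.internal:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.kerberos.service.name=kafka
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
zookeeper.set.acl=true
zookeeper.connect=zk1.example.internal:2181
EOF
}

# Stand-alone demo: ./audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_samples "$tmp"
    for f in weak hardened; do
        echo "== $f.properties"
        audit_acl_storage "$tmp/$f.properties" || echo "FAIL: $f.properties"
    done
    rm -rf "$tmp"
fi
```

Run it against a real broker with `audit_acl_storage /path/to/server.properties`; a non-zero exit means the ACL store in ZooKeeper is not protected by the broker principal's SASL ACLs the way harsha describes.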
