Hi All,

We are using SASL for authentication between Kafka and ZK. Followed - 
https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/

We have 3 Kafka nodes; on each node, we have 
principal="kafka/server_no.xxx....@xxx.com". So

On first node in kafka_server_jaas.conf, principal is set to 
principal="kafka/server1.xxx....@xxx.com"
On second node in kafka_server_jaas.conf, principal is set to 
principal="kafka/server2.xxx....@xxx.com"
On third node in kafka_server_jaas.conf, principal is set to 
principal="kafka/server3.xxx....@xxx.com"

When I run the ACL command from node 1, it is successful. It all works, but I 
cannot run ACL from the other 2 nodes. On the other 2 nodes it fails with the error

[2017-03-31 18:44:38,629] ERROR Conditional update of path 
/kafka-acl/Topic/shri-topic with data 
{"version":1,"acls":[{"principal":"User:CN=xxxxxxx,OU=xxxx,O=xxxx,L=xxxxx,ST=xx,C=xx","permissionType":"Allow","operation":"Describe","host":"*"},{"principal":"User:CN=spatel-lt,OU=arch,O=pdx
 inc,L=fort 
worth,ST=tx,C=us","permissionType":"Allow","operation":"Write","host":"*"}]} 
and expected version 0 failed due to 
org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth 
for /kafka-acl/Topic/shri-topic (kafka.utils.ZkUtils)

When I look at the ZK kafka-acl node, it only has permission for the first node. I 
understand the reason it does not allow the others to run ACL, even though they have a valid keytab.

getAcl /kafka-acl
'world,'anyone
: r
'sasl,'kafka/server1.xxx....@xxx.com
: cdrwa

Is this a bug, or am I doing something wrong here?

Thanks,
Shri
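
An added example, not part of the original message: a small parser for the `getAcl` output quoted above that evaluates which of the three broker principals can update the znode. It assumes the `sasl` scheme compares the authenticated id to the ACL id as an exact string, and that /kafka-acl/Topic/shri-topic carries the same ACL as the /kafka-acl node shown; the function names are illustrative.

```python
import re

# getAcl output and principals copied from the message (redacted as posted).
GETACL_OUTPUT = """\
'world,'anyone
: r
'sasl,'kafka/server1.xxx....@xxx.com
: cdrwa
"""
BROKERS = [f"kafka/server{n}.xxx....@xxx.com" for n in (1, 2, 3)]

def parse_getacl(text):
    """Parse zkCli `getAcl` output into (scheme, id, perms) tuples."""
    entries, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"'([^,]+),'(.*)", line)
        if m:
            pending = (m.group(1), m.group(2))
        elif line.startswith(":") and pending:
            # Permission letters: c(reate) d(elete) r(ead) w(rite) a(dmin)
            entries.append((*pending, set(line[1:].strip())))
            pending = None
    return entries

def has_perm(entries, principal, perm):
    """True if a SASL-authenticated principal holds `perm`.

    Assumption: sasl ids match by exact string; world:anyone matches everyone.
    """
    for scheme, ident, perms in entries:
        if perm not in perms:
            continue
        if (scheme, ident) == ("world", "anyone"):
            return True
        if scheme == "sasl" and ident == principal:
            return True
    return False

def report(entries=None):
    entries = entries or parse_getacl(GETACL_OUTPUT)
    # Updating znode data (the "Conditional update" in the error) needs WRITE.
    return {p: {"read": has_perm(entries, p, "r"),
                "write": has_perm(entries, p, "w")} for p in BROKERS}

if __name__ == "__main__":
    for principal, perms in report().items():
        print(principal, perms)
```

With the ACL as posted, only the server1 principal holds write; server2 and server3 fall through to the world:anyone read-only entry, which matches the NoAuth on the conditional update.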
