If you are using auto-create of topics, you also need to grant Create
access to kaka-cluster.
On Mon, May 22, 2017 at 9:51 AM, Raghav <raghavas...@gmail.com> wrote:
> Hi Rajini
>
> I tried again with IP addresses this time, and I get the following error
> log for the given ACLS. Is there something wrong in the way I am giving
> user name ?
>
> *List of ACL*
>
> [root@kafka-dev1 KAFKA]# bin/kafka-acls --authorizer-properties
> zookeeper.connect=localhost:2181 --add --allow-principal User:CN=kafka2
> --allow-host 10.10.0.23 --operation Read --operation Write --topic
> kafka-testtopic
> Adding ACLs for resource `Topic:kafka-testtopic`:
> User:CN=kafka2 has Allow permission for operations: Read from
> hosts: 10.10.0.23
> User:CN=kafka2 has Allow permission for operations: Write from
> hosts: 10.10.0.23
> [root@kafka-dev1 KAFKA]#
>
> *Authorizer LOGS*
>
> [2017-05-22 06:45:44,520] DEBUG No acl found for resource
> Cluster:kafka-cluster, authorized = false (kafka.authorizer.logger)
> [2017-05-22 06:45:44,520] DEBUG Principal = User:CN=kafka2 is Denied
> Operation = Create from host = 10.10.0.23 on resource =
> Cluster:kafka-cluster (kafka.authorizer.logger)
>
> On Mon, May 22, 2017 at 6:34 AM, Rajini Sivaram <rajinisiva...@gmail.com>
> wrote:
>
> > Raghav,
> >
> > I don't believe we do reverse DNS lookup for matching ACL hosts. Have you
> > tried defining ACLs with host IP address?
> >
> > On Mon, May 22, 2017 at 9:19 AM, Raghav <raghavas...@gmail.com> wrote:
> >
> > > Hi
> > >
> > > I enabled the DEBUG logs on Kafka authorizer, and I see the following
> > logs
> > > for the given ACLs. Am I missing something in my config here ? Any help
> > is
> > > greatly appreciated. Thanks.
> > >
> > >
> > > *List of ACL*
> > >
> > > [root@kafka1 KAFKA]# bin/kafka-acls.sh --authorizer-properties
> > > zookeeper.connect=localhost:2181 --list --topic kafka-testtopic
> > > Current ACLs for resource `Topic:kafka-testtopic`:
> > > User:* has Allow permission for operations: Read from hosts:
> bin
> > > User:CN=kafka2 has Allow permission for operations: Write from
> > > hosts: kafka2.example.com
> > > User:CN=kafka2 has Allow permission for operations: Read from
> > > hosts: kafka2.example.com
> > > [root@kafka1 KAFKA]#
> > >
> > >
> > > *Authorizer LOGS*
> > >
> > > [2017-05-22 06:10:16,635] DEBUG Principal = User:CN=kafka2 is Denied
> > > Operation = Describe from host = 10.10.0.23 on resource =
> > > Topic:kafka-testtopic (kafka.authorizer.logger)
> > > [2017-05-22 06:10:16,736] DEBUG Principal = User:CN=kafka2 is Denied
> > > Operation = Describe from host = 10.10.0.23 on resource =
> > > Topic:kafka-testtopic (kafka.authorizer.logger)
> > > [2017-05-22 06:10:16,839] DEBUG Principal = User:CN=kafka2 is Denied
> > > Operation = Describe from host = 10.10.0.23 on resource =
> > > Topic:kafka-testtopic (kafka.authorizer.logger)
> > > [2017-05-22 06:10:16,942] DEBUG Principal = User:CN=kafka2 is Denied
> > > Operation = Describe from host = 10.10.0.23 on resource =
> > > Topic:kafka-testtopic (kafka.authorizer.logger)
> > >
> > >
> > > Thanks.
> > >
> > >
> > > On Sun, May 21, 2017 at 10:52 PM, Raghav <raghavas...@gmail.com>
> wrote:
> > >
> > > > I tried all possible ways (including the way you suggested Michael),
> > but
> > > I
> > > > still get the same error.
> > > >
> > > > Is there a step by step guide to get ACLs working in Kafka with SSL ?
> > > >
> > > > Thanks.
> > > >
> > > > On Fri, May 19, 2017 at 11:40 AM, Michael Rauter <
> > mrau...@anexia-it.com>
> > > > wrote:
> > > >
> > > >> Hi,
> > > >>
> > > >> with SSL client authentication the user identifier is the dname of
> the
> > > >> certificate
> > > >>
> > > >> in your case “CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US”
> > > >>
> > > >> for example when you want to set an ACL rule (read and write for
> topic
> > > >> TOPICNAME from every host):
> > > >>
> > > >> $ kafka-acls --authorizer-properties zookeeper.connect=zookeeper:
> 2181
> > > >> --add --allow-principal User:CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US
> > > >> --allow-host "*" --operation Read --operation Write --topic
> TOPICNAME
> > > >>
> > > >>
> > > >> Am 19.05.17, 20:02 schrieb "Raghav" <raghavas...@gmail.com>:
> > > >>
> > > >> If it helps, this is how I generated the keystone for my client
> > > >>
> > > >> $ keytool -alias kafka-dev2 -validity 365 -keystore
> > > >> kafka-dev2.keystore.jks
> > > >> -dname "CN=Bob,O=FB,OU=MA,L=MP,ST=CA,C=US" -genkey -ext
> SAN=DNS:
> > > >> kafka-dev2.example.com -storepass 123456
> > > >>
> > > >> Anything wrong here ?
> > > >>
> > > >> On Fri, May 19, 2017 at 10:32 AM, Raghav <raghavas...@gmail.com
> >
> > > >> wrote:
> > > >>
> > > >> > Hi
> > > >> >
> > > >> > I have a SSL setup with Kafka Broker, Producer and Consumer,
> and
> > > it
> > > >> works
> > > >> > fine. I tried to setup ACLs as given on the website. When I
> > start
> > > my
> > > >> > producer, I am getting this error:
> > > >> >
> > > >> >
> > > >> > [root@kafka-dev2 KAFKA]# bin/kafka-console-producer
> > --broker-list
> > > >> > kafka-dev1.example.com:9093 --topic test --producer.config
> > > >> > ./etc/kafka/producer.properties
> > > >> >
> > > >> > HelloWorld
> > > >> >
> > > >> > [2017-05-19 10:24:42,437] WARN Error while fetching metadata
> > with
> > > >> > correlation id 1 : {test=UNKNOWN_TOPIC_OR_PARTITION}
> > > >> > (org.apache.kafka.clients.NetworkClient)
> > > >> > [root@kafka-dev2 KAFKA]#
> > > >> >
> > > >> >
> > > >> > server config has the following entries
> > > >> > ------------------------------------
> > > >> > authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
> > > >> > super.users=User:Bob
> > > >> > ------------------------------------
> > > >> >
> > > >> > When certificate was being generated for Producer (Bob was
> used
> > in
> > > >> the
> > > >> > CNAME.)
> > > >> >
> > > >> >
> > > >> > Am I missing something here ? Please help
> > > >> >
> > > >> > Thanks.
> > > >> >
> > > >> > Raghav
> > > >> >
> > > >>
> > > >>
> > > >>
> > > >> --
> > > >> Raghav
> > > >>
> > > >>
> > > >>
> > > >
> > > >
> > > > --
> > > > Raghav
> > > >
> > >
> > >
> > >
> > > --
> > > Raghav
> > >
> >
>
>
>
> --
> Raghav
>
