Hi,

I tried to set a Kafka ACL for topic access permission following the Kafka
security document <http://kafka.apache.org/documentation/#security_authz>,
but it looks like the deny ACL doesn't work.

*My Environment:*

VM: Ubuntu 12.04 LTS x86_64
JAVA:  openjdk version "1.8.0_111"
Kafka:  kafka_2.12-0.10.2.1

I set up one broker and use kafka-console-consumer.sh and
kafka-console-producer.sh to test.

*Broker setup:*

The broker startup script already adds the JAAS parameter.

$ cat kafka_server_jaas.conf

> KafkaServer {
>             org.apache.kafka.common.security.plain.PlainLoginModule
> required
>             username="admin"
>             password="admin"
>             user_admin="admin"
>             user_alice="alice";
>         };
>

config/server.properties

> listeners=SASL_PLAINTEXT://0.0.0.0:9092
> security.inter.broker.protocol=SASL_PLAINTEXT
> sasl.mechanism.inter.broker.protocol=PLAIN
> sasl.enabled.mechanisms=PLAIN
>


*Client setup:*
The producer/consumer startup scripts already add the JAAS parameter.

$ cat client_jaas.conf

> KafkaClient {
>     org.apache.kafka.common.security.plain.PlainLoginModule required
>     username="alice"
>     password="alice";
> };


config/consumer.properties & config/producer.properties

> security.protocol=SASL_PLAINTEXT
> sasl.mechanism=PLAIN
>


1. Create the topic

$ bin/kafka-topics.sh --create --zookeeper localhost:2181
> --replication-factor 1 --partitions 1 --topic test
>

2. Set up the topic ACL

$ bin/kafka-acls.sh --authorizer-properties
> zookeeper.connect=localhost:2181 --list --topic test
> Current ACLs for resource `Topic:test`:
>         User:alice has Allow permission for operations: Write from hosts:
> 127.0.0.1
>         User:alice has Deny permission for operations: Read from hosts: *
>

Although I deny Read permission for user alice from all hosts, when I start
the consumer it can still receive messages.

Produce a message "test":

> $ bin/kafka-console-producer.sh --broker-list localhost:9092
> --producer.config config/producer.properties --topic test
> test
>

The consumer receives this message:

$ bin/kafka-console-consumer.sh --bootstrap-server localhost:9092 --topic
> test --consumer.config config/consumer.properties --from-beginning
> [2017-06-11 03:37:55,998] WARN The configuration 'zookeeper.connect' was
> supplied but isn't a known config.
> (org.apache.kafka.clients.consumer.ConsumerConfig)
> [2017-06-11 03:37:55,999] WARN The configuration '
> zookeeper.connection.timeout.ms' was supplied but isn't a known config.
> (org.apache.kafka.clients.consumer.ConsumerConfig)
> test
>

Why doesn't the deny Read operation work? Am I missing something?

Thanks,
Linbo
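An added example, not part of Linbo's mail: an offline checker that parses the server.properties keys and the `kafka-acls.sh --list` output exactly as shown above and evaluates a request the way the Kafka authorization documentation describes (ACLs are consulted only when `authorizer.class.name` is set; a matching Deny wins over any Allow; with no matching ACL the request is denied unless `allow.everyone.if.no.acl.found=true`). The `SECURED_PROPS` config with `kafka.security.auth.SimpleAclAuthorizer` is a hypothetical corrected config, since the excerpt in the post shows no authorizer line.

```python
import re
from typing import NamedTuple

class Acl(NamedTuple):
    principal: str
    permission: str   # "Allow" or "Deny"
    operations: frozenset
    host: str

ACL_RE = re.compile(r"(User:\S+) has (Allow|Deny) permission for operations: (.+?) from hosts: (\S+)")

def parse_properties(text):
    """Minimal server.properties reader: key=value lines, '#' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def parse_acl_listing(text):
    """Parse kafka-acls.sh --list output (whitespace collapsed, since the mail wrapped lines)."""
    flat = " ".join(text.split())
    return [Acl(m.group(1), m.group(2), frozenset(o.strip() for o in m.group(3).split(",")), m.group(4))
            for m in ACL_RE.finditer(flat)]

def authorize(props, acls, principal, operation, host):
    """Return (allowed, reason) for one request against a topic's ACLs."""
    if "authorizer.class.name" not in props:
        return True, "no authorizer.class.name in server.properties: ACLs are never consulted"
    hits = [a for a in acls if a.principal in (principal, "User:*")
            and (operation in a.operations or "All" in a.operations) and a.host in (host, "*")]
    if any(a.permission == "Deny" for a in hits):
        return False, "matching Deny ACL takes precedence over Allow"
    if any(a.permission == "Allow" for a in hits):
        return True, "matching Allow ACL"
    if props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        return True, "no matching ACL but allow.everyone.if.no.acl.found=true"
    return False, "no matching ACL: default deny"

# Constructed inputs mirroring the post; its server.properties excerpt shows no authorizer line.
SERVER_PROPS = parse_properties("""listeners=SASL_PLAINTEXT://0.0.0.0:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.enabled.mechanisms=PLAIN""")
# The same broker config with the ACL authorizer enabled (hypothetical corrected config).
SECURED_PROPS = {**SERVER_PROPS, "authorizer.class.name": "kafka.security.auth.SimpleAclAuthorizer"}
TOPIC_ACLS = parse_acl_listing("""Current ACLs for resource `Topic:test`:
        User:alice has Allow permission for operations: Write from hosts:
127.0.0.1
        User:alice has Deny permission for operations: Read from hosts: *""")
```

Calling `authorize(SERVER_PROPS, TOPIC_ACLS, "User:alice", "Read", "127.0.0.1")` returns allowed, while the same call with `SECURED_PROPS` returns denied because of the `Deny ... from hosts: *` entry.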
