Thanks Tom, I missed it.
I added authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer and
granted User:alice operation permission on the cluster, but publishing a
message still failed. The error message said LEADER_NOT_AVAILABLE.
> $ bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --list
> Current ACLs for resource `Topic:test`:
> User:alice has Allow permission for operations: Write from hosts: 127.0.0.1
> User:alice has Deny permission for operations: Read from hosts: *
>
> Current ACLs for resource `Cluster:kafka-cluster`:
> User:alice has Allow permission for operations: All from hosts: *
>
> $ bin/kafka-console-producer.sh --broker-list localhost:9092 --producer.config config/producer.properties --topic test
> job
> [2017-06-12 11:14:41,318] WARN Error while fetching metadata with correlation id 1 : {test=LEADER_NOT_AVAILABLE} (org.apache.kafka.clients.NetworkClient)
>
> $ bin/kafka-topics.sh --zookeeper localhost:2181 --topic test --describe
> Topic:test PartitionCount:1 ReplicationFactor:1 Configs:
> Topic: test Partition: 0 Leader: 0 Replicas: 0 Isr: 0
>
2017-06-12 16:43 GMT+08:00 Tom Bentley <[email protected]>:
> Hi,
>
> Did you set
>
> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
>
> as described here:
> http://docs.confluent.io/current/kafka/authorization.html#further-configuration
>
> HTH,
>
> Tom
>
> On 11 June 2017 at 04:40, linbo liao <[email protected]> wrote:
>
> > Hi,
> >
> > I tried to set Kafka ACLs for topic access permissions following the Kafka
> > security document <http://kafka.apache.org/documentation/#security_authz>,
> > but it looks like the deny ACL doesn't work.
> >
> > *My Environment:*
> >
> > VM: Ubuntu 12.04 LTS x86_64
> > JAVA: openjdk version "1.8.0_111"
> > Kafka: kafka_2.12-0.10.2.1
> >
> > I setup one broker, and use kafka-console-consumer.sh and
> > kafka-console-producer.sh to test.
> >
> > *Broker setup:*
> >
> > the broker startup script already adds the JAAS parameter
> >
> > $ cat kafka_server_jaas.conf
> >
> > > KafkaServer {
> > > org.apache.kafka.common.security.plain.PlainLoginModule
> > > required
> > > username="admin"
> > > password="admin"
> > > user_admin="admin"
> > > user_alice="alice";
> > > };
> > >
> >
> > config/server.properties
> >
> > > listeners=SASL_PLAINTEXT://0.0.0.0:9092
> > > security.inter.broker.protocol=SASL_PLAINTEXT
> > > sasl.mechanism.inter.broker.protocol=PLAIN
> > > sasl.enabled.mechanisms=PLAIN
> > >
> >
> >
> > *Client setup:*
> > the producer/consumer startup scripts already add the JAAS parameter
> >
> > $ cat client_jaas.conf
> >
> > > KafkaClient {
> > > org.apache.kafka.common.security.plain.PlainLoginModule required
> > > username="alice"
> > > password="alice";
> > > };
> >
> >
> > config/consumer.properties & config/producer.properties
> >
> > > security.protocol=SASL_PLAINTEXT
> > > sasl.mechanism=PLAIN
> > >
> >
> >
> > 1. create topic
> >
> > > $ bin/kafka-topics.sh --create --zookeeper localhost:2181 --replication-factor 1 --partitions 1 --topic test
> > >
> >
> > 2. setup topic acl
> >
> > > $ bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --list --topic test
> > > Current ACLs for resource `Topic:test`:
> > > User:alice has Allow permission for operations: Write from hosts: 127.0.0.1
> > > User:alice has Deny permission for operations: Read from hosts: *
> > >
> >
> > Although I denied Read permission for user alice from all hosts, when I start
> > the consumer it can still receive messages.
> >
> > Produce a message "test":
> >
> > > $ bin/kafka-console-producer.sh --broker-list localhost:9092
> > > --producer.config config/producer.properties --topic test
> > > test
> > >
> >
> > The consumer receives this message:
> >
> > > $ bin/kafka-console-consumer.sh --bootstrap-server localhost:9092 --topic test --consumer.config config/consumer.properties --from-beginning
> > > [2017-06-11 03:37:55,998] WARN The configuration 'zookeeper.connect' was supplied but isn't a known config. (org.apache.kafka.clients.consumer.ConsumerConfig)
> > > [2017-06-11 03:37:55,999] WARN The configuration 'zookeeper.connection.timeout.ms' was supplied but isn't a known config. (org.apache.kafka.clients.consumer.ConsumerConfig)
> > > test
> > >
> >
> > Why doesn't the deny Read operation work? Did I miss something?
> >
> > Thanks,
> > Linbo
> >
>
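As an added illustration (not part of this thread and not Kafka's own code), the following Python is a small model of the documented SimpleAclAuthorizer decision order, run against the ACLs that kafka-acls.sh listed above. It assumes the documented semantics: principals in super.users are always allowed, a matching Deny wins over any Allow, Describe is implied by Read, Write, Delete and Alter, and a resource that has ACLs but no matching one is denied (allow.everyone.if.no.acl.found is a separate, default-false setting that only applies when the resource has no ACLs at all). The names AclModel, Acl and decisions are mine. Two things the model makes visible: without authorizer.class.name none of this runs and the stored ACLs are simply ignored, which is what the first mail observed; and once it does run, a principal with no ACL, such as the inter-broker User:admin from the broker's JAAS file, is denied everything unless it is listed in super.users, which is one plausible reason for a broker to start failing its own metadata work after the authorizer is switched on.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Operations whose Allow ACL also satisfies a Describe check
# (Kafka documents Describe as implied by Read, Write, Delete and Alter).
IMPLIES_DESCRIBE = {"Read", "Write", "Delete", "Alter"}


@dataclass(frozen=True)
class Acl:
    principal: str   # e.g. "User:alice"
    permission: str  # "Allow" or "Deny"
    operation: str   # "Read", "Write", "All", ...
    host: str        # "*" or a client address


class AclModel:
    """Simplified model of SimpleAclAuthorizer's decision order:
    super users -> any matching Deny -> any matching Allow -> default.
    A teaching model of the documented semantics, not Kafka's code."""

    def __init__(self, acls: Dict[str, List[Acl]], super_users: Iterable[str] = (),
                 allow_everyone_if_no_acl: bool = False):
        self.acls = acls
        self.super_users = set(super_users)
        self.allow_everyone_if_no_acl = allow_everyone_if_no_acl

    @staticmethod
    def _matches(acl: Acl, principal: str, host: str, operation: str) -> bool:
        return (acl.principal == principal
                and acl.host in ("*", host)
                and acl.operation in ("All", operation))

    def authorize(self, principal: str, host: str, operation: str, resource: str) -> bool:
        if principal in self.super_users:
            return True
        acls = self.acls.get(resource, [])
        if not acls:
            # Only here does allow.everyone.if.no.acl.found matter.
            return self.allow_everyone_if_no_acl
        # Deny is checked first with the exact operation and wins outright.
        if any(a.permission == "Deny" and self._matches(a, principal, host, operation)
               for a in acls):
            return False
        # Allow may be satisfied by the operation itself or, for Describe,
        # by any operation that implies it.
        allow_ops = {operation}
        if operation == "Describe":
            allow_ops |= IMPLIES_DESCRIBE
        return any(a.permission == "Allow" and self._matches(a, principal, host, op)
                   for a in acls for op in allow_ops)


# The ACLs as listed by kafka-acls.sh in the thread (constructed from that output).
THREAD_ACLS = {
    "Topic:test": [
        Acl("User:alice", "Allow", "Write", "127.0.0.1"),
        Acl("User:alice", "Deny", "Read", "*"),
    ],
    "Cluster:kafka-cluster": [
        Acl("User:alice", "Allow", "All", "*"),
    ],
}


def decisions(super_users: Iterable[str] = ()) -> Dict[str, bool]:
    """Decisions the model makes for requests relevant to the thread."""
    model = AclModel(THREAD_ACLS, super_users=super_users)
    return {
        # consumer as alice: the Deny Read ACL wins even though alice has Allow Write
        "alice read topic from 127.0.0.1":
            model.authorize("User:alice", "127.0.0.1", "Read", "Topic:test"),
        "alice write topic from 127.0.0.1":
            model.authorize("User:alice", "127.0.0.1", "Write", "Topic:test"),
        # same user from another host: nothing matches and the default is deny
        "alice write topic from 10.0.0.5":
            model.authorize("User:alice", "10.0.0.5", "Write", "Topic:test"),
        # Describe is implied by the Write allow; the Deny covers only Read
        "alice describe topic from 127.0.0.1":
            model.authorize("User:alice", "127.0.0.1", "Describe", "Topic:test"),
        # the broker's own inter-broker principal from the JAAS file has no ACL
        "admin clusteraction on cluster":
            model.authorize("User:admin", "127.0.0.1", "ClusterAction", "Cluster:kafka-cluster"),
    }


if __name__ == "__main__":
    for label, allowed in decisions().items():
        print(f"{label}: {'Allow' if allowed else 'Deny'}")
    print("with super.users=User:admin ->",
          decisions(super_users=["User:admin"])["admin clusteraction on cluster"])
```

The last two calls are the ones worth checking on a real cluster: a consumer run as alice should be refused once the authorizer is active, and the broker's inter-broker principal should appear either in super.users or with an explicit Cluster ACL before the authorizer is enabled, so that the broker itself is never the first thing the new policy locks out.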