Finally I figured it out: I missed adding the super user in config/server.properties. Now everything works fine.

2017-06-12 19:19 GMT+08:00 linbo liao <llbg...@gmail.com>:

> Thanks Tom, I missed it.
>
> I added authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer,
> and granted user:alice operation permission on the cluster, but it still failed
> when publishing a message. The error message said LEADER_NOT_AVAILABLE.
>
> $ bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --list
> Current ACLs for resource `Topic:test`:
>     User:alice has Allow permission for operations: Write from hosts: 127.0.0.1
>     User:alice has Deny permission for operations: Read from hosts: *
>
> Current ACLs for resource `Cluster:kafka-cluster`:
>     User:alice has Allow permission for operations: All from hosts: *
>
> $ bin/kafka-console-producer.sh --broker-list localhost:9092 --producer.config config/producer.properties --topic test
> job
> [2017-06-12 11:14:41,318] WARN Error while fetching metadata with correlation id 1 : {test=LEADER_NOT_AVAILABLE} (org.apache.kafka.clients.NetworkClient)
>
> $ bin/kafka-topics.sh --zookeeper localhost:2181 --topic test --describe
> Topic:test PartitionCount:1 ReplicationFactor:1 Configs:
>     Topic: test Partition: 0 Leader: 0 Replicas: 0 Isr: 0
>
> 2017-06-12 16:43 GMT+08:00 Tom Bentley <t.j.bent...@gmail.com>:
>
>> Hi,
>>
>> Did you set
>>
>> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
>>
>> as described here at
>> http://docs.confluent.io/current/kafka/authorization.html#further-configuration
>>
>> HTH,
>>
>> Tom
>>
>> On 11 June 2017 at 04:40, linbo liao <llbg...@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I tried to set Kafka ACLs for topic access permission following the Kafka
>>> security document <http://kafka.apache.org/documentation/#security_authz>,
>>> but it looks like the Deny ACL doesn't work.
>>>
>>> *My Environment:*
>>>
>>> VM: Ubuntu 12.04 LTS x86_64
>>> JAVA: openjdk version "1.8.0_111"
>>> Kafka: kafka_2.12-0.10.2.1
>>>
>>> I set up one broker and use kafka-console-consumer.sh and
>>> kafka-console-producer.sh to test.
>>>
>>> *Broker setup:*
>>>
>>> The broker startup script already adds the JAAS parameter.
>>>
>>> $ cat kafka_server_jaas.conf
>>>
>>>     KafkaServer {
>>>         org.apache.kafka.common.security.plain.PlainLoginModule required
>>>         username="admin"
>>>         password="admin"
>>>         user_admin="admin"
>>>         user_alice="alice";
>>>     };
>>>
>>> config/server.properties
>>>
>>>     listeners=SASL_PLAINTEXT://0.0.0.0:9092
>>>     security.inter.broker.protocol=SASL_PLAINTEXT
>>>     sasl.mechanism.inter.broker.protocol=PLAIN
>>>     sasl.enabled.mechanisms=PLAIN
>>>
>>> *Client setup:*
>>>
>>> The producer/consumer startup script already adds the JAAS parameter.
>>>
>>> $ cat client_jaas.conf
>>>
>>>     KafkaClient {
>>>         org.apache.kafka.common.security.plain.PlainLoginModule required
>>>         username="alice"
>>>         password="alice";
>>>     };
>>>
>>> config/consumer.properties & config/producer.properties
>>>
>>>     security.protocol=SASL_PLAINTEXT
>>>     sasl.mechanism=PLAIN
>>>
>>> 1. create topic
>>>
>>>     $ bin/kafka-topics.sh --create --zookeeper localhost:2181 --replication-factor 1 --partitions 1 --topic test
>>>
>>> 2. set up topic ACL
>>>
>>>     $ bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --list --topic test
>>>     Current ACLs for resource `Topic:test`:
>>>         User:alice has Allow permission for operations: Write from hosts: 127.0.0.1
>>>         User:alice has Deny permission for operations: Read from hosts: *
>>>
>>> Although I deny Read permission for user alice from all hosts, the consumer I
>>> start can still receive messages.
>>>
>>> produce a message "test"
>>>
>>>     $ bin/kafka-console-producer.sh --broker-list localhost:9092 --producer.config config/producer.properties --topic test
>>>     test
>>>
>>> the consumer receives this message
>>>
>>>     $ bin/kafka-console-consumer.sh --bootstrap-server localhost:9092 --topic test --consumer.config config/consumer.properties --from-beginning
>>>     [2017-06-11 03:37:55,998] WARN The configuration 'zookeeper.connect' was supplied but isn't a known config. (org.apache.kafka.clients.consumer.ConsumerConfig)
>>>     [2017-06-11 03:37:55,999] WARN The configuration 'zookeeper.connection.timeout.ms' was supplied but isn't a known config. (org.apache.kafka.clients.consumer.ConsumerConfig)
>>>     test
>>>
>>> Why doesn't the Deny on the Read operation work? Did I miss something?
>>>
>>> Thanks,
>>> Linbo
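As an added illustration (not code from the thread): a small POSIX-shell audit of the two server.properties settings the thread ended up needing. It assumes the inter-broker user is admin, as in the JAAS file above; the file paths and sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Two settings decide whether Kafka ACLs
# mean anything: without authorizer.class.name every ACL (Deny included) is
# silently ignored, and once the authorizer is on, the broker's own SASL user
# needs super.users or its metadata requests are denied (LEADER_NOT_AVAILABLE).
# The principal name and file paths below are assumptions for the demo.

# Return 0 when both keys are present and super.users lists the principal;
# otherwise print what is missing and return 1.
check_acl_config() {
  file="$1"; principal="$2"; rc=0
  if ! grep -Eq '^[[:space:]]*authorizer\.class\.name[[:space:]]*=' "$file"; then
    echo "missing: authorizer.class.name (ACLs are not enforced at all)"; rc=1
  fi
  if ! grep -E '^[[:space:]]*super\.users[[:space:]]*=' "$file" | grep -qw "User:$principal"; then
    echo "missing: super.users lacks User:$principal (broker gets denied Cluster access)"; rc=1
  fi
  return $rc
}

# Constructed sample: the broker config from the thread, before the fix.
tmp=$(mktemp -d)
cat > "$tmp/before.properties" <<'EOF'
listeners=SASL_PLAINTEXT://0.0.0.0:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
EOF

# The same config with the authorizer enabled and the inter-broker user
# made a super user, which is what resolved the thread.
cat > "$tmp/after.properties" <<'EOF'
listeners=SASL_PLAINTEXT://0.0.0.0:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:admin
EOF

check_acl_config "$tmp/before.properties" admin || echo "before: FAIL (expected)"
check_acl_config "$tmp/after.properties" admin && echo "after: OK"
```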