Hi Vahid,

Thanks for your response. Below are more details:
1. I do not have a JAAS file created. The setup I have on the 3-node Kafka
cluster is 2-way SSL. Not using Plaintext or SASL as I do not have
Kerberos or Sentry enabled.
2. All 3 nodes server.properties files have:
authorizer.class.name...
listeners=SSL...
security.inter.broker.protocol=SSL

Do not have any sasl* properties in any file
3. Able to change ACLs on topics using the authorizer CLI, and the issue is that even
though ACLs exist, anyone was able to produce/consume Kafka messages.

Any thoughts on what could be the problem?

Best,
Sruthi Kumar


On Tue, Jul 11, 2017 at 10:45 PM, Vahid S Hashemian <
vahidhashem...@us.ibm.com> wrote:

> Hi SK,
>
> Could you please take a look at this document (
> https://developer.ibm.com/opentech/2017/05/31/kafka-acls-in-practice/) and
> confirm you performed the steps in Broker Setup on all brokers?
>
> Thanks.
> --Vahid
>
>
>
> From:   Sruthi Kumar Annamneedu <sruthikumar...@gmail.com>
> To:     users@kafka.apache.org
> Date:   07/11/2017 07:29 PM
> Subject:        Kafka authorizer ACLs question
>
>
>
> Hi,
>
> I am hoping someone from the community can help me clarify the Kafka
> authorizer feature.
>
> *Question:* Do I have to set up any property other than '
> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer' in
> server.properties file to activate ACLs using Kafka Authorizer?
>
> *Background:* We have a 3-node Kafka cluster (Cloudera environment). N1, N2,
> and N3 for Kafka. On all 3 nodes, I have updated the server properties file
> with authorizer.class.name and also with 'allow.everyone.if.no.acl.found=false'
> properties. Expectation is not to allow anyone to produce/consume messages
> on a test topic as I have not set up ACLs on the test topic yet.
>
> *Actual result:* I am able to produce/consume messages just like setting
> up these two properties. Not exactly sure what I am missing.
>
> *Expected result:* Error message complaining that ACLs are blocking
> producing/consuming messages.
>
> Thank you in advance for your time.
>
> Best,
> SK
>
>
>
>
>
