Hi Rajini
The above configuration that you mentioned a while back helped me sort the
issue of listeners and I was also able to run Kafka 0.10.2.1 with SSL and
ACLs as well from one of your other posts.
I wanted to ask you if it is possible to run Kafka in a mixed security
mode? i.e. external producers who are on 172.x.x.x interface can use the
SSL to send/receive data from/to our Kafka brokers, but our internal
consumer can read/write on PLAINTEXT channel to Kafka.
Here is my server.properties, but my internal producer which does not have
any keystore and truststore is getting the following error:
*[2018-04-03 21:21:04,378] WARN Error while fetching metadata with
correlation id 1 : {Topic4006=TOPIC_AUTHORIZATION_FAILED}
(org.apache.kafka.clients.NetworkClient)*
*server.properties for our Kafka-1,2,3. They are identical except broker.id
<http://broker.id> and super.users properties.*
# ID and basic topic creation
broker.id=1
auto.create.topics.enable=true
delete.topic.enable=true
# LISTERN Settings
listeners=INTERNAL://1.1.1.165:9092,EXTERNAL://172.21.190.176:9093
advertised.listeners=INTERNAL://1.1.1.165:9092,EXTERNAL://
172.21.190.176:9093
listener.security.protocol.map=INTERNAL:PLAINTEXT,EXTERNAL:SSL
inter.broker.listener.name=INTERNAL
host.name=172.21.190.176
# Security Settings
ssl.keystore.location=keystore.jks
ssl.keystore.password=password
ssl.key.password=password
ssl.truststore.location=truststore.jks
ssl.truststore.password=password
ssl.keystore.type=JKS
ssl.truststore.type=JKS
security.protocol=SSL
ssl.client.auth=required
allow.everyone.if.no.acl.found=false
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:CN=Kafka1
Can you please point out if anything needs to be modified ?
Many thanks.
--Darshan
On Wed, May 31, 2017 at 11:31 AM, Rajini Sivaram <rajinisiva...@gmail.com>
wrote:
> If you want to use different interfaces with the same security protocol,
> you can specify listener names. You can then also configure different
> security properties for internal/external if you need.
>
> listeners=INTERNAL://1.x.x.x:9092,EXTERNAL://172.x.x.x:9093
>
> advertised.listeners=INTERNAL://1.x.x.x:9092,EXTERNAL://172.x.x.x:9093
>
> listener.security.protocol.map=INTERNAL:SSL,EXTERNAL:SSL
>
> inter.broker.listener.name=INTERNAL
>
> On Wed, May 31, 2017 at 6:22 PM, Raghav <raghavas...@gmail.com> wrote:
>
> > Hello Darshan
> >
> > Have you tried SSL://0.0.0.0:9093 ?
> >
> > Rajani had suggested something similar to me a week back while I was
> > trying to get a ACL based setup.
> >
> > Thanks.
> >
> > On Wed, May 31, 2017 at 8:58 AM, Darshan <purandare.dars...@gmail.com>
> > wrote:
> >
> >> Hi
> >>
> >> Our Kafka broker has two IPs on two different interfaces.
> >>
> >> eth0 has 172.x.x.x for external leg
> >> eth1 has 1.x.x.x for internal leg
> >>
> >>
> >> Kafka Producer is on 172.x.x.x subnet, and Kafka Consumer is on 1.x.x.x
> >> subnet.
> >>
> >> If we use advertised.listeners=SSL://172.x.x.x:9093, then Producer can
> >> producer the message, but Consumer cannot receive the message.
> >>
> >> What value should we use for advertised.listeners so that Producer can
> >> write and Consumers can read ?
> >>
> >> Thanks.
> >>
> >
> >
> >
> > --
> > Raghav
> >
>
