kafka-acls.sh --list failed when zookeeper SASL/PLAIN authentication is enabled

Wed, 26 Dec 2018 02:28:19 -0800 

I have a kakfa/zookeeper(embedded zookeeper) cluster with SASL/PLAIN + ACL
enabled.
It worked fine with version kafka_2.12-1.0.0. But recently, I need to
upgrade to kafka_2.12-2.1.0. Unfortunately, the ACL function cannot work
normally.

kafka-acls.sh command failed, for example:

> # echo $KAFKA_OPTS
>
> KAFKA_OPTS=-Djava.security.auth.login.config=/work/sasl/kafka_server_jaas.conf
>
#

# /kafka_2.12-2.1.0/bin/kafka-acls.sh --authorizer
> kafka.security.auth.SimpleAclAuthorizer --authorizer-properties
> zookeeper.connect=zookeeper.example.com:2181 --list --topic test-topic



The error message from screen is:

> Error while executing ACL command: KeeperErrorCode = InvalidACL for
> /kafka-acl
> org.apache.zookeeper.KeeperException$InvalidACLException: KeeperErrorCode
> = InvalidACL for /kafka-acl
> at org.apache.zookeeper.KeeperException.create(KeeperException.java:121)
> at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
> at kafka.zookeeper.AsyncResponse.maybeThrow(ZooKeeperClient.scala:494)
> at kafka.zk.KafkaZkClient.createRecursive(KafkaZkClient.scala:1416)
> at kafka.zk.KafkaZkClient.createAclPaths(KafkaZkClient.scala:931)
> at
> kafka.security.auth.SimpleAclAuthorizer.configure(SimpleAclAuthorizer.scala:96)
> at kafka.admin.AclCommand$.withAuthorizer(AclCommand.scala:78)
> at kafka.admin.AclCommand$.listAcl(AclCommand.scala:119)
> at kafka.admin.AclCommand$.main(AclCommand.scala:56)
> at kafka.admin.AclCommand.main(AclCommand.scala)
>

The zookeeper log is:

> zookeeper.example.com    | [2018-12-26 09:46:09,622] ERROR Missing
> AuthenticationProvider for sasl
> (org.apache.zookeeper.server.PrepRequestProcessor)
> zookeeper.example.com    | [2018-12-26 09:46:09,622] INFO Got user-level
> KeeperException when processing sessionid:0x167e9e2c60c0003 type:create
> cxid:0x3 zxid:0x10000008a txntype:-1 reqpath:n/a Error Path:/kafka-acl
> Error:KeeperErrorCode = InvalidACL for /kafka-acl
> (org.apache.zookeeper.server.PrepRequestProcessor)
> zookeeper.example.com    | [2018-12-26 09:46:09,704] INFO Processed
> session termination for sessionid: 0x167e9e2c60c0003
> (org.apache.zookeeper.server.PrepRequestProcessor)
>

The  kafka SASL configure file /work/sasl/kafka_server_jaas.conf content is:

> # cat /work/sasl/kafka_server_jaas.conf
> KafkaServer {
>     org.apache.kafka.common.security.plain.PlainLoginModule required
>     username="admin"
>     password="adminpwd"
>     user_admin="adminpwd"
>     user_alice="alicepwd";
> };
>
> KafkaClient {
>     org.apache.kafka.common.security.plain.PlainLoginModule required
>     username="alice"
>     password="alicepwd";
> };
>
> Client {
>     org.apache.kafka.common.security.plain.PlainLoginModule required
>     username="admin"
>     password="adminpwd";
> };
>

And zookeeper SASL configure file zookeeper_jaas.conf content is:

> # cat /work/sasl/zookeeper_jaas.conf
> Server {
>     org.apache.kafka.common.security.plain.PlainLoginModule required
>     username="admin"
>     password="adminpwd"
>     user_admin="adminpwd";
> };
>


Anybody can help this ? thanks.
Hui

Reply via email to