
Kafka producer/consumer Topic not authorized

Whenever I try to connect to Kafka to produce/consume I get "Not authorized for topics [test2]"

If I turn off the authorization I get authenticated successfully, so the authentication works and only the authorization doesn't.

ACL authorization with kafka.security.auth.SimpleAclAuthorizer not working.

config/server.properties

authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
listeners=SASL_PLAINTEXT://kafka3:9092
security.inter.broker.protocol= SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
delete.topic.enable=false

logs/kafka-authorizer

[2019-04-06 13:24:05,693] DEBUG No acl found for resource Topic:LITERAL:test2, authorized = false (kafka.authorizer.logger)
[2019-04-06 13:24:05,695] INFO Principal = User:alice is Denied Operation = Describe from host = 10.0.9.20 on resource = Topic:LITERAL:test2 (kafka.authorizer.logger)

super.users=User:admin

server's jaas file:

KafkaServer {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="admin"
    password="admin"
    user_admin="admin"
    user_alice="alice";
};

bin/kafka-server-start.sh

$base_dir/kafka-run-class.sh $EXTRA_ARGS -Djava.security.auth.login.config=$base_dir/../config/jaas-kafka-server.conf kafka.Kafka "$@"

acl output:

Current ACLs for resource `Topic:LITERAL:test2`:
    User:alice has Allow permission for operations: Write from hosts: *

User alice is currently only authorized to Write to that topic. You would also likely want to add the Describe and Read ACLs to be able to properly produce to and consume from your existing topic.

The kafka-acls tool provides the convenience options --consumer and --producer when adding ACLs to a topic. Otherwise, you can use --operation to add specific operations such as Describe. By adding Describe, you'd remove the log line you're currently seeing in logs/kafka-authorizer.
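To see which ACLs are missing without guessing, the authorizer log quoted in the question can be parsed directly. The following is an added example (not from the question or either answer) that extracts Denied decisions and "No acl found" resources from constructed sample lines in that format, and compares a topic's granted operations against what producing (Write + Describe) or consuming (Read + Describe on the topic, plus Read on the group) needs:

```python
import re
from collections import defaultdict

# Constructed sample of logs/kafka-authorizer lines, in the format shown in the
# question; the group name and the admin/Allowed line are made up for the demo.
SAMPLE_LOG = """\
[2019-04-06 13:24:05,693] DEBUG No acl found for resource Topic:LITERAL:test2, authorized = false (kafka.authorizer.logger)
[2019-04-06 13:24:05,695] INFO Principal = User:alice is Denied Operation = Describe from host = 10.0.9.20 on resource = Topic:LITERAL:test2 (kafka.authorizer.logger)
[2019-04-06 13:24:07,101] INFO Principal = User:alice is Denied Operation = Read from host = 10.0.9.20 on resource = Group:LITERAL:my-group (kafka.authorizer.logger)
[2019-04-06 13:24:09,420] INFO Principal = User:admin is Allowed Operation = Write from host = 10.0.9.21 on resource = Topic:LITERAL:test2 (kafka.authorizer.logger)
"""

DECISION_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] INFO Principal = (?P<principal>\S+) is (?P<verdict>Allowed|Denied) "
    r"Operation = (?P<op>\S+) from host = (?P<host>\S+) on resource = (?P<resource>\S+?)"
    r"\s*\(kafka\.authorizer\.logger\)")
NO_ACL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] DEBUG No acl found for resource (?P<resource>\S+), "
    r"authorized = (?P<authorized>true|false)")

def parse_authorizer_log(text):
    """Return (decisions, no_acl_resources): one dict per Allowed/Denied line, and the
    set of resources for which the broker found no ACL at all (authorized = false)."""
    decisions, no_acl = [], set()
    for line in text.splitlines():
        m = DECISION_RE.match(line)
        if m:
            decisions.append(m.groupdict())
            continue
        m = NO_ACL_RE.match(line)
        if m and m.group("authorized") == "false":
            no_acl.add(m.group("resource"))
    return decisions, no_acl

def denied_operations(decisions):
    """Map (principal, resource) -> sorted list of operations that were denied."""
    denied = defaultdict(set)
    for d in decisions:
        if d["verdict"] == "Denied":
            denied[(d["principal"], d["resource"])].add(d["op"])
    return {key: sorted(ops) for key, ops in denied.items()}

# Topic operations a producer or consumer needs (the --producer/--consumer
# convenience flags grant these; a consumer additionally needs Read on its group).
ROLE_TOPIC_OPS = {"producer": {"Write", "Describe"}, "consumer": {"Read", "Describe"}}

def missing_topic_operations(granted, role):
    """Operations still to be added for `role`, given the topic's granted operations."""
    return sorted(ROLE_TOPIC_OPS[role] - set(granted))
```

With the question's ACL listing (alice has only Write), missing_topic_operations(["Write"], "producer") reports Describe, and the "consumer" role reports Describe and Read.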

Since you would like to consume and produce messages on a particular topic with ACLs turned on, you need to apply ACLs on the topic to consume from and produce to it. You need to do this through a super user like kafka.

Log in to a Kafka broker, then use the commands below:

sudo su - kafka

kinit -kt /path/to/keytabs/kafka.service.keytab kafka/serviceprincipal name@domain name (you can get it from kafka jaas file)

Then, from the Kafka directory, execute these commands:

bin/kafka-acls.sh --add --allow-principal User:* --consumer --topic test2 --authorizer-properties zookeeper.connect=:2181 --group '*'

Similarly, for a producer to push messages to the topic:

bin/kafka-acls.sh --add --allow-principal User:* --producer --topic test2 --authorizer-properties zookeeper.connect=:2181

The above commands will apply ACLs to all users. You can restrict them by specifying an individual user name instead of '*' in the command.

** Remember that you should not have any text file or any other file, other than the files/directories installed by Kafka, in the bin directory as part of the Kafka installation.

To get more info on ACLs (adding/removing, listing), go to the link below:

https://docs.confluent.io/current/kafka/authorization.html
