I am exploring on the Security capabilities of Kafka 0.9.1 but unable to use it successfully.
I have set below configuration in my server.properties
allow.everyone.if.no.acl.found=false
super.users=User:root;User:kafka
I created an ACL using below command
./kafka-acls.sh --authorizer-properties zookeeper.connect=<zk_host:port> --add --allow-principal User:imit --allow-host <allowed_host> --topic imit --producer --consumer --group imit-consumer-group
and I see below response for it
Current ACLs for resource `Topic:imit`:
User:imit has Allow permission for operations: Describe from hosts: <allowed_host>
User:imit has Allow permission for operations: Read from hosts: <allowed_host>
User:imit has Allow permission for operations: Write from hosts: <allowed_host>
Note: Values mentioned in <> are replaced with some dummy values in the question and used correctly while creating the ACL
I have following observations:
Though I define the rule for imit topic to access for a particular using from a given host yet I can write to the topic from any host using any user account.
I am unable to read the messages from topic from any host or any user account (even using the one for which I have defined the rules).
I am running Kafka on RHEL 6.7 and all the users are local.
Am I missing any configuration parameters or commands to manage authorization, or is Kafka behaving in a weird way?
Also where can I getting authorization related logs in Kafka?
1 Answer 1
You are probably missing the below settings, in your Server.properties.
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
-- Adding this line would enable the ACL to work via SimpleAclAuthorizer. -- Kafka by default comes with the kafka.security.auth.SimpleAclAuthorizer defined by the parameter authorizer.class.name
you can try the below setup which might give complete idea.