[https://issues.apache.org/jira/browse/KAFKA-3687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15755625#comment-15755625]
Raghu Baddam edited comment on KAFKA-3687 at 12/16/16 11:11 PM:
----------------------------------------------------------------
[~rsivaram]: I am about to send an email to you :), your suggestion is really helpful.
{code}
[2016-12-16 21:55:36,720] DEBUG Principal = User:CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown is Allowed Operation = Create from host = 172.28.89.63 on resource = Cluster:kafka-cluster (kafka.authorizer.logger)
{code}
Finally I am getting the user exactly as I set it in my SSL cert (not Anonymous).
But I am getting another error, i.e.
{code}
[2016-12-16 13:55:36,449] WARN Error while fetching metadata with correlation id 45 : {my-ssl-topic=LEADER_NOT_AVAILABLE} (org.apache.kafka.clients.NetworkClient)
[2016-12-16 13:55:36,609] WARN Error while fetching metadata with correlation id 46 : {my-ssl-topic=LEADER_NOT_AVAILABLE} (org.apache.kafka.clients.NetworkClient)
[2016-12-16 13:55:36,766] WARN Error while fetching metadata with correlation id 47 : {my-ssl-topic=LEADER_NOT_AVAILABLE} (org.apache.kafka.clients.NetworkClient)
{code}
I created the topic and my kafka node is working without any issues (I restarted it several times).
{code}
[raghu@Kafka-238343-1-33109167 kafka_2.11-0.10.1.0]$ bin/kafka-topics.sh --describe --zookeeper localhost:2181 --topic my-ssl-topic
Topic:my-ssl-topic PartitionCount:1 ReplicationFactor:1 Configs:
Topic: my-ssl-topic Partition: 0 Leader: 0 Replicas: 0 Isr: 0
{code}
> Internal Authorization Failure at startup with ACLs and
> security.inter.broker.protocol=PLAINTEXT
> ------------------------------------------------------------------------------------------------
>
> Key: KAFKA-3687
> URL: https://issues.apache.org/jira/browse/KAFKA-3687
> Project: Kafka
> Issue Type: Bug
> Affects Versions: 0.10.0.0
> Reporter: Edoardo Comar
>
> The root cause is this failure in the authorizer.log at server startup:
> [] DEBUG Principal = User:ANONYMOUS is Denied Operation = ClusterAction from host = 192.168.10.22 on resource = Cluster:kafka-cluster (kafka.authorizer.logger)
> and has the *consequence that it's impossible to authorize a producer*.
> Steps to reproduce :
> [~mimaison] and I launched a single broker and a console producer,
> using the SASL_PLAIN authentication between producer and broker.
> Created a topic "testtopic".
> The broker is configured with the SimpleAclAuthorizer
> and the ACL created for the producer is :
> ./kafkacls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:edo1 --producer --topic testtopic
> which results in :
> Current ACLs for resource `Topic:testtopic`:
> User:edo1 has Allow permission for operations: Write from hosts: *
> User:edo1 has Allow permission for operations: Describe from hosts: *
> Current ACLs for resource `Cluster:kafka-cluster`:
> User:edo1 has Allow permission for operations: Create from hosts: *
> However, running the producer, we got:
> [] WARN Error while fetching metadata with correlation id 0 : {testtopic=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
> Looking at the code, the UpdateMetadataRequest that the single broker sends to
> itself on startup, which comes through as a request with User:ANONYMOUS, gets denied by the
> Authoriser (in KafkaApis.handleUpdateMetadataRequest)
> and the MetadataCache is never updated.
> When the first producer requests come through, in KafkaApis.handleTopicMetadataRequest
> the MetadataCache is empty and so we get UNKNOWN_TOPIC_OR_PARTITION.
> ================================
> configuration used:
> server.properties:
> listeners=PLAINTEXT://:9092,SASL_PLAINTEXT://:9093
> sasl.enabled.mechanisms=PLAIN
> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
> producer.properties
> bootstrap.servers=localhost:9093
> security.protocol=SASL_PLAINTEXT
> sasl.mechanism=PLAIN
> producer jaas.conf
> KafkaClient {
> org.apache.kafka.common.security.plain.PlainLoginModule required
> serviceName="kafka"
> username="edo1"
> password="edo1pwd";
> };
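Added example, not from this issue or the Kafka project: a small Python check over authorizer-log lines in the format quoted above that flags the KAFKA-3687 signature (User:ANONYMOUS denied ClusterAction on the cluster resource), which is what an inter-broker listener that does not authenticate looks like under an ACL authorizer. The sample log lines are constructed from the entries in this thread; the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Matches the kafka.authorizer.logger line format quoted in this issue.
AUTHZ_RE = re.compile(
    r"Principal = (?P<principal>.+?) is (?P<decision>Allowed|Denied) "
    r"Operation = (?P<operation>\S+) from host = (?P<host>\S+) "
    r"on resource = (?P<resource>\S+)"
)


@dataclass
class AuthzEvent:
    principal: str
    decision: str
    operation: str
    host: str
    resource: str


def parse_authz_line(line):
    """Return an AuthzEvent for an authorizer log line, or None for other lines."""
    m = AUTHZ_RE.search(line)
    return AuthzEvent(**m.groupdict()) if m else None


def inter_broker_denials(lines):
    """Events where the unauthenticated principal is denied ClusterAction on the
    cluster resource: the broker's own UpdateMetadataRequest being rejected, which
    leaves the MetadataCache empty and producers seeing UNKNOWN_TOPIC_OR_PARTITION."""
    hits = []
    for line in lines:
        ev = parse_authz_line(line)
        if ev is None:
            continue
        if (ev.decision == "Denied" and ev.principal == "User:ANONYMOUS"
                and ev.operation == "ClusterAction"
                and ev.resource.startswith("Cluster:")):
            hits.append(ev)
    return hits


# Constructed sample: one allow, one deny, one unrelated client-side warning.
SAMPLE_LOG = [
    "[2016-12-16 21:55:36,720] DEBUG Principal = User:CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown is Allowed Operation = Create from host = 172.28.89.63 on resource = Cluster:kafka-cluster (kafka.authorizer.logger)",
    "[] DEBUG Principal = User:ANONYMOUS is Denied Operation = ClusterAction from host = 192.168.10.22 on resource = Cluster:kafka-cluster (kafka.authorizer.logger)",
    "[2016-12-16 13:55:36,449] WARN Error while fetching metadata with correlation id 45 : {my-ssl-topic=LEADER_NOT_AVAILABLE} (org.apache.kafka.clients.NetworkClient)",
]

if __name__ == "__main__":
    for ev in inter_broker_denials(SAMPLE_LOG):
        print(f"inter-broker auth failure from {ev.host}: {ev.principal} denied {ev.operation} on {ev.resource}")
```

Run it against the broker's authorizer log (with DEBUG enabled for kafka.authorizer.logger) to confirm whether the inter-broker listener is really presenting the principal you granted ClusterAction to.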
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)