[
https://issues.apache.org/jira/browse/METRON-819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15961124#comment-15961124
]
ASF GitHub Bot commented on METRON-819:
---------------------------------------
Github user nickwallen commented on the issue:
https://github.com/apache/incubator-metron/pull/507
The issues that I am having currently are with Quick Dev. But I have
actually been able to do this on a separate cluster in a slightly different
way. On the other cluster, I did not use the `--group` option when setting the
ACL. If I did set the group, then I had to ensure that the group matched what
was used by the `kafka-console-producer`.
So as a test, I granted access without the `--group`.
1. Grant access. Look ma, no group.
```
[root@node1 ~]# kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-properties zookeeper.connect=node1:2181 --add --allow-principal User:metron --topic yaf
Adding ACLs for resource `Topic:yaf`:
User:metron has Allow permission for operations: All from hosts: *
Current ACLs for resource `Topic:yaf`:
User:metron has Allow permission for operations: All from hosts: *
```
2. Validate the ACL. Looks good this time.
```
[root@node1 ~]# kafka-acls.sh --list --topic yaf --authorizer-properties zookeeper.connect=node1:2181 --authorizer kafka.security.auth.SimpleAclAuthorizer
Current ACLs for resource `Topic:yaf`:
User:metron has Allow permission for operations: All from hosts: *
```
3. And now I can send data successfully.
```
[root@node1 ~]# echo "foo" | kafka-console-producer.sh --broker-list node1:6667 --topic yaf --security-protocol SASL_PLAINTEXT
[2017-04-07 17:05:28,830] WARN The TGT cannot be renewed beyond the next expiry date: Sat Apr 08 16:11:26 UTC 2017.This process will not be able to authenticate new SASL connections after that time (for example, it will not be able to authenticate a new connection with a Kafka Broker). Ask your system administrator to either increase the 'renew until' time by doing : 'modprinc -maxrenewlife null ' within kadmin, or instead, to generate a keytab for null. Because the TGT's expiry cannot be further extended by refreshing, exiting refresh thread now. (org.apache.kafka.common.security.kerberos.KerberosLogin)
```
> Document kafka console producer parameter for sensors with kerberos
> -------------------------------------------------------------------
>
> Key: METRON-819
> URL: https://issues.apache.org/jira/browse/METRON-819
> Project: Metron
> Issue Type: Improvement
> Reporter: Michael Miklavcic
> Assignee: Michael Miklavcic
>
> Snort and Yaf use the Kafka console producer. These sensors need an
> additional parameter to work with Kerberos.