[ 
https://issues.apache.org/jira/browse/KAFKA-6112?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16216973#comment-16216973
 ] 

Jagadish Prasath Ramu commented on KAFKA-6112:
----------------------------------------------

Let me know if SSL + ACL is not supported.

> SSL + ACL does not seem to work
> -------------------------------
>
>                 Key: KAFKA-6112
>                 URL: https://issues.apache.org/jira/browse/KAFKA-6112
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.11.0.0, 0.11.0.1
>            Reporter: Jagadish Prasath Ramu
>
> I'm trying to enable ACLs for a cluster that has SSL-based authentication 
> set up.
> A similar issue (or exceptions) has been reported in the following JIRA:
> https://issues.apache.org/jira/browse/KAFKA-3687 (refer to the last 2 exceptions 
> that were posted after the issue was closed).
> Error messages seen in the producer:
> {noformat}
> [2017-10-24 18:32:25,254] WARN Error while fetching metadata with correlation 
> id 349 : {t1=LEADER_NOT_AVAILABLE} (org.apache.kafka.clients.NetworkClient)
> [2017-10-24 18:32:25,362] WARN Error while fetching metadata with correlation 
> id 350 : {t1=LEADER_NOT_AVAILABLE} (org.apache.kafka.clients.NetworkClient)
> [2017-10-24 18:32:25,470] WARN Error while fetching metadata with correlation 
> id 351 : {t1=LEADER_NOT_AVAILABLE} (org.apache.kafka.clients.NetworkClient)
> [2017-10-24 18:32:25,575] WARN Error while fetching metadata with correlation 
> id 352 : {t1=LEADER_NOT_AVAILABLE} (org.apache.kafka.clients.NetworkClient)
> {noformat}
> Security-related Kafka config.properties:
> {noformat}
> ssl.keystore.location=kafka.server.keystore.jks
> ssl.keystore.password=abc123
> ssl.key.password=abc123
> ssl.truststore.location=kafka.server.truststore.jks
> ssl.truststore.password=abc123
> ssl.client.auth=required
> ssl.enabled.protocols = TLSv1.2,TLSv1.1,TLSv1
> ssl.keystore.type = JKS
> ssl.truststore.type = JKS
> security.inter.broker.protocol = SSL
> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
> allow.everyone.if.no.acl.found=false
> super.users=User:Bob;User:"CN=localhost,OU=XXX,O=XXXX,L=XXX,ST=XX,C=XX"
> listeners=PLAINTEXT://0.0.0.0:9092,SSL://0.0.0.0:9093
> {noformat}
> Client configuration file:
> {noformat}
> security.protocol=SSL
> ssl.truststore.location=kafka.client.truststore.jks
> ssl.truststore.password=abc123
> ssl.keystore.location=kafka.client.keystore.jks
> ssl.keystore.password=abc123
> ssl.key.password=abc123
> ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
> ssl.truststore.type=JKS
> ssl.keystore.type=JKS
> group.id=group-1
> {noformat}
> The debug messages in the authorizer log do not show any "DENY" messages.
> {noformat}
> [2017-10-24 18:32:26,319] DEBUG operation = Create on resource = 
> Cluster:kafka-cluster from host = 127.0.0.1 is Allow based on acl = 
> User:CN=localhost,OU=XXX,O=XXXX,L=XXX,ST=XX,C=XX has Allow permission for 
> operations: Create from hosts: 127.0.0.1 (kafka.authorizer.logger)
> [2017-10-24 18:32:26,319] DEBUG Principal = 
> User:CN=localhost,OU=XXX,O=XXXX,L=XXX,ST=XX,C=XX is Allowed Operation = 
> Create from host = 127.0.0.1 on resource = Cluster:kafka-cluster 
> (kafka.authorizer.logger)
> {noformat}
> I have followed the scripts stated in the thread:
> http://comments.gmane.org/gmane.comp.apache.kafka.user/12619



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
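
The claim that the authorizer log shows no denials can be checked mechanically rather than by eye. The following is an added example, not part of the JIRA message or of Kafka's code: it unwraps mail-quoted kafka.authorizer.logger records and tallies the decisions. It assumes a Denied record has the same layout as the Allowed record quoted in the report; the second sample record and its principal User:CN=example-client are constructed.

```python
import re
from collections import Counter

# Sample input. Record 1 is the audit line quoted in the report ('>' quoted and
# wrapped by the mailer). Record 2 is CONSTRUCTED: a hypothetical principal,
# assuming a Denied record has the same layout as the Allowed one.
SAMPLE = """\
> [2017-10-24 18:32:26,319] DEBUG Principal =
> User:CN=localhost,OU=XXX,O=XXXX,L=XXX,ST=XX,C=XX is Allowed Operation =
> Create from host = 127.0.0.1 on resource = Cluster:kafka-cluster
> (kafka.authorizer.logger)
> [2017-10-24 18:32:27,001] INFO Principal = User:CN=example-client is Denied
> Operation = Describe from host = 127.0.0.1 on resource = Topic:t1
> (kafka.authorizer.logger)
"""

# A new log record starts with a log4j-style timestamp in brackets.
RECORD_START = re.compile(r"^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}\] ")
# The principal is matched lazily so distinguished names containing spaces work.
AUDIT = re.compile(
    r"Principal = (?P<principal>.+?) is (?P<result>Allowed|Denied) "
    r"Operation = (?P<operation>\S+) from host = (?P<host>\S+) "
    r"on resource = (?P<resource>\S+)"
)

def unwrap(text):
    """Strip '>' quoting and rejoin records the mailer split across lines."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def audit_decisions(text):
    """Return one dict per audit record; non-audit records are skipped."""
    return [m.groupdict() for r in unwrap(text) if (m := AUDIT.search(r))]

def denied_summary(text):
    """Count Denied decisions per (principal, operation, resource)."""
    return Counter(
        (d["principal"], d["operation"], d["resource"])
        for d in audit_decisions(text) if d["result"] == "Denied"
    )
```

An empty denied_summary() over the full authorizer log supports the report that no request was denied.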
