I'm working through a Kafka implementation. I'm having issues with the
ssl.principal.mapping.rules configuration.

I've successfully started up Kafka with SSL encryption/authentication in place,
and I've successfully set up the super user using the full principal name. The
issue arises when I flip on the ssl.principal.mapping.rules. As soon as I
implement this I can no longer access my topics as a super user. When I disable
the ssl.principal.mapping.rules and go back to the full principal name I cannot
view my topics. Below are my config and the error I'm seeing. This was working
fine until I added the ssl.principal.mapping.rules=RULE:^CN=(.*?)$/$1/U,DEFAULT
section. Yes, the cert CN is 'CN=TESTINSTANCE'.

#CONFIG
broker.id=1

# SOCKET SERVER SETTINGS
num.network.threads=3
num.io.threads=8
socket.send.buffer.bytes=102400
socket.receive.buffer.bytes=102400
socket.request.max.bytes=104857600

# TLS
listeners=INTERNAL://0.0.0.0:9092,EXTERNAL://0.0.0.0:9093
advertised.listeners=INTERNAL://kaf1:9092,EXTERNAL://kaf1pub:9093
listener.security.protocol.map=INTERNAL:SSL,EXTERNAL:SSL
inter.broker.listener.name=INTERNAL
ssl.endpoint.identification.algorithm=
ssl.client.auth=required
ssl.keystore.location=/directory/to/key.jks
ssl.keystore.password=
ssl.key.password=
ssl.truststore.location=/directory/to/trust.jks
ssl.truststore.password=

# LOG BASICS
log.dirs=/directory/to/log
num.partitions=1
num.recovery.threads.per.data.dir=1

# INTERNAL TOPIC SETTINGS
offsets.topic.replication.factor=1
transaction.state.log.replication.factor=1
transaction.state.log.min.isr=1
auto.create.topics.enable=false
delete.topic.enable=true

# LOG RETENTION POLICY
log.retention.hours=168
log.segment.bytes=1073741824
log.retention.check.interval.ms=300000

# TLS KAFKA to ZOOKEEPER
zookeeper.connect=testzoo:2182/chroot
zookeeper.connection.timeout.ms=6000
zookeeper.ssl.client.enable=true
zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
zookeeper.ssl.keystore.location=/directory/to/key.jks
zookeeper.ssl.keystore.password=
zookeeper.ssl.truststore.location=/directory/to/trust.jks
zookeeper.ssl.truststore.password=

# GROUP COORDINATOR SETTINGS
group.initial.rebalance.delay.ms=0

# ACL SETTINGS
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
# For name mapping on principal
super.users=User:TESTINSTANCE
allow.everyone.if.no.acl.found=false
ssl.principal.mapping.rules=RULE:^CN=(.*?)$/$1/U,DEFAULT

Error Msg:
Error while executing topic command : org.apache.kafka.common.errors.TimeoutException: Call(callName=listTopics, deadlineMs=1589471487877) timed out at 1589471487878 after 1 attempt(s)
[2020-05-14 15:51:27,882] ERROR java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.TimeoutException: Call(callName=listTopics, deadlineMs=1589471487877) timed out at 1589471487878 after 1 attempt(s)
        at org.apache.kafka.common.internals.KafkaFutureImpl.wrapAndThrow(KafkaFutureImpl.java:45)
        at org.apache.kafka.common.internals.KafkaFutureImpl.access$000(KafkaFutureImpl.java:32)
        at org.apache.kafka.common.internals.KafkaFutureImpl$SingleWaiter.await(KafkaFutureImpl.java:89)
        at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:260)
        at kafka.admin.TopicCommand$AdminClientTopicService.getTopics(TopicCommand.scala:333)
        at kafka.admin.TopicCommand$AdminClientTopicService.listTopics(TopicCommand.scala:252)
        at kafka.admin.TopicCommand$.main(TopicCommand.scala:66)
        at kafka.admin.TopicCommand.main(TopicCommand.scala)
Caused by: org.apache.kafka.common.errors.TimeoutException: Call(callName=listTopics, deadlineMs=1589471487877) timed out at 1589471487878 after 1 attempt(s)
Caused by: org.apache.kafka.common.errors.TimeoutException: Timed out waiting for a node assignment.
 (kafka.admin.TopicCommand$)

Jonathan Goings | Database Administrator, Adv
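The rule semantics the post relies on, as an added example that is not part of the original message and not Kafka's own code: a small Python re-implementation of the documented ssl.principal.mapping.rules behaviour (a comma-separated list of RULE:pattern/replacement/[L|U] entries tried in order, where the pattern has to match the whole certificate DN and the optional trailing DEFAULT passes the DN through unchanged), plus a check that the resulting User:name is actually listed in super.users. The function names (parse_rules, map_principal, is_super_user), the extra first rule, the second super user and the sample DNs are constructed for illustration. The thing worth verifying in a setup like the one above is that every certificate presented on an SSL listener, the broker's own inter-broker certificate included, goes through the same rules, so each identity that needs super-user rights must map to exactly the name that appears in super.users.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One token per rule: "DEFAULT" or "RULE:<pattern>/<replacement>/<L|U|empty>".
# A backslash escapes the next character, so a literal '/' inside a pattern
# is written as '\/'.  This mirrors the documented rule syntax.
_RULE_TOKEN = re.compile(r"(DEFAULT)|RULE:((?:\\.|[^\\/])*)/((?:\\.|[^\\/])*)/([LU]?)")


@dataclass
class MappingRule:
    pattern: Optional[re.Pattern]  # None marks the DEFAULT rule
    replacement: str = ""
    case: str = ""                 # "", "L" (lower-case) or "U" (upper-case)

    def apply(self, dn: str) -> Optional[str]:
        """Return the mapped name, or None when this rule does not apply to dn."""
        if self.pattern is None:
            return dn
        # The pattern must match the *whole* distinguished name, not a prefix.
        if self.pattern.fullmatch(dn) is None:
            return None
        # Java-style "$1" group references become Python's "\g<1>".
        py_replacement = re.sub(r"\$(\d+)", r"\\g<\1>", self.replacement)
        name = self.pattern.sub(py_replacement, dn)
        if self.case == "L":
            return name.lower()
        if self.case == "U":
            return name.upper()
        return name


def parse_rules(rules: str) -> List[MappingRule]:
    """Parse an ssl.principal.mapping.rules value into an ordered rule list."""
    # Anything that is not a well-formed token (or a separating comma) is a
    # configuration mistake; refuse it instead of silently dropping the rule.
    leftover = _RULE_TOKEN.sub("", rules)
    if re.fullmatch(r"[\s,]*", leftover) is None:
        raise ValueError(f"malformed principal mapping rules: {rules!r}")
    parsed: List[MappingRule] = []
    for m in _RULE_TOKEN.finditer(rules):
        if m.group(1) == "DEFAULT":
            parsed.append(MappingRule(None))
        else:
            parsed.append(MappingRule(re.compile(m.group(2)), m.group(3), m.group(4)))
    return parsed


def map_principal(dn: str, rules: List[MappingRule]) -> str:
    """Apply the rules in order; the first one that matches wins."""
    for rule in rules:
        name = rule.apply(dn)
        if name is not None:
            return name
    # With no matching rule the broker cannot build a principal and the
    # peer's authentication fails, so treat it as an error here too.
    raise ValueError(f"No rules apply to {dn}")


def parse_super_users(value: str) -> set:
    """super.users is a ';'-separated list of 'User:<name>' entries."""
    return {entry.strip() for entry in value.split(";") if entry.strip()}


def is_super_user(dn: str, rules_config: str, super_users_config: str) -> bool:
    """True when the certificate DN maps to a name listed in super.users."""
    principal = "User:" + map_principal(dn, parse_rules(rules_config))
    return principal in parse_super_users(super_users_config)


# Constructed sample configuration: the post's rule plus an added first rule
# that strips the extra components from a broker certificate's subject.
SAMPLE_RULES = "RULE:^CN=(.*?),OU=Brokers.*$/$1/L,RULE:^CN=(.*?)$/$1/U,DEFAULT"
SAMPLE_SUPER_USERS = "User:TESTINSTANCE;User:kaf1"

# Constructed certificate subjects as a broker with ssl.client.auth=required
# might see them on its SSL listeners.
SAMPLE_DNS = [
    "CN=TESTINSTANCE",               # admin client with a bare CN
    "CN=kaf1,OU=Brokers,O=Example",  # a broker certificate matching rule 1
    "CN=kaf1,O=Example",             # broker certificate missing the OU
    "OU=Ops,CN=alice",               # no RULE matches, DEFAULT passes it through
]

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for dn in SAMPLE_DNS:
        mapped = map_principal(dn, rules)
        allowed = is_super_user(dn, SAMPLE_RULES, SAMPLE_SUPER_USERS)
        print(f"{dn:32} -> User:{mapped:22} super user: {allowed}")
```

Running the block prints one line per sample subject. The third subject is the instructive one: because the pattern has to match the full DN, the lazy `(.*?)` in `^CN=(.*?)$` still captures everything after `CN=`, so `CN=kaf1,O=Example` maps to `User:KAF1,O=EXAMPLE` rather than `User:KAF1`, and that principal is not a super user. Comparing the mapped names of every certificate in use against the super.users list in this way is a quick consistency check before turning the rules on.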
