The super user is indeed for the broker to be able to do all the things it
needs to do. For consumers and producers you can set the correct rights
with the acl tool. http://kafka.apache.org/documentation.html#security_authz
On Tue, Mar 22, 2016 at 8:28 PM christopher palm
Hi Ismael,
OK, I got the basic authentication/ACL authorization for SSL working with
the principal Kafka.example.com
If that principal isn't in the server.properties as a super user, I was
seeing errors on broker startup.
In order to add new principals, the server.properties has to be updated
I only have experience with option 1. In this case it's simple. You provide
the location of the keystore in the properties, so you can use multiple
certificates for multiple clients. If you like, this could even be in the
same application.
On Tue, Mar 22, 2016 at 3:13 AM Raghavan, Gopal
Hi Ismael,
Thanks for clarifying this with the example.
I tried it and it worked as you have described below!
I have a follow-up question:
Producer (PR) and Consumer (CO) are running on two different Clients and
talking to broker (BR)
Goal: Multiple Principals (P1 .. Pn) should be able to
Hi Gopal,
As you suspected, you have to set the appropriate ACLs for it to work. The
following will make the producer work:
kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 \
  --add --allow-principal "User:CN=kafka.example.com,OU=Client,O=Confluent,L=London,ST=London,C=GB" \
Hi Christopher,
On Mon, Mar 21, 2016 at 3:53 PM, christopher palm wrote:
> Does Kafka support SSL authentication and ACL authorization without
> Kerberos?
>
Yes. The following branch modifies the blog example slightly to only allow
SSL authentication.
You can use SSL certificate hostname verification for rudimentary
authentication rather than Kerberos. The two can be used together or
independently.
On Mon, Mar 21, 2016 at 8:53 AM -0700, "christopher palm"
wrote:
Hi All,
Does Kafka support SSL authentication and ACL authorization without
Kerberos?
If so, can different clients have their own SSL certificate on the same
broker?
In reading the following security article, it seems that Kerberos is an
option but not required if SSL is used.
Thanks,
Chris
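
The broker-side settings this thread discusses (SSL client authentication, ACL authorization and a super user for the broker's own principal), as an added example that is not part of any message above. The hostname, file paths, passwords and the broker's certificate DN are constructed placeholders.

```properties
# server.properties (broker) -- constructed example values throughout

# Accept only SSL connections, and use SSL between brokers as well.
listeners=SSL://kafka.example.com:9093
security.inter.broker.protocol=SSL

# Broker identity and the CAs it trusts for client certificates.
ssl.keystore.location=/path/to/broker.keystore.jks
ssl.keystore.password=<keystore-password>
ssl.key.password=<key-password>
ssl.truststore.location=/path/to/broker.truststore.jks
ssl.truststore.password=<truststore-password>

# Require a client certificate. With the default principal builder the
# certificate's full subject DN becomes the principal, e.g.
# User:CN=kafka.example.com,OU=Client,O=Confluent,L=London,ST=London,C=GB
ssl.client.auth=required

# Turn on ACL checks.
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer

# The broker's own certificate DN (placeholder), so inter-broker requests
# pass authorization. Multiple entries are separated by semicolons because
# DNs themselves contain commas.
super.users=User:CN=kafka.example.com,OU=Broker,O=Example,C=GB

# Default is false: a resource with no matching ACL is denied to everyone
# except super users.
allow.everyone.if.no.acl.found=false
```

Each client keeps its own keystore with its own certificate, and its DN is granted rights through ACLs rather than by being listed in `super.users`.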