Re: Security with SSL and not Kerberos?

2016-03-23 Thread Gerard Klijs
The super user is indeed for the broker to be able to do all the things it needs to do. For consumers and producers you can set the correct rights with the acl tool.
http://kafka.apache.org/documentation.html#security_authz

On Tue, Mar 22, 2016 at 8:28 PM christopher palm

Re: Security with SSL and not Kerberos?

2016-03-22 Thread christopher palm
Hi Ismael,

OK, I got the basic authentication/ACL authorization for SSL working with the principal Kafka.example.com. If that principal isn't in the server.properties as a super user, I was seeing errors on broker startup. In order to add new principals, the server.properties has to be updated

Re: Security with SSL and not Kerberos?

2016-03-22 Thread Gerard Klijs
I only have experience with option 1. In this case it's simple. You provide the location of the keystore in the properties, so you can use multiple certificates for multiple clients. If you like, this could even be in the same application.

On Tue, Mar 22, 2016 at 3:13 AM Raghavan, Gopal

Re: Security with SSL and not Kerberos?

2016-03-21 Thread Raghavan, Gopal
Hi Ismael,

Thanks for clarifying this with the example. I tried it and it worked as you have described below!

I have a follow-up question:

Producer (PR) and Consumer (CO) are running on two different Clients and talking to broker (BR)

Goal: Multiple Principals (P1 .. Pn) should be able to

Re: Security with SSL and not Kerberos?

2016-03-21 Thread Ismael Juma
Hi Gopal,

As you suspected, you have to set the appropriate ACLs for it to work. The following will make the producer work:

kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 \
  --add --allow-principal "User:CN=kafka.example.com,OU=Client,O=Confluent,L=London,ST=London,C=GB" \

Re: Security with SSL and not Kerberos?

2016-03-21 Thread Raghavan, Gopal
>Hi Christopher,
>On Mon, Mar 21, 2016 at 3:53 PM, christopher palm wrote:
>> Does Kafka support SSL authentication and ACL authorization without
>> Kerberos?
>>
>Yes. The following branch modifies the blog example slightly to only allow
>SSL authentication.

Re: Security with SSL and not Kerberos?

2016-03-21 Thread Ismael Juma
Hi Christopher,

On Mon, Mar 21, 2016 at 3:53 PM, christopher palm wrote:
> Does Kafka support SSL authentication and ACL authorization without
> Kerberos?
>

Yes. The following branch modifies the blog example slightly to only allow SSL authentication.

Re: Security with SSL and not Kerberos?

2016-03-21 Thread Adam Kunicki
You can use SSL certificate hostname verification for rudimentary authentication rather than Kerberos. The two can be used together or independently.

On Mon, Mar 21, 2016 at 8:53 AM -0700, "christopher palm" wrote:

Hi All, Does Kafka support SSL

Security with SSL and not Kerberos?

2016-03-21 Thread christopher palm
Hi All,

Does Kafka support SSL authentication and ACL authorization without Kerberos? If so, can different clients have their own SSL certificate on the same broker? In reading the following security article, it seems that Kerberos is an option but not required if SSL is used.

Thanks,
Chris