Raghu,

It could be because the principal used for inter-broker communication
doesn't have all the necessary permissions. If you are using PLAINTEXT for
inter-broker, the principal is ANONYMOUS; if using SSL, it would be similar
to the one you are setting for the client. You can configure the broker
principal as super.users to give it full access.

On Fri, Dec 16, 2016 at 10:16 PM, Raghu B <raghu98...@gmail.com> wrote:

> Thank you Rajini, your suggestion is really helpful.
>
>
> [2016-12-16 21:55:36,720] DEBUG Principal =
> User:CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown is
> Allowed Operation = Create from host = 172.28.89.63 on resource =
> Cluster:kafka-cluster (kafka.authorizer.logger)
>
> Finally I am getting the user as exactly what I set in my SSL-Cert (Not
> Anonymous).
>
> But I am getting another error, i.e.:
>
>
> [2016-12-16 13:55:36,449] WARN Error while fetching metadata with
> correlation id 45 : {my-ssl-topic=LEADER_NOT_AVAILABLE}
> (org.apache.kafka.clients.NetworkClient)
> [2016-12-16 13:55:36,609] WARN Error while fetching metadata with
> correlation id 46 : {my-ssl-topic=LEADER_NOT_AVAILABLE}
> (org.apache.kafka.clients.NetworkClient)
> [2016-12-16 13:55:36,766] WARN Error while fetching metadata with
> correlation id 47 : {my-ssl-topic=LEADER_NOT_AVAILABLE}
> (org.apache.kafka.clients.NetworkClient)
>
>
> I created the topic and my Kafka node is working without any issues (I
> restarted several times)
>
> [raghu@Kafka-238343-1-33109167 kafka_2.11-0.10.1.0]$ bin/kafka-topics.sh
> --describe --zookeeper localhost:2181 --topic my-ssl-topic
>
> Topic:my-ssl-topic PartitionCount:1 ReplicationFactor:1 Configs:
> Topic: my-ssl-topic Partition: 0 Leader: 0 Replicas: 0 Isr: 0
>
> Thanks in advance,
> Raghu
>
>
> On Fri, Dec 16, 2016 at 1:30 AM, Rajini Sivaram <rsiva...@pivotal.io>
> wrote:
>
> > You need to set ssl.client.auth="required" in server.properties.
> >
> > Regards,
> >
> > Rajini
> >
> > On Wed, Dec 14, 2016 at 12:12 AM, Raghu B <raghu98...@gmail.com> wrote:
> >
> > > Hi All,
> > >
> > > I am trying to enable ACLs in my Kafka cluster along with the SSL
> > > protocol.
> > >
> > > I tried each and every parameter but no luck, so I need help to
> > > enable SSL (without Kerberos); I am attaching all the configuration
> > > details here.
> > >
> > > Kindly Help me.
> > >
> > >
> > > I tested SSL without ACL, it worked fine
> > > (listeners=SSL://10.247.195.122:9093)
> > >
> > >
> > > This is my Kafka server properties file:
> > >
> > > ############################# ACL SETTINGS #############################
> > > auto.create.topics.enable=true
> > > authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
> > > security.inter.broker.protocol=SSL
> > > #allow.everyone.if.no.acl.found=true
> > > #principal.builder.class=CustomizedPrincipalBuilderClass
> > > #super.users=User:"CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown"
> > > #super.users=User:Raghu;User:Admin
> > > #offsets.storage=kafka
> > > #dual.commit.enabled=true
> > > listeners=SSL://10.247.195.122:9093
> > > #listeners=PLAINTEXT://10.247.195.122:9092
> > > #listeners=PLAINTEXT://10.247.195.122:9092,SSL://10.247.195.122:9093
> > > #advertised.listeners=PLAINTEXT://10.247.195.122:9092
> > >
> > > ssl.keystore.location=/home/raghu/kafka/security/server.keystore.jks
> > > ssl.keystore.password=123456
> > > ssl.key.password=123456
> > > ssl.truststore.location=/home/raghu/kafka/security/server.truststore.jks
> > > ssl.truststore.password=123456
> > >
> > >
> > >
> > > Set the ACL from Authorizer CLI:
> > >
> > > bin/kafka-acls.sh --authorizer-properties zookeeper.connect=10.247.195.122:2181 --list --topic ssltopic
> > >
> > > Current ACLs for resource `Topic:ssltopic`:
> > >   User:CN=writeuser, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown has Allow permission for operations: Write from hosts: *
> > >
> > >
> > > XXXWMXXX-7:kafka_2.11-0.10.1.0 rbaddam$ bin/kafka-console-producer.sh --broker-list 10.247.195.122:9093 --topic ssltopic --producer.config client-ssl.properties
> > >
> > >
> > > [2016-12-13 14:53:45,839] WARN Error while fetching metadata with correlation id 0 : {ssltopic=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
> > > [2016-12-13 14:53:45,984] WARN Error while fetching metadata with correlation id 1 : {ssltopic=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
> > >
> > >
> > > XXXWMXXX-7:kafka_2.11-0.10.1.0 rbaddam$ cat client-ssl.properties
> > >
> > > #group.id=sslgroup
> > > security.protocol=SSL
> > > ssl.truststore.location=/Users/rbaddam/Desktop/Dev/kafka_2.11-0.10.1.0/ssl/client.truststore.jks
> > > ssl.truststore.password=123456
> > > #Configure Below if you use Client Auth
> > > ssl.keystore.location=/Users/rbaddam/Desktop/Dev/kafka_2.11-0.10.1.0/ssl/client.keystore.jks
> > > ssl.keystore.password=123456
> > > ssl.key.password=123456
> > >
> > >
> > > XXXWMXXX-7:kafka_2.11-0.10.1.0 rbaddam$ bin/kafka-console-consumer.sh --bootstrap-server 10.247.195.122:9093 --new-consumer --consumer.config client-ssl.properties --topic ssltopic --from-beginning
> > >
> > > [2016-12-13 14:53:28,817] WARN Error while fetching metadata with correlation id 1 : {ssltopic=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
> > > [2016-12-13 14:53:28,819] ERROR Unknown error when running consumer: (kafka.tools.ConsoleConsumer$)
> > > org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to access group: console-consumer-52826
> > >
> > >
> > > Thanks in advance,
> > >
> > > Raghu - raghu98...@gmail.com
> > >
> >
>



-- 
Regards,

Rajini

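The thread turns on three authorization decisions: the producer's Write on the topic (allowed by the one ACL Raghu created), the console consumer's Read on its group (denied, giving the GroupAuthorizationException), and the inter-broker principal's ClusterAction on the cluster (denied when that principal is ANONYMOUS or the broker's certificate DN with no ACL, which is the cause Rajini suggests for LEADER_NOT_AVAILABLE). The following is an added example, not Kafka's code and not from anyone in the thread: a small model of the allow/deny rules SimpleAclAuthorizer applies (super.users always allowed; no ACL on the resource means allow.everyone.if.no.acl.found decides; otherwise Deny beats Allow, and an Allow on Read/Write/Delete/Alter implies Describe). The broker certificate subject `CN=kafka-broker`, the host strings and the ACL sets are constructed for the example; the writeuser DN, the group name and the client host are taken from the thread.

```python
"""Simplified model of Kafka's SimpleAclAuthorizer decision (added example;
not Kafka's own code).  Inputs below are constructed to mirror the thread."""
from dataclasses import dataclass

ANONYMOUS = "User:ANONYMOUS"          # principal of a PLAINTEXT connection
# An Allow ACL for any of these operations implicitly grants Describe.
IMPLIES_DESCRIBE = {"Read", "Write", "Delete", "Alter"}


@dataclass(frozen=True)
class Acl:
    principal: str    # "User:<name>", e.g. the full DN of a client certificate
    host: str         # "*" or a specific host
    operation: str    # Read, Write, Describe, ClusterAction, All, ...
    permission: str   # "Allow" or "Deny"


class Authorizer:
    """super.users are always allowed; a resource with no ACLs is governed by
    allow.everyone.if.no.acl.found; otherwise any matching Deny wins, else a
    matching Allow is required."""

    def __init__(self, acls, super_users=(), allow_everyone_if_no_acl=False):
        self.acls = {}                       # resource -> [Acl]
        for resource, acl in acls:
            self.acls.setdefault(resource, []).append(acl)
        self.super_users = set(super_users)
        self.allow_everyone_if_no_acl = allow_everyone_if_no_acl
        self.log = []                        # kafka.authorizer.logger-style lines

    @staticmethod
    def _match(acl, principal, host, operation, permission):
        if acl.permission != permission or acl.principal != principal:
            return False
        if acl.host not in ("*", host):
            return False
        if acl.operation in (operation, "All"):
            return True
        # Only Allow ACLs carry the implied-Describe rule.
        return (permission == "Allow" and operation == "Describe"
                and acl.operation in IMPLIES_DESCRIBE)

    def authorize(self, principal, host, operation, resource):
        acls = self.acls.get(resource, [])
        if principal in self.super_users:
            allowed = True
        elif not acls:
            allowed = self.allow_everyone_if_no_acl
        else:
            denied = any(self._match(a, principal, host, operation, "Deny") for a in acls)
            allowed = not denied and any(
                self._match(a, principal, host, operation, "Allow") for a in acls)
        self.log.append(
            f"Principal = {principal} is {'Allowed' if allowed else 'Denied'} "
            f"Operation = {operation} from host = {host} on resource = {resource}")
        return allowed


# Constructed inputs mirroring the thread.
WRITEUSER = "User:CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown"
BROKER = "User:CN=kafka-broker"     # hypothetical subject of the broker's SSL cert
CLIENT_HOST, BROKER_HOST = "172.28.89.63", "10.247.195.122"
GROUP = "Group:console-consumer-52826"
CLUSTER = "Cluster:kafka-cluster"


def thread_scenario():
    """Returns ({check: allowed?}, log) for the thread's setup before and after
    the suggested fix (broker principal in super.users, plus Read ACLs for the
    consumer's group and topic)."""
    acls = [("Topic:ssltopic", Acl(WRITEUSER, "*", "Write", "Allow"))]
    before = Authorizer(acls)
    r = {
        "producer_write": before.authorize(WRITEUSER, CLIENT_HOST, "Write", "Topic:ssltopic"),
        "producer_describe": before.authorize(WRITEUSER, CLIENT_HOST, "Describe", "Topic:ssltopic"),
        "consumer_group_read": before.authorize(WRITEUSER, CLIENT_HOST, "Read", GROUP),
        "consumer_topic_read": before.authorize(WRITEUSER, CLIENT_HOST, "Read", "Topic:ssltopic"),
        # PLAINTEXT inter-broker: the peer broker shows up as ANONYMOUS.
        "plaintext_broker": before.authorize(ANONYMOUS, BROKER_HOST, "ClusterAction", CLUSTER),
        # SSL inter-broker with ssl.client.auth=required: the cert DN, still no ACL.
        "ssl_broker": before.authorize(BROKER, BROKER_HOST, "ClusterAction", CLUSTER),
    }
    after = Authorizer(
        acls + [(GROUP, Acl(WRITEUSER, "*", "Read", "Allow")),
                ("Topic:ssltopic", Acl(WRITEUSER, "*", "Read", "Allow"))],
        super_users={BROKER})
    r["ssl_broker_as_superuser"] = after.authorize(BROKER, BROKER_HOST, "ClusterAction", CLUSTER)
    r["consumer_group_read_fixed"] = after.authorize(WRITEUSER, CLIENT_HOST, "Read", GROUP)
    r["consumer_topic_read_fixed"] = after.authorize(WRITEUSER, CLIENT_HOST, "Read", "Topic:ssltopic")
    return r, before.log + after.log


if __name__ == "__main__":
    results, log = thread_scenario()
    for line in log:
        print(line)
```

The log lines are formatted like the `kafka.authorizer.logger` DEBUG output quoted in the thread, so the model can be compared against a real broker's authorizer log. Note that putting the broker's own principal in super.users is what the reply recommends; the alternative of granting that principal ClusterAction on Cluster:kafka-cluster is narrower, and the model treats both as allowed.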