It seems to be conflicting when I try running the commands on the same box as where Kafka is running. I think it was inheriting Kafka's principal somehow and not the kafkaclient principal. When moving to another box all seems to work! An odd one. I'll see if I can reproduce and open a JIRA.

On 17 Feb. 2017 4:54 pm, "Manikumar" <manikumar.re...@gmail.com> wrote:

Please enable authorizer logs (config/log4j.properties) and check if operations are getting denied.
Also, enable producer debug logs (config/tools-log4j.properties) to check for any errors.

On Fri, Feb 17, 2017 at 10:34 AM, Stephane Maarek <steph...@simplemachines.com.au> wrote:

> Hi,
>
> I secured my cluster and everything was working fine. Brokers are up and
> don’t complain, my topics are all synchronized.
>
> Here’s my config (excerpt):
> listeners=
> PLAINTEXT://0.0.0.0:9092,SSL://0.0.0.0:9093,SASL_PLAINTEXT://0.0.0.0:9094
> ,SASL_SSL://0.0.0.0:9095
> super.users=User:kafka;User:ANONYMOUS
>
> I can publish and read messages from port 9092, but when trying on 9094 I
> get the following errors:
>
> /etc/kafka# KAFKA_OPTS="-Djava.security.krb5.conf=/etc/kafka/krb5.conf
> -Djava.security.auth.login.config=/etc/kafka/kafka_client_jaas.conf"
> kafka-console-producer --topic sasltest --broker-list localhost:9094
> --producer-property security.protocol=SASL_PLAINTEXT --producer-property
> sasl.mechanism=GSSAPI --producer-property sasl.kerberos.service.name=kafka
> hi
> [2017-02-17 04:41:47,275] ERROR Error when sending message to topic
> sasltest with key: null, value: 2 bytes with error:
> (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback)
> org.apache.kafka.common.errors.TimeoutException: Failed to update metadata
> after 60000 ms.
>
>
> I did permission my user using the following:
>
> root@ip-10-13-80-172:/#
> KAFKA_OPTS="-Djava.security.krb5.conf=/etc/kafka/krb5.conf
> -Djava.security.auth.login.config=/etc/kafka/kafka_server_jaas.conf"
> kafka-acls --add --allow-principal User:sa_sasltest_dev_1
> --authorizer-properties zookeeper.connect=zoo1:2181/kafka-xfs --producer
> --topic sasltest
> Adding ACLs for resource `Topic:sasltest`:
> User:sa_sasltest_dev_1 has Allow permission for operations: Write from
> hosts: *
> User:sa_sasltest_dev_1 has Allow permission for operations: Describe
> from hosts: *
>
> Adding ACLs for resource `Cluster:kafka-cluster`:
> User:sa_sasltest_dev_1 has Allow permission for operations: Create
> from hosts: *
>
> Current ACLs for resource `Topic:sasltest`:
> User:sa_sasltest_dev_1 has Allow permission for operations: Write from
> hosts: *
> User:sa_sasltest_dev_1 has Allow permission for operations: Describe
> from hosts: *
>
> root@ip-10-13-80-172:/#
> KAFKA_OPTS="-Djava.security.krb5.conf=/etc/kafka/krb5.conf
> -Djava.security.auth.login.config=/etc/kafka/kafka_server_jaas.conf"
> kafka-acls --add --allow-principal User:sa_sasltest_dev_1
> --authorizer-properties zookeeper.connect=zoo1:2181/kafka-xfs --consumer
> --topic sasltest --group sasltest-1
> Adding ACLs for resource `Topic:sasltest`:
> User:sa_sasltest_dev_1 has Allow permission for operations: Describe
> from hosts: *
> User:sa_sasltest_dev_1 has Allow permission for operations: Read from
> hosts: *
>
> Adding ACLs for resource `Group:sasltest-1`:
> User:sa_sasltest_dev_1 has Allow permission for operations: Read from
> hosts: *
>
> Current ACLs for resource `Topic:sasltest`:
> User:sa_sasltest_dev_1 has Allow permission for operations: Write from
> hosts: *
> User:sa_sasltest_dev_1 has Allow permission for operations: Describe
> from hosts: *
> User:sa_sasltest_dev_1 has Allow permission for operations: Read from
> hosts: *
>
> Current ACLs for resource `Group:sasltest-1`:
> User:sa_sasltest_dev_1 has Allow permission for operations: Read from
> hosts: *
>
>
> *Am I missing some permissions? Do you have any idea what could be wrong?*
>
> Thanks for the help you’ve given me so far!
> Stephane
>