Hi,

Did you set

  authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer

as described here at
http://docs.confluent.io/current/kafka/authorization.html#further-configuration

HTH,

Tom

On 11 June 2017 at 04:40, linbo liao <llbg...@gmail.com> wrote:

> Hi,
>
> I tried to set a Kafka ACL for topic access permission, following the Kafka
> security documentation <http://kafka.apache.org/documentation/#security_authz>,
> but it looks like the Deny ACL doesn't work.
>
> *My Environment:*
>
> VM: Ubuntu 12.04 LTS x86_64
> JAVA: openjdk version "1.8.0_111"
> Kafka: kafka_2.12-0.10.2.1
>
> I set up one broker, and use kafka-console-consumer.sh and
> kafka-console-producer.sh to test.
>
> *Broker setup:*
>
> The broker startup script already adds the JAAS parameter.
>
> > $ cat kafka_server_jaas.conf
> > KafkaServer {
> >     org.apache.kafka.common.security.plain.PlainLoginModule required
> >     username="admin"
> >     password="admin"
> >     user_admin="admin"
> >     user_alice="alice";
> > };
>
> config/server.properties
>
> > listeners=SASL_PLAINTEXT://0.0.0.0:9092
> > security.inter.broker.protocol=SASL_PLAINTEXT
> > sasl.mechanism.inter.broker.protocol=PLAIN
> > sasl.enabled.mechanisms=PLAIN
>
> *Client setup:*
>
> The producer/consumer startup script already adds the JAAS parameter.
>
> > $ cat client_jaas.conf
> > KafkaClient {
> >     org.apache.kafka.common.security.plain.PlainLoginModule required
> >     username="alice"
> >     password="alice";
> > };
>
> config/consumer.properties & config/producer.properties
>
> > security.protocol=SASL_PLAINTEXT
> > sasl.mechanism=PLAIN
>
> 1. create topic
>
> > $ bin/kafka-topics.sh --create --zookeeper localhost:2181 --replication-factor 1 --partitions 1 --topic test
>
> 2. setup topic acl
>
> > $ bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --list --topic test
> > Current ACLs for resource `Topic:test`:
> >     User:alice has Allow permission for operations: Write from hosts: 127.0.0.1
> >     User:alice has Deny permission for operations: Read from hosts: *
>
> Although I deny Read permission for user alice from all hosts, when I start
> the consumer it can still receive the message.
>
> produce a message "test"
>
> > $ bin/kafka-console-producer.sh --broker-list localhost:9092 --producer.config config/producer.properties --topic test
> > test
>
> consumer receives this message
>
> > $ bin/kafka-console-consumer.sh --bootstrap-server localhost:9092 --topic test --consumer.config config/consumer.properties --from-beginning
> > [2017-06-11 03:37:55,998] WARN The configuration 'zookeeper.connect' was
> > supplied but isn't a known config.
> > (org.apache.kafka.clients.consumer.ConsumerConfig)
> > [2017-06-11 03:37:55,999] WARN The configuration
> > 'zookeeper.connection.timeout.ms' was supplied but isn't a known config.
> > (org.apache.kafka.clients.consumer.ConsumerConfig)
> > test
>
> Why doesn't the deny Read operation work? Did I miss something?
>
> Thanks,
> Linbo
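The point of Tom's reply is that kafka-acls.sh only writes ACLs into ZooKeeper; a broker never reads them unless server.properties names an authorizer. The following is an added illustration, written for this page and not code from the thread or from Kafka itself: a small Python model of the documented SimpleAclAuthorizer decision (deny beats allow, super.users bypass, allow.everyone.if.no.acl.found for resources without ACLs, Read/Write/Delete/Alter implying Describe), run against the ACLs Linbo listed for Topic:test. The "as posted" server.properties fragment is reconstructed from the thread; the "fixed" fragment adds the authorizer line Tom points to plus `super.users=User:admin`, which is an assumption on my part so that the broker's own PLAIN principal keeps working once ACLs are enforced.

```python
"""Model of how kafka.security.auth.SimpleAclAuthorizer decides a request.

Added illustration for the thread above; not Kafka's source code. It follows the
rules documented for the authorizer:

  1. If server.properties has no authorizer.class.name, the broker never consults
     the ACLs stored in ZooKeeper: every request is allowed (the situation in the post).
  2. Principals in super.users are always allowed.
  3. A matching Deny ACL wins over any Allow ACL.
  4. Otherwise a matching Allow ACL is required. Operation "All" matches any
     operation; Allow on Read, Write, Delete or Alter also implies Describe.
  5. If the resource has no ACLs at all, the outcome is allow.everyone.if.no.acl.found
     (default false).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Acl:
    principal: str   # "User:alice" or the wildcard "User:*"
    host: str        # IP literal or "*"
    operation: str   # "Read", "Write", "Describe", ... or "All"
    permission: str  # "Allow" or "Deny"


# server.properties as posted (constructed from the thread; no authorizer line).
BROKER_AS_POSTED = """
listeners=SASL_PLAINTEXT://0.0.0.0:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
"""

# The same file with the line Tom's reply calls for, plus an assumed super.users
# entry so the broker's own User:admin principal is not locked out by the ACLs.
BROKER_FIXED = BROKER_AS_POSTED + """
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:admin
"""

# ACLs for Topic:test exactly as kafka-acls.sh --list printed them in the post.
TOPIC_TEST_ACLS = [
    Acl("User:alice", "127.0.0.1", "Write", "Allow"),
    Acl("User:alice", "*", "Read", "Deny"),
]


def parse_server_properties(text: str) -> dict:
    """Minimal key=value parser for a server.properties fragment."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _matches(acl, principal, host, operation, permission):
    """One ACL entry matches if principal, host and operation all match (or are wildcards)."""
    return (acl.permission == permission
            and acl.principal in (principal, "User:*")
            and acl.host in (host, "*")
            and acl.operation in (operation, "All"))


def authorize(props: dict, acls: list, principal: str, host: str, operation: str):
    """Return (allowed, reason) for one request against one resource's ACLs."""
    if not props.get("authorizer.class.name"):
        return True, "no authorizer.class.name: ACLs are never consulted"
    super_users = {s.strip() for s in props.get("super.users", "").split(";") if s.strip()}
    if principal in super_users:
        return True, "super user"
    if any(_matches(a, principal, host, operation, "Deny") for a in acls):
        return False, "matching Deny ACL"
    allow_ops = {operation}
    if operation == "Describe":
        allow_ops |= {"Read", "Write", "Delete", "Alter"}
    if any(_matches(a, principal, host, op, "Allow") for a in acls for op in allow_ops):
        return True, "matching Allow ACL"
    if not acls:
        if props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
            return True, "no ACLs on resource and allow.everyone.if.no.acl.found=true"
        return False, "no ACLs on resource (allow.everyone.if.no.acl.found=false)"
    return False, "ACLs exist but none allow this operation"


if __name__ == "__main__":
    for label, cfg in (("as posted", BROKER_AS_POSTED), ("with authorizer", BROKER_FIXED)):
        props = parse_server_properties(cfg)
        for op, host in (("Read", "127.0.0.1"), ("Write", "127.0.0.1"), ("Write", "10.0.0.5")):
            ok, why = authorize(props, TOPIC_TEST_ACLS, "User:alice", host, op)
            print(f"{label:16} alice {op:5} from {host:9}: {'ALLOW' if ok else 'DENY':5} ({why})")
```

Two things worth checking after adding the authorizer line and restarting the broker. First, `kafka-acls.sh --list` looks identical before and after, because it talks to ZooKeeper, not to the broker; the only evidence that ACLs are enforced is the broker's behaviour (and its kafka-authorizer.log). Second, the console consumer does more than Read on the topic: it also needs Read on its consumer Group and Describe on the topic, so with the authorizer enabled alice would be refused even without the Deny entry, since the only Allow listed is Write from 127.0.0.1. The model above returns "no ACLs on resource" for a group that has no ACLs, which is the default `allow.everyone.if.no.acl.found=false` outcome.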