My version of Kafka is 0.9.0.1 and I have two brokers, 192.168.1.100 and 192.168.1.101, which are using SSL to authenticate and encrypt.
I had a topic named test09 and the client IP is 192.168.1.102.
When I add an ACL with the command line interface like this:
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --deny-principal User:* --deny-host 192.168.1.102 --operation Read --topic test09
the consumer from 192.168.1.102 can still get data.
Can someone tell me how to use ACLs in Kafka?
Currently, ACLs are stored on ZK under path /kafka-acl/<resource-type>/<resource-name>. For example: ACLs for topic 'topicName' will be stored under '/kafka-acl/Topic/topicName'. ACLs for consumer group 'group:Id' will be stored under '/kafka-acl/Group/group:Id'.
Access Control Lists (ACLs) provide important authorization controls for your enterprise's Apache Kafka® cluster data.
You can use the --remove flag of the kafka-acl tool, which removes all the ACLs applied to the topic. Simply loop the command through all the topics.
You can use kafka-acls --bootstrap-server kafka:9092 --remove --topic *.
Kafka uses SASL to perform authentication. It currently supports many mechanisms, including PLAIN, SCRAM, OAUTH and GSSAPI, and it allows administrators to plug in custom implementations. Authentication can be enabled between brokers, between clients and brokers, and between brokers and ZooKeeper.
I believe you have missed adding the property below in server.properties:
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
Adding this line enables the ACLs to work via SimpleAclAuthorizer. Kafka by default comes with kafka.security.auth.SimpleAclAuthorizer, defined by the parameter authorizer.class.name.
You can try the setup below, which might give a complete idea.
https://github.com/Symantec/kafka-security-0.9
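For reference, here is the authentication and authorization section of a broker server.properties that would make the deny rule from the question take effect on a Kafka 0.9 cluster; this is an added example, not the answerer's configuration or the linked repository's. The keystore paths, passwords and the certificate DNs listed in super.users are placeholders.

```properties
# Listen on SSL only. With ssl.client.auth=required each client must present a
# certificate, and its DN becomes the principal the ACLs are matched against;
# without it clients are authenticated as ANONYMOUS.
listeners=SSL://192.168.1.100:9093
security.inter.broker.protocol=SSL
ssl.client.auth=required
# Placeholder keystore/truststore paths and passwords.
ssl.keystore.location=/path/to/kafka.server.keystore.jks
ssl.keystore.password=CHANGE_ME
ssl.key.password=CHANGE_ME
ssl.truststore.location=/path/to/kafka.server.truststore.jks
ssl.truststore.password=CHANGE_ME

# The property missing in the question. Without an authorizer, kafka-acls.sh
# still writes rules to ZooKeeper, but no broker ever consults them, which is
# why the consumer on 192.168.1.102 kept receiving data.
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer

# With an authorizer configured, a resource that has no ACL is denied unless
# this is true. The default (false) is the fail-closed choice; leave it.
allow.everyone.if.no.acl.found=false

# Brokers need ClusterAction on the cluster to replicate. The simplest way is
# to list each broker certificate's DN as a super user (placeholder DNs; the
# exact string must match the subject of the broker's certificate).
super.users=User:CN=kafka-broker-100,OU=Kafka,O=Example,C=US;User:CN=kafka-broker-101,OU=Kafka,O=Example,C=US
```

After restarting the brokers, bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --list --topic test09 shows the stored deny rule, and it is now enforced on every read of test09.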