Uploaded image for project: 'Kafka'
  1. Kafka
  2. KAFKA-6972

Kafka ACL does not work expected with wildcard

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Information Provided
    • Affects Version/s: 0.11.0.0
    • Fix Version/s: None
    • Component/s: security
    • Labels:
      None
    • Environment:
      OS : CentOS 7, 64bit.
      Confluent : 3.3, Kafka 0.11.

      Description

      Just started with Confluent 3.3 platform and Kafka 0.11 having SSL as transportation security and Kerberos to restrict the access control based on the holding principals. In order to make life easier, wildcard is extensively used in my environment. But it turned out that is not working as expected. 

      My issue is that when I run the command kafka-acls under one directory with some files, this command would pick up the name of first file as the topic name or group name. e.g. In my case, abcd.txt would be chosen while giving my principal connect-consumer the permissions of consuming message from any topic with any group Id.

      [quality@data-pipeline-1 test_dir]$ KAFKA_OPTS=-Djava.security.auth.login.config='/etc/security/jaas/broker-jaas.conf' kafka-acls --authorizer-properties zookeeper.connect=data-pipeline-1.orion.com:2181 --add --allow-principal User:connect-consumer --consumer --topic * --group *
      Adding ACLs for resource `Topic:abcd.txt`:
      User:connect-consumer has Allow permission for operations: Describe from hosts: *
      User:connect-consumer has Allow permission for operations: Read from hosts: *

      Adding ACLs for resource `Group:abcd.txt`:
      User:connect-consumer has Allow permission for operations: Read from hosts: *

      Current ACLs for resource `Topic:abcd.txt`:
      User:connect-consumer has Allow permission for operations: Describe from hosts: *
      User:connect-consumer has Allow permission for operations: Read from hosts: *
      User:connect-consumer has Allow permission for operations: Write from hosts: *

      Current ACLs for resource `Group:abcd.txt`:
      User:connect-consumer has Allow permission for operations: Read from hosts: *

       

      My current work around solution is changing command context to an empty directory and run above command, it works as expected. 

       

        Attachments

          Activity

            People

            • Assignee:
              sliebau Sönke Liebau
              Reporter:
              Soyee Soyee Deng
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: