Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Topic creation and deletion are not protected after enabling Kerberos in Kafka

Labels:
avatar
author-rank iamabug
Contributor

Created on ‎08-22-2019 11:30 PM - last edited on ‎08-23-2019 09:10 AM by Community Manager Community Manager

I have enabled Kerberos authentication for Kafka as the documentation suggests and indeed producing to topics and consuming from topics requires authentication. Surprisingly, topic creation and deletion do not require authentication. Could somebody tell me whether this goes wrong ? Really appreciate it.

 

CDH version: 5.15.1

CDK version: 4.1.0

test command:

 

 

kafka-topics --create --zookeeper <zookeeper-host>:2181 --replication-factor 2 --partitions 3 --topic test2
kafka-topics --delete --zookeeper <zookeeper-host>:2181 --topic test2

 

 

 

3,248 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank w@leed author-rank
Rising Star

Created ‎08-23-2019 06:45 AM

Hi @iamabug 

It's a known limitation in Kafka where the kafka-topics tool communicates directly with Zookeeper. When you create a topic, all the tool does is connect to Zookeeper, creates a znode representing this topic and then sets some data as a JSON string (the metadata for the topic).

There has been work to develop Java admin clients which made some progress:
https://cwiki.apache.org/confluence/display/KAFKA/KIP-117%3A+Add+a+public+AdminClient+API+for+Kafka+...

However, all that's left is to have command line tools that leverage those Java APIs and that's a work in progress:
https://cwiki.apache.org/confluence/display/KAFKA/KIP-4+-+Command+line+and+centralized+administrativ...


View solution in original post

3,226 Views
0 Kudos
8 REPLIES 8

avatar
author-rank w@leed author-rank
Rising Star

Created ‎08-23-2019 06:45 AM

Hi @iamabug 

It's a known limitation in Kafka where the kafka-topics tool communicates directly with Zookeeper. When you create a topic, all the tool does is connect to Zookeeper, creates a znode representing this topic and then sets some data as a JSON string (the metadata for the topic).

There has been work to develop Java admin clients which made some progress:
https://cwiki.apache.org/confluence/display/KAFKA/KIP-117%3A+Add+a+public+AdminClient+API+for+Kafka+...

However, all that's left is to have command line tools that leverage those Java APIs and that's a work in progress:
https://cwiki.apache.org/confluence/display/KAFKA/KIP-4+-+Command+line+and+centralized+administrativ...


3,227 Views
0 Kudos

avatar
author-rank Shelton
Master Mentor

Created ‎08-25-2019 11:59 AM

@iamabug 

There is a lot more than just kerberizing the cluster and you are good to go. Have you enabled SSL also? Can you share a tokenized version of the below files? Basically, the ACL in zk is the key to who can do what and usually the Kafka admin is the only one allowed!

 

  • server.properties [listeners, advertised.listeners,authorizer.class.name,sasl.enabled.mechanism and super.users]
  • Kafka_server_jaas.conf
  • Kafka_client_jaas.conf
  • kafka_client_kerberos.properties

Hope that helps

3,205 Views
0 Kudos

avatar
author-rank iamabug
Contributor

Created ‎08-26-2019 12:50 AM

Thanks for your answer. I now believe that ACL in Zookeeper may be the solution here.

3,193 Views
0 Kudos

avatar
author-rank Shelton
Master Mentor

Created ‎08-26-2019 05:03 AM

@iamabug 

Are you now comfortable proceeding? If you need some help don't hesitate to ask.

3,185 Views
0 Kudos

avatar
author-rank iamabug
Contributor

Created ‎08-26-2019 05:07 AM

It's really nice of you. I would definitely ask for your help when something tricky comes up. Thank you very much.

3,183 Views
0 Kudos

avatar
author-rank WilsonLozano
Explorer

Created ‎02-19-2020 12:11 PM

@Shelton I have the same problem but with cloudera, do you know what procedure I should follow to configure the zookeeper ACL but with kafka and sentry? Thank you

2,984 Views
0 Kudos

avatar
ask_bill_brooks author-rank
Moderator

Created ‎02-19-2020 04:44 PM

@WilsonLozano,

 

As this thread is older and was marked 'Solved back in August of 2019 you would have a better chance of receiving a resolution by starting a new thread. This will also provide the opportunity to provide details specific to your environment, version of CDH, etc. that could aid others in providing a more accurate answer to your question. 

 

 

Bill Brooks, Community Moderator
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
2,954 Views

avatar
author-rank iamabug
Contributor

Created ‎08-26-2019 12:46 AM

Thanks.

3,196 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements