SystemCraftsman / strimzi-kafka-cli

Command Line Interface for the Strimzi Kafka Operator
Apache License 2.0

Error while adding ACLs for users not managed by UserOperator #91

Closed arpan57 closed 2 years ago

arpan57 commented 3 years ago

I have configured Strimzi with an external CA. I have created an SSL certificate for my-user and got it signed by the CA. I could create the keystore and could authenticate with it while using the console producer and consumer by passing the client.properties (keystore/truststore, etc.). Since the users are managed externally (= the clients' certificates are managed externally), I have removed the UserOperator. I have also removed the TopicOperator from the cluster YAML definition. Now, I want to achieve three things:

1. I want to enable my-user to access my-topic (Read/Write).
2. I want to grant only my-user the power to create topics on the cluster.
3. I want to grant only my-user the power to modify ACLs in future.

How do I go about them?

I tried giving permission to my-user to read/write my-topic with Strimzi CLI, but I get an error:

```
$ kfk acls --add --allow-principal User:CN=my-user,O=KafkaSecurity,L=Prague,C=CZ --operation WRITE --topic my-topic -c my-cluster -n kafka
Error from server (NotFound): kafkausers.kafka.strimzi.io "CN=my-user,O=KafkaSecurity,L=Prague,C=CZ" not found
```

```
$ keytool -list -keystore ./user.p12 -v
Alias name: my-user
Creation date: 01-Aug-2021
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=my-user, O=KafkaSecurity, L=Prague, C=CZ
Issuer: CN=IntermediateCA, O=KafkaSecurity, L=Prague, C=CZ
```

Not sure what am I missing here.
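The error above shows the CLI turning the `--allow-principal` value into a KafkaUser resource name, which cannot exist when certificates are issued outside the User Operator. Whatever path is used to install the ACLs instead, the broker evaluates them the same way, and the principal string must equal the Kafka-side name derived from the certificate subject (RFC 2253 form, with no spaces after the commas, which differs from what keytool prints). The following is an added example, not code from strimzi-kafka-cli or from the issue author: a small model of Kafka's ACL evaluation rules (deny overrides allow, `User:*` wildcard, LITERAL and PREFIXED patterns, implied Describe) applied to the three grants requested in the issue. The `principal_from_dn` normaliser is a constructed simplification that assumes no escaped commas in attribute values; the resource/operation choices for "create topics" (Create on the Cluster resource) and "modify ACLs" (Alter on the Cluster resource) follow Kafka's standard authorizer mapping.

```python
"""
Toy model of how a Kafka broker evaluates ACLs for a TLS-authenticated client
(AclAuthorizer semantics). Constructed example; not part of strimzi-kafka-cli.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Acl:
    principal: str      # "User:<name>" or the wildcard "User:*"
    resource_type: str  # "Topic", "Group" or "Cluster"
    resource_name: str  # literal name, "*" for any, "kafka-cluster" for Cluster
    pattern_type: str   # "LITERAL" or "PREFIXED"
    operation: str      # "Read", "Write", "Create", "Alter", "Describe", "All", ...
    permission: str     # "Allow" or "Deny"


# Operations that implicitly grant another one (Kafka: Read/Write/Delete/Alter
# imply Describe; AlterConfigs implies DescribeConfigs).
IMPLIED_BY: Dict[str, set] = {
    "Describe": {"Read", "Write", "Delete", "Alter"},
    "DescribeConfigs": {"AlterConfigs"},
}


def principal_from_dn(dn: str) -> str:
    """Build the Kafka principal string from a certificate subject DN.

    Kafka takes the subject via X500Principal.getName(), which is RFC 2253
    form: no spaces after the commas. keytool prints "CN=a, O=b" with spaces,
    so the displayed form must not be copied into ACLs verbatim. This
    simplified normaliser (assumption) only strips whitespace around commas;
    escaped commas inside an attribute value are not handled.
    """
    return "User:" + ",".join(part.strip() for part in dn.split(","))


def _principal_matches(acl: Acl, principal: str) -> bool:
    return acl.principal == principal or acl.principal == "User:*"


def _resource_matches(acl: Acl, resource_type: str, resource_name: str) -> bool:
    if acl.resource_type != resource_type:
        return False
    if acl.pattern_type == "PREFIXED":
        return resource_name.startswith(acl.resource_name)
    return acl.resource_name in ("*", resource_name)


def _operation_matches(acl: Acl, operation: str) -> bool:
    if acl.operation in ("All", operation):
        return True
    return acl.operation in IMPLIED_BY.get(operation, set())


def authorize(acls: List[Acl], principal: str, operation: str,
              resource_type: str, resource_name: str) -> bool:
    """Kafka's rule: a matching Deny always wins; otherwise some matching Allow
    is required; with no matching ACL at all the request is denied
    (allow.everyone.if.no.acl.found assumed false)."""
    matching = [a for a in acls
                if _principal_matches(a, principal)
                and _resource_matches(a, resource_type, resource_name)
                and _operation_matches(a, operation)]
    if any(a.permission == "Deny" for a in matching):
        return False
    return any(a.permission == "Allow" for a in matching)


# The subject from the keytool output in the issue, in keytool's spaced form.
MY_USER = principal_from_dn("CN=my-user, O=KafkaSecurity, L=Prague, C=CZ")

# The three grants the issue asks for, expressed as broker-level ACL entries.
# Creating topics needs Create on the Cluster resource (or Create on Topic);
# altering ACLs needs Alter on the Cluster resource.
ACLS = [
    Acl(MY_USER, "Topic", "my-topic", "LITERAL", "Read", "Allow"),
    Acl(MY_USER, "Topic", "my-topic", "LITERAL", "Write", "Allow"),
    Acl(MY_USER, "Cluster", "kafka-cluster", "LITERAL", "Create", "Allow"),
    Acl(MY_USER, "Cluster", "kafka-cluster", "LITERAL", "Alter", "Allow"),
]


def access_report(principal: str) -> Dict[str, bool]:
    """Summarise what a given principal may do under ACLS."""
    return {
        "write my-topic": authorize(ACLS, principal, "Write", "Topic", "my-topic"),
        "read my-topic": authorize(ACLS, principal, "Read", "Topic", "my-topic"),
        "describe my-topic": authorize(ACLS, principal, "Describe", "Topic", "my-topic"),
        "write other-topic": authorize(ACLS, principal, "Write", "Topic", "other-topic"),
        "create topics": authorize(ACLS, principal, "Create", "Cluster", "kafka-cluster"),
        "alter acls": authorize(ACLS, principal, "Alter", "Cluster", "kafka-cluster"),
    }


if __name__ == "__main__":
    # The third principal is the keytool display form with spaces: no ACL matches it.
    for who in (MY_USER, "User:CN=other,O=KafkaSecurity,L=Prague,C=CZ",
                "User:CN=my-user, O=KafkaSecurity, L=Prague, C=CZ"):
        print(who, access_report(who))
```

Running the module prints one report per principal; the spaced keytool form gets no access at all, which is the usual reason an ACL that "looks right" in a listing still yields authorization failures for an externally issued certificate.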

mabulgu commented 2 years ago

Hi @arpan57,

Strimzi CLI only deals with internal users, and so should Strimzi itself. I am not sure if you can use external users with Strimzi. You can open a new issue for the question here: https://github.com/strimzi/strimzi-kafka-operator/issues

Feel free to close this issue if my answer satisfies you.

mabulgu commented 2 years ago

@arpan57 I am closing this since I did not hear from you for some time. Feel free to open another issue for this if you still feel it is not resolved. Thanks.