SystemCraftsman / strimzi-kafka-cli

Command Line Interface for the Strimzi Kafka Operator
Apache License 2.0
78 stars, 13 forks

Simple Authorization Issues #97

Closed rh-dford closed 2 years ago

rh-dford commented 2 years ago

I am using the tutorials and following the TLS Auth using CLI and Simple ACL Authorization using CLI.
CLI Version: 0.1.0a59
Strimzi Version: 0.25.0
Kubectl Version: v1.22.0

I set up the cluster with CLI: kfk clusters --create --cluster my-cluster -n kafka
I set up the topic: kfk topics --create --topic my-topic --partitions 12 --replication-factor 3 -n kafka -c my-cluster
I run console consumer and producer and messages work.

I then alter to add the authorization: kfk clusters --alter --cluster my-cluster -n kafka
image

I then run the console producer and get the failed authentication error.

I create a user, my-user: kfk users --create --user my-user --authentication-type tls -n kafka -c my-cluster

Then I run the get_keys.sh script to create the two files trustore.jks and user.p12. I create the client config file:
image

I then run the producer and consumer including client.properties file: kfk console-producer --topic my-topic -n kafka -c my-cluster --producer.config client.properties

Messages flow fine.

I then alter the kafka cluster to include authorization type: simple

I then try to run the producer and get the expected errors

I then alter the user: kfk users --alter --user my-user --authorization-type simple --add-acl --resource-type topic --resource-name my-topic -n kafka -c my-cluster

I get the following warning:

Warning: resource kafkausers/my-user is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.

Looking at the user via kfk users --describe --user my-user -n kafka -c my-cluster -o yaml

image

I can see the ACL included.

I then start the producer: kfk console-producer --topic my-topic -n kafka -c my-cluster --producer.config client.properties and when I send a message on the CLI:
image

When I look at the logs in the kafka cluster pod I see:

INFO Principal = User:ANONYMOUS is Denied Operation = Describe from host = 10.129.2.39 on resource = Topic:LITERAL:my-topic for request = Metadata with resourceRefCount = 1 (kafka.authorizer.logger) [data-plane-kafka-request-handler-7]

So why do my console producer and consumer get authorized, but in the authorization the user is ANONYMOUS?
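The authorizer log line quoted above and the client.properties step can both be checked mechanically. The script below is an added example for this thread, not code from the issue or from strimzi-kafka-cli: it parses kafka.authorizer.logger lines into fields, lists Denied decisions for User:ANONYMOUS (connections the broker never mapped to a named principal, so no KafkaUser ACL can match them), and checks a client.properties file for the keystore settings a client needs in order to present a TLS certificate at all. The first log line is the one from the issue; the second log line, the property-file contents, the file names and the password values are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches the kafka.authorizer.logger format quoted in the issue.
AUTHZ_RE = re.compile(
    r"Principal = (?P<principal>\S+) is (?P<decision>Allowed|Denied) "
    r"Operation = (?P<operation>\S+) from host = (?P<host>\S+) "
    r"on resource = (?P<rtype>[A-Za-z]+):(?P<ptype>[A-Z_]+):(?P<rname>\S+) "
    r"for request = (?P<request>\S+)"
)


@dataclass
class AuthzEvent:
    principal: str
    decision: str
    operation: str
    host: str
    resource: str  # e.g. "Topic:LITERAL:my-topic"
    request: str


def parse_authz_line(line: str) -> Optional[AuthzEvent]:
    """Parse one authorizer log line; return None for lines in another format."""
    m = AUTHZ_RE.search(line)
    if not m:
        return None
    return AuthzEvent(
        principal=m["principal"], decision=m["decision"], operation=m["operation"],
        host=m["host"], resource=f"{m['rtype']}:{m['ptype']}:{m['rname']}",
        request=m["request"],
    )


def anonymous_denials(lines: List[str]) -> List[AuthzEvent]:
    """Denied decisions for User:ANONYMOUS. The connection carried no credential
    the listener could map to a principal, so an ACL on a named user never applies."""
    events = (parse_authz_line(line) for line in lines)
    return [e for e in events if e and e.decision == "Denied" and e.principal == "User:ANONYMOUS"]


# Keys a Kafka client needs to present a TLS client certificate (real Kafka
# client configuration keys). Truststore-only configs authenticate the broker
# but send no client certificate, so the broker cannot name the client.
MTLS_KEYS = ("security.protocol", "ssl.truststore.location",
             "ssl.keystore.location", "ssl.keystore.password")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def mtls_config_problems(text: str) -> List[str]:
    """Return reasons why this client.properties would not authenticate with a certificate."""
    props = parse_properties(text)
    problems = [f"missing {key}" for key in MTLS_KEYS if key not in props]
    proto = props.get("security.protocol", "")
    if proto and proto not in ("SSL", "SASL_SSL"):
        problems.append(f"security.protocol={proto} does not use TLS")
    return problems


SAMPLE_LOG = [
    # Quoted from the issue.
    "INFO Principal = User:ANONYMOUS is Denied Operation = Describe from host = 10.129.2.39 "
    "on resource = Topic:LITERAL:my-topic for request = Metadata with resourceRefCount = 1 "
    "(kafka.authorizer.logger) [data-plane-kafka-request-handler-7]",
    # Constructed: what an authenticated TLS user with a matching ACL logs.
    "INFO Principal = User:CN=my-user is Allowed Operation = Write from host = 10.129.2.40 "
    "on resource = Topic:LITERAL:my-topic for request = Produce with resourceRefCount = 1 "
    "(kafka.authorizer.logger) [data-plane-kafka-request-handler-2]",
    "INFO [KafkaServer id=0] started (kafka.server.KafkaServer)",  # constructed, unrelated
]

# Constructed: truststore only, so the client never presents user.p12.
TRUSTSTORE_ONLY = "security.protocol=SSL\nssl.truststore.location=truststore.jks\nssl.truststore.password=changeit\n"
# Constructed: mutual TLS using the user.p12 that get_keys.sh produces (password value assumed).
MTLS_CLIENT = TRUSTSTORE_ONLY + "ssl.keystore.location=user.p12\nssl.keystore.password=changeit\nssl.keystore.type=PKCS12\n"

if __name__ == "__main__":
    for e in anonymous_denials(SAMPLE_LOG):
        print(f"unauthenticated client at {e.host} denied {e.operation} on {e.resource} ({e.request})")
    print("truststore-only problems:", mtls_config_problems(TRUSTSTORE_ONLY))
    print("mTLS problems:", mtls_config_problems(MTLS_CLIENT))
```

Run it against the broker log (kubectl logs on the Kafka pod) and the client.properties in use: a non-empty list from anonymous_denials together with problems reported for the config points at the client side, while anonymous denials with a clean mTLS config point at the listener the client is actually reaching.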

rh-dford commented 2 years ago

Not sure if this matters, but looking at the services created there is a port 9091 but I don't have a listener defined for it.
image

rh-dford commented 2 years ago

Today I spun up a new OpenShift cluster in OpenTLC and ran through the AuthN and AuthZ demos and had the same experience.

mabulgu commented 2 years ago

Today I spun up a new OpenShift cluster in OpenTLC and ran through the AuthN and AuthZ demos and had the same experience.

Thanks Dave. Are those the same versions of AMQ Streams, btw? What are the exact versions for both clusters?

rh-dford commented 2 years ago

The client's version is 1.8.2 of AMQ Streams. I already shut down the OpenTLC one so I didn't see the exact version, but I think it was 1.8.4. Do you want me to spin up another cluster to get the version? If you wanted to test it out, you could spin up an OpenTLC or RHPDS cluster.

mabulgu commented 2 years ago

I guess this had been an issue with the relevant version. I tried it out and saw no issues. Sorry for the latency in the response; I am the only contributor for now, so 🤷‍♂️