bitnami / charts

Bitnami Helm Charts
https://bitnami.com

[bitnami/kafka] ACL rules #20974

Closed ozahavi closed 9 months ago

ozahavi commented 11 months ago

Name and Version

bitnami/kafka 26.3.1

What architecture are you using?

None

What steps will reproduce the bug?

I have configured my Kafka cluster with two topics and two users, but I cannot understand from the docs where I should configure the actual ACL and assign each user permissions to a topic (ACL rules).

Are you using any custom parameters or values?

(
      {
        service = {
          headless = {
            publishNotReadyAddresses = true
          }
        }

        extraConfig = [
          {
            authorizerClassName="kafka.security.auth.SimpleAclAuthorizer"
          }
        ]

        kraft = {
          enabled = true
        }

        provisioning = {
          enabled           = true
          numPartitions     = 2
          replicationFactor = 3
          topics            = ["topic1","topic2"]
        }

        controller = {
          replicaCount = 2
        }

        broker = {
          replicaCount = 2
        }

        sasl = {
          client = {
            users     = ["user1", "user2"]
            passwords = ["pass1", "pass2"]
          }
        }
    })
javsalgar commented 11 months ago

Hi,

Did you try the provisioning.extraProvisioningCommands value? There you could configure extra settings for the topic

ozahavi commented 11 months ago

Hi,

Did you try the provisioning.extraProvisioningCommands value? There you could configure extra settings for the topic

Nope, I was thinking of configuring it via extraConfig similar to the way I configured authorizerClassName. The question is, what are the needed keys and the structure that need to be added in?

javsalgar commented 11 months ago

Hi,

It seems that this question is more related to the usage of Kafka itself rather than the Bitnami packaging of the application. Did you check the Kafka documentation or their support page?

ozahavi commented 10 months ago

I finally found an example for setting ACLs on values.yaml - https://github.com/bitnami/charts/blob/main/bitnami/kafka/values.yaml#L2110C1-L2124.

It seems to work, but I am now running into a different issue with the authorizer. From the provisioner job logs - Error while executing ACL command: org.apache.kafka.common.errors.SecurityDisabledException: No Authorizer is configured.

I am configuring the authorizer according to - https://github.com/bitnami/charts/blob/main/bitnami/kafka/README.md?plain=1#L1125-L1152, like this

        extraConfig = {
            authorizerClassName = "kafka.security.auth.StandardAuthorizer"
        }

When looking at the server.properties file, the authorizer row looks odd, as its structure is different from all the other configuration entries.

authorizerClassName: kafka.security.auth.StandardAuthorizer

Any idea what might I be doing wrong?

FraPazGal commented 10 months ago

Hello @ozahavi, could it be you are parsing the extraConfig param as an array? It expects a single string so it should be something like this:

$ helm install kafka oci://registry-1.docker.io/bitnamicharts/kafka --set extraConfig="authorizerClassName=kafka.security.auth.StandardAuthorizer",...
ozahavi commented 10 months ago

Hello @ozahavi, could it be you are parsing the extraConfig param as an array? It expects a single string so it should be something like this:

$ helm install kafka oci://registry-1.docker.io/bitnamicharts/kafka --set extraConfig="authorizerClassName=kafka.security.auth.StandardAuthorizer",...

Tried with a string, this is how it looks in the values.yaml -

extraConfig: authorizerClassName=kafka.security.auth.StandardAuthorizer

And this is how it looks on the config map -

listener.name.client.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required user_telemetry="password-placeholder-0" user_mlops="password-placeholder-1";
listener.name.client.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required;
listener.name.client.scram-sha-512.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required;
listener.name.internal.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="inter_broker_user" password="interbroker-password-placeholder" user_inter_broker_user="interbroker-password-placeholder" user_2="password-placeholder-0" user_1="password-placeholder-1";
listener.name.internal.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="inter_broker_user" password="interbroker-password-placeholder";
listener.name.internal.scram-sha-512.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="inter_broker_user" password="interbroker-password-placeholder";
# End of SASL JAAS configuration
authorizerClassName=kafka.security.auth.StandardAuthorizer

And still getting this in the provisioning log -

Error while executing ACL command: org.apache.kafka.common.errors.SecurityDisabledException: No Authorizer is configured.
java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.SecurityDisabledException: No Authorizer is configured.
ozahavi commented 10 months ago

@FraPazGal @javsalgar any suggestions?

FraPazGal commented 10 months ago

I think this comes from a syntax error. Going by Kafka's documentation, you should be using the following syntax:

authorizer.class.name=org.apache.kafka.metadata.authorizer.StandardAuthorizer

#### Using it in our chart ####
$ helm install kafka oci://registry-1.docker.io/bitnamicharts/kafka --set extraConfig="authorizer.class.name=org.apache.kafka.metadata.authorizer.StandardAuthorizer",...

It's possible you got confused by our README, as authorizerClassName was a custom parameter we used that was later on parsed for Kafka (see that https://github.com/bitnami/charts/blob/main/bitnami/kafka/README.md?plain=1#L1125-L1152 refers to deprecated settings of our chart).

Could you try using the official syntax? If the issue persists, please share your updated values to help us reproduce the error on our side.
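As an added check that is not part of this thread or the bitnami/charts project: a small POSIX shell function that inspects a rendered server.properties (for example the ConfigMap content pasted earlier) and confirms it carries the real Kafka property authorizer.class.name with the KRaft StandardAuthorizer named in the reply above, while flagging the deprecated camelCase chart key that Kafka silently ignores. The two sample files are constructed for the demonstration.

```shell
# Added example (not from the bitnami/charts project): sanity-check a rendered
# server.properties before running the chart's ACL provisioning job. The chart
# appends extraConfig verbatim, so a camelCase key like "authorizerClassName"
# ends up in the file but is not a Kafka property; Kafka ignores it and the
# provisioning job then fails with "No Authorizer is configured".

# KRaft authorizer class, as given in the reply above.
KRAFT_AUTHORIZER="org.apache.kafka.metadata.authorizer.StandardAuthorizer"

# check_authorizer FILE
#   returns 0 -> authorizer.class.name is set to the KRaft StandardAuthorizer
#   returns 1 -> key missing, wrong class, or only the deprecated chart key present
check_authorizer() {
    file="$1"
    # Skip comment lines, strip spaces around '=', keep the last occurrence
    # (Java's Properties loader lets the last duplicate key win).
    class=$(grep -v '^[[:space:]]*#' "$file" \
        | sed -n 's/^[[:space:]]*authorizer\.class\.name[[:space:]]*=[[:space:]]*//p' \
        | tail -n 1)

    if grep -q '^[[:space:]]*authorizerClassName[[:space:]]*=' "$file"; then
        echo "WARN: 'authorizerClassName' is a deprecated chart key; Kafka ignores it"
    fi
    if [ -z "$class" ]; then
        echo "FAIL: authorizer.class.name is not set; ACL commands will fail"
        return 1
    fi
    if [ "$class" != "$KRAFT_AUTHORIZER" ]; then
        echo "FAIL: authorizer.class.name=$class is not the KRaft StandardAuthorizer"
        return 1
    fi
    echo "OK: authorizer.class.name=$class"
    return 0
}

# Constructed sample inputs mimicking the tail of the ConfigMap shown in the thread.
BAD=$(mktemp); GOOD=$(mktemp)
cat >"$BAD" <<'EOF'
# End of SASL JAAS configuration
authorizerClassName=kafka.security.auth.StandardAuthorizer
EOF
cat >"$GOOD" <<'EOF'
# End of SASL JAAS configuration
authorizer.class.name=org.apache.kafka.metadata.authorizer.StandardAuthorizer
EOF

check_authorizer "$BAD"    # prints WARN and FAIL, returns 1
check_authorizer "$GOOD"   # prints OK, returns 0
```

To run it against a live deployment, extract server.properties from the chart's ConfigMap with kubectl and pass that file path instead of the constructed samples.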