confluentinc / confluent-kafka-go

Confluent's Apache Kafka Golang client
Apache License 2.0

Kafka receives wrong user #322

Closed lougxing closed 5 years ago

lougxing commented 5 years ago

Description

  1. Add users testuser1 and testuser2.
  2. Set ACL for testuser1: topic=kafkatest1 allow-host=1.2.3.4 group=default-group
  3. Set ACL for testuser2: topic=kafkatest2 allow-host=1.2.3.4 group=default-group

    /home/s/kafka/bin/kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-properties zookeeper.connect=:2181 --add --allow-principal User:testuser1 --operation Read --topic kafkatest1 --allow-host 1.2.3.4 --group default-group

    /home/s/kafka/bin/kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-properties zookeeper.connect=:2181 --add --allow-principal User:testuser2 --operation Read --topic kafkatest2 --allow-host 1.2.3.4 --group default-group

  4. With user=testuser1 and group=default-group, consuming topic=kafkatest1 on host=1.2.3.4 is OK.
  5. But with user=testuser2 and group=default-group, consuming topic=kafkatest2 on host=1.2.3.4, some broker's kafka-authorizer.log prints:

    [2019-04-11 20:20:19,051] INFO Principal = User:testuser1 is Denied Operation = Describe from host = 1.2.3.4 on resource = Topic:LITERAL:kafkatest2 (kafka.authorizer.logger)

The user is wrong; it should be testuser2.

How to reproduce

The cluster has 5 brokers; the config is:

    listeners=SASL_PLAINTEXT://:9092
    security.inter.broker.protocol=SASL_PLAINTEXT
    sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256
    sasl.enabled.mechanisms=SCRAM-SHA-256

    allow.everyone.if.no.acl.found=false
    super.users=User:superuser
    authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer

edenhill commented 5 years ago

Authorization is performed by the broker and is outside the control of the client; the client simply provides its username/password for authentication.
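
Since the authorization decision is made and logged on the broker, the authorizer log shows which authenticated principal each request arrived under. The Go program below is an added example, not part of this thread or of confluent-kafka-go: it scans log text in the format quoted in the issue and reports denials on a topic made under a principal other than the one holding the ACL. The names `unexpectedDenials`, `Denial` and `granted` are hypothetical, and all sample lines except the one quoted in the issue are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample; only the second line is the one quoted in the issue.
const sampleLog = `[2019-04-11 20:20:18,900] DEBUG Principal = User:testuser1 is Allowed Operation = Read from host = 1.2.3.4 on resource = Topic:LITERAL:kafkatest1 (kafka.authorizer.logger)
[2019-04-11 20:20:19,051] INFO Principal = User:testuser1 is Denied Operation = Describe from host = 1.2.3.4 on resource = Topic:LITERAL:kafkatest2 (kafka.authorizer.logger)
[2019-04-11 20:20:19,300] DEBUG Principal = User:testuser2 is Allowed Operation = Read from host = 1.2.3.4 on resource = Group:LITERAL:default-group (kafka.authorizer.logger)
[2019-04-11 20:20:19,400] INFO Principal = User:testuser2 is Denied Operation = Write from host = 1.2.3.4 on resource = Topic:LITERAL:kafkatest2 (kafka.authorizer.logger)`

// Denial is a "Denied" decision whose principal is not the one granted the topic.
type Denial struct {
	Principal, Operation, Host, Topic, Expected string
}

var lineRE = regexp.MustCompile(`Principal = (\S+) is (Allowed|Denied) Operation = (\S+) from host = (\S+) on resource = Topic:[A-Z]+:(\S+)`)

// unexpectedDenials scans authorizer log text and returns each denial on a topic
// listed in granted (topic -> principal holding the ACL) that was made under a
// different principal. Denials of the expected principal are ordinary missing
// permissions and are skipped, as are non-topic resources.
func unexpectedDenials(logText string, granted map[string]string) []Denial {
	var out []Denial
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		m := lineRE.FindStringSubmatch(sc.Text())
		if m == nil || m[2] != "Denied" {
			continue // not a topic decision, or an allowed one
		}
		if want, ok := granted[m[5]]; ok && want != m[1] {
			out = append(out, Denial{m[1], m[3], m[4], m[5], want})
		}
	}
	return out
}

func main() {
	// Grants taken from the two kafka-acls.sh commands in the issue.
	granted := map[string]string{"kafkatest1": "User:testuser1", "kafkatest2": "User:testuser2"}
	for _, d := range unexpectedDenials(sampleLog, granted) {
		fmt.Printf("%s denied %s on %s from %s; ACL is held by %s\n",
			d.Principal, d.Operation, d.Topic, d.Host, d.Expected)
	}
}
```

The host field of each reported denial identifies the client machine whose configured `sasl.username` should be compared with the principal the broker logged.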