Closed fpunzohig closed 1 year ago
Can you reupload the inventory file, if possible? The formatting got messed up a bit. Also, please have a look at this doc for configuring ACLs using the kafka_broker_custom_properties var in Ansible - https://docs.confluent.io/platform/current/kafka/authorization.html#authorization-using-acls Here's a test file where we are configuring ACLs - https://github.com/confluentinc/cp-ansible/blob/7.2.2-post/molecule/mtls-ubuntu-acl/molecule.yml
Hello all. I am trying to complete a PoC in which we are implementing a secure Kafka cluster. So far I have SSL and SASL Plain working without issue. The last step is to add ACLs to our "sensitive data" topics so only certain users can see them. I have attached our working hosts.yml file at the bottom for reference. This creates a working installation. However, with this config, issuing the kafka-acls command results in the following error (below).
Error while executing ACL command: org.apache.kafka.common.errors.SecurityDisabledException: No Authorizer is configured on the broker.
java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.SecurityDisabledException: No Authorizer is configured on the broker.
    at org.apache.kafka.common.internals.KafkaFutureImpl.wrapAndThrow(KafkaFutureImpl.java:45)
    at org.apache.kafka.common.internals.KafkaFutureImpl.access$000(KafkaFutureImpl.java:32)
    at org.apache.kafka.common.internals.KafkaFutureImpl$SingleWaiter.await(KafkaFutureImpl.java:89)
    at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:260)
    at kafka.admin.AclCommand$AdminClientService.$anonfun$addAcls$3(AclCommand.scala:112)
    at scala.collection.IterableOnceOps.foreach(IterableOnce.scala:563)
    at scala.collection.IterableOnceOps.foreach$(IterableOnce.scala:561)
    at scala.collection.AbstractIterable.foreach(Iterable.scala:919)
    at scala.collection.IterableOps$WithFilter.foreach(Iterable.scala:889)
    at kafka.admin.AclCommand$AdminClientService.$anonfun$addAcls$1(AclCommand.scala:109)
    at kafka.admin.AclCommand$AdminClientService.addAcls(AclCommand.scala:108)
    at kafka.admin.AclCommand$.main(AclCommand.scala:70)
    at kafka.admin.AclCommand.main(AclCommand.scala)
Caused by: org.apache.kafka.common.errors.SecurityDisabledException: No Authorizer is configured on the broker.
To try and fix this, I added the following custom broker properties to the hosts.yml. You can see where I added it in the Working hosts.yml below (it's commented out).
However, when I add these custom properties, the ansible install fails with the following error in the ansible play and all of the client commands fail with socket timeout errors:
The server.log output is the following
Question: can someone help me with the configuration to add to hosts.yml which will allow me to utilize the kafka-acls command to add acls? This is for a 1 way tls with sasl plain setup?
Working hosts.yml
kafka_broker_custom_properties:
  authorizer.class.name: kafka.security.authorizer.AclAuthorizer
  super.users: User:admin;User:schema_registry
zookeeper:
  hosts:
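
Added example, not part of the original post or of cp-ansible: a small check over rendered broker properties for the two settings this issue turns on, `authorizer.class.name` and `super.users`, plus the `allow.everyone.if.no.acl.found` fallback. The sample property text and the broker principal names passed in are constructed assumptions; the principal your brokers actually authenticate as depends on your SASL setup.

```python
def parse_properties(text):
    """Parse server.properties-style 'key=value' lines into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def parse_super_users(value):
    """super.users is a semicolon-separated list of 'User:<name>' principals."""
    return {p.strip() for p in value.split(";") if p.strip()}


def check_acl_config(props, broker_principal):
    """Return a list of findings; an empty list means nothing was flagged."""
    if not props.get("authorizer.class.name"):
        # This is the state that makes kafka-acls fail with SecurityDisabledException.
        return ["authorizer.class.name is not set: no ACLs are enforced"]
    findings = []
    supers = parse_super_users(props.get("super.users", ""))
    for p in sorted(supers):
        kind, sep, name = p.partition(":")
        if kind != "User" or not sep or not name:
            findings.append(f"super.users entry {p!r} is not of the form User:<name>")
    if broker_principal not in supers:
        findings.append(f"{broker_principal} is not in super.users: it needs "
                        "explicit ACLs for inter-broker requests")
    if props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append("allow.everyone.if.no.acl.found=true: resources without "
                        "ACLs are open to any principal")
    return findings


# Constructed sample inputs; WITH_AUTHORIZER uses the values shown in this issue.
NO_AUTHORIZER = "listeners=SASL_SSL://:9092\n"
WITH_AUTHORIZER = (
    "authorizer.class.name=kafka.security.authorizer.AclAuthorizer\n"
    "super.users=User:admin;User:schema_registry\n"
)

if __name__ == "__main__":
    for label, text, principal in [
        ("no authorizer", NO_AUTHORIZER, "User:admin"),
        ("broker is User:admin", WITH_AUTHORIZER, "User:admin"),
        ("broker is User:broker (hypothetical)", WITH_AUTHORIZER, "User:broker"),
    ]:
        print(label, "->", check_acl_config(parse_properties(text), principal))
```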