Closed masterlittle closed 4 years ago
You seem to be missing
`resource.extension.class=io.confluent.kafka.schemaregistry.security.SchemaRegistrySecurityResourceExtension`
from
I do not want to use the security plugin. I'm implementing the open source version of this and would like to integrate the security controls without any enterprise thing.
The AclAuthorizer requires the security plugin.
Hi, I have set up basic auth for my schema-registry and it is working fine. I am using SASL PLAIN for auth within the cluster. Now I used schema-acl-cli to give permissions to the SASL users, which are the same as the basic auth users with the same passwords. But when I make an API request, the user is able to access everything. The ACL auth is not working for the user. Is it possible for them to work seamlessly?
My schema-registry args:-
schema_registry_service_environment_overrides:
My schema-registry.properties:-
```
# Maintained by Ansible
debug=False
kafkastore.topic=_schemas
access.control.allow.origin=*

# Schema Registry Configuration
listeners=http://0.0.0.0:8081
host.name=xxxx
inter.instance.protocol=http

# Kafka Broker Configuration
kafkastore.bootstrap.servers=xxxx:9092
kafkastore.security.protocol=SASL_PLAINTEXT
kafkastore.sasl.mechanism=PLAIN
kafkastore.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
  username="analytics" password="xxxxx";

authentication.method=BASIC
authentication.roles=admin,readonly
authentication.realm=SchemaRegistry-Props
confluent.schema.registry.authorizer.class=io.confluent.kafka.schemaregistry.security.authorizer.schemaregistryacl.SchemaRegistryAclAuthorizer
```
My acls list:-
```
Current ACL's for Subject Operations are {analytics={*=[SUBJECT_READ]}, dataeng={vi=[SUBJECT_COMPATIBILITY_WRITE], vi-value=[SUBJECT_COMPATIBILITY_WRITE], vi-key=[SUBJECT_COMPATIBILITY_WRITE]}, schema-admin={*=[SUBJECT_READ, SUBJECT_WRITE, SUBJECT_DELETE, SUBJECT_COMPATIBILITY_READ, SUBJECT_COMPATIBILITY_WRITE]}, readonly={vi=[SUBJECT_READ, SUBJECT_COMPATIBILITY_READ], vi-value=[SUBJECT_READ, SUBJECT_COMPATIBILITY_READ], vi-key=[SUBJECT_READ, SUBJECT_COMPATIBILITY_READ]}, admin-dataeng={vi=[SUBJECT_READ, SUBJECT_WRITE, SUBJECT_COMPATIBILITY_READ, SUBJECT_COMPATIBILITY_WRITE], vi-value=[SUBJECT_READ, SUBJECT_WRITE, SUBJECT_COMPATIBILITY_READ, SUBJECT_COMPATIBILITY_WRITE], vi-key=[SUBJECT_READ, SUBJECT_WRITE, SUBJECT_COMPATIBILITY_READ, SUBJECT_COMPATIBILITY_WRITE]}}
Current ACL's for Global Operations are {admin-dataeng=[GLOBAL_COMPATIBILITY_READ, GLOBAL_COMPATIBILITY_WRITE, GLOBAL_SUBJECTS_READ]}
```
My SASL users in ansible -
My jaas config file:-
```
SchemaRegistry-Props {
  org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
  file="/etc/schema-registry/passwd"
  debug="true";
};
```
I'm really stumped on how to proceed on this. Any help would be appreciated!
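The reply in this thread points out that the posted properties file sets the ACL authorizer class without the `resource.extension.class` entry for the security plugin. The following Python check for that gap is an added example, not code from the thread or from Confluent; the function names and the sample file are constructed for illustration, and treating the extension property as a comma-separated list is an assumption.

```python
# Added example (not from the thread): lint schema-registry.properties for the gap
# named in the reply: ACL authorizer configured, security resource extension absent.
AUTHORIZER_KEY = "confluent.schema.registry.authorizer.class"
EXTENSION_KEY = "resource.extension.class"
EXTENSION_CLASS = ("io.confluent.kafka.schemaregistry.security."
                   "SchemaRegistrySecurityResourceExtension")


def parse_properties(text):
    """Parse the subset of Java .properties syntax used here: key=value pairs,
    '#'/'!' comments, and backslash line continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props


def lint_acl_enforcement(text):
    """Return a list of findings; an empty list means the check passed."""
    props = parse_properties(text)
    findings = []
    if AUTHORIZER_KEY in props:
        # Assumption: the extension property may hold several comma-separated classes.
        extensions = [c.strip() for c in props.get(EXTENSION_KEY, "").split(",")]
        if EXTENSION_CLASS not in extensions:
            findings.append(f"{AUTHORIZER_KEY} is set but {EXTENSION_KEY} does not "
                            f"list {EXTENSION_CLASS}; per the reply, ACLs need it")
    return findings


# Constructed sample modelled on the configuration posted in the thread.
SAMPLE = """\
# Kafka Broker Configuration
kafkastore.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \\
  username="analytics" password="xxxxx";
authentication.method=BASIC
confluent.schema.registry.authorizer.class=io.confluent.kafka.schemaregistry.security.authorizer.schemaregistryacl.SchemaRegistryAclAuthorizer
"""

if __name__ == "__main__":
    print(lint_acl_enforcement(SAMPLE) or "ok")
    print(lint_acl_enforcement(SAMPLE + f"{EXTENSION_KEY}={EXTENSION_CLASS}\n") or "ok")
```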