confluentinc / schema-registry

Confluent Schema Registry for Kafka
https://docs.confluent.io/current/schema-registry/docs/index.html

ACL Authorization not working in conjunction with Basic Auth #1399

Closed masterlittle closed 4 years ago

masterlittle commented 4 years ago

Hi, I have set up basic auth for my schema-registry and it is working fine. I am using SASL PLAIN for auth within the cluster. Now I used schema-acl-cli to give permissions to the SASL users, which are the same as the basic auth users with the same passwords. But when I make an API request, the user is able to access everything. The ACL auth is not working for the user. Is it possible for them to work seamlessly?

My schema-registry args:-

```yaml
schema_registry_service_environment_overrides:
  SCHEMA_REGISTRY_HEAP_OPTS: "-Xmx1000M"
  SCHEMA_REGISTRY_OPTS: "{{ '-Djava.security.auth.login.config=/etc/schema-registry/jaas_config.file' | java_arg_build_out }}"
  SECURITY_PLUGINS_OPTS: "-Djava.security.auth.login.config=/etc/schema-registry/jaas_config.file"
```

My schema-registry.properties:-

```properties
# Maintained by Ansible
debug=False
kafkastore.topic=_schemas
access.control.allow.origin=*

# Schema Registry Configuration
listeners=http://0.0.0.0:8081
host.name=xxxx
inter.instance.protocol=http

# Kafka Broker Configuration
kafkastore.bootstrap.servers=xxxx:9092
kafkastore.security.protocol=SASL_PLAINTEXT
kafkastore.sasl.mechanism=PLAIN
kafkastore.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
    username="analytics" password="xxxxx";

authentication.method=BASIC
authentication.roles=admin,readonly
authentication.realm=SchemaRegistry-Props
confluent.schema.registry.authorizer.class=io.confluent.kafka.schemaregistry.security.authorizer.schemaregistryacl.SchemaRegistryAclAuthorizer
```

My acls list:-

```text
Current ACL's for Subject Operations are {analytics={*=[SUBJECT_READ]}, dataeng={vi=[SUBJECT_COMPATIBILITY_WRITE], vi-value=[SUBJECT_COMPATIBILITY_WRITE], vi-key=[SUBJECT_COMPATIBILITY_WRITE]}, schema-admin={*=[SUBJECT_READ, SUBJECT_WRITE, SUBJECT_DELETE, SUBJECT_COMPATIBILITY_READ, SUBJECT_COMPATIBILITY_WRITE]}, readonly={vi=[SUBJECT_READ, SUBJECT_COMPATIBILITY_READ], vi-value=[SUBJECT_READ, SUBJECT_COMPATIBILITY_READ], vi-key=[SUBJECT_READ, SUBJECT_COMPATIBILITY_READ]}, admin-dataeng={vi=[SUBJECT_READ, SUBJECT_WRITE, SUBJECT_COMPATIBILITY_READ, SUBJECT_COMPATIBILITY_WRITE], vi-value=[SUBJECT_READ, SUBJECT_WRITE, SUBJECT_COMPATIBILITY_READ, SUBJECT_COMPATIBILITY_WRITE], vi-key=[SUBJECT_READ, SUBJECT_WRITE, SUBJECT_COMPATIBILITY_READ, SUBJECT_COMPATIBILITY_WRITE]}}
Current ACL's for Global Operations are {admin-dataeng=[GLOBAL_COMPATIBILITY_READ, GLOBAL_COMPATIBILITY_WRITE, GLOBAL_SUBJECTS_READ]}
```

My SASL users in ansible:-

```yaml
sasl_plain_users:
  dataeng:
    principal: dataeng
    password: zzzz
  readonly:
    principal: readonly
    password: yyyy
  analytics:
    principal: analytics
    password: xxxx
```

My jaas config file:-

```text
SchemaRegistry-Props {
    org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
        file="/etc/schema-registry/passwd"
        debug="true";
};
```

I'm really stumped on how to proceed on this. Any help would be appreciated!

rayokota commented 4 years ago

You seem to be missing

resource.extension.class=io.confluent.kafka.schemaregistry.security.SchemaRegistrySecurityResourceExtension

from

https://docs.confluent.io/current/confluent-security-plugins/schema-registry/install.html#activate-the-plugins
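
A configuration check for exactly the gap rayokota points at, added here as an example (not part of this issue or of the Schema Registry project): it reads a schema-registry.properties file and flags an authorizer class that is configured while the security resource extension that loads it is absent. The property names and class names are the ones quoted in this thread; the sample properties are constructed to mirror the reporter's file.

```python
import re

AUTHORIZER_KEY = "confluent.schema.registry.authorizer.class"
EXTENSION_KEY = "resource.extension.class"
SECURITY_EXTENSION = "io.confluent.kafka.schemaregistry.security.SchemaRegistrySecurityResourceExtension"

def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value or key: value,
    and trailing-backslash continuations (used for the multi-line JAAS entry)."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        logical, pending = pending + line, ""
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def check_acl_wiring(text):
    """Return findings (empty list = consistent). Mirrors the maintainer's diagnosis:
    the authorizer class is only honoured when the security extension is loaded."""
    props = parse_properties(text)
    authorizer = props.get(AUTHORIZER_KEY)
    if not authorizer:
        return []  # no authorizer requested, nothing to verify
    loaded = {e.strip() for e in props.get(EXTENSION_KEY, "").split(",")}
    if SECURITY_EXTENSION in loaded:
        return []
    return [f"{AUTHORIZER_KEY}={authorizer} but {EXTENSION_KEY} does not list "
            f"{SECURITY_EXTENSION}: the authorizer is never loaded, so the ACLs "
            f"are not applied and every authenticated user keeps full access"]

# Constructed sample mirroring the properties posted in the issue (not the real file).
SAMPLE_BROKEN = """# Maintained by Ansible
authentication.method=BASIC
kafkastore.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \\
    username="analytics" password="xxxxx";
confluent.schema.registry.authorizer.class=io.confluent.kafka.schemaregistry.security.authorizer.schemaregistryacl.SchemaRegistryAclAuthorizer
"""
SAMPLE_FIXED = SAMPLE_BROKEN + f"{EXTENSION_KEY}={SECURITY_EXTENSION}\n"

if __name__ == "__main__":
    for name, cfg in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(name, check_acl_wiring(cfg) or "OK")
```

Run it against the real file (`check_acl_wiring(open("/etc/schema-registry/schema-registry.properties").read())`) as a deploy-time gate; it does not prove ACLs are enforced at runtime, only that the configuration can be enforced at all.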

masterlittle commented 4 years ago

I do not want to use the security plugin. I'm implementing the open source version of this and would like to integrate the security controls without any enterprise thing.

rayokota commented 4 years ago

The AclAuthorizer requires the security plugin.