Here are the ACLs to provide for __consumer_offsets

linkedin / Burrow

Kafka Consumer Lag Checking

Apache License 2.0

3.76k stars 800 forks source link

Here are the ACLs to provide for __consumer_offsets #378

Open cl0udgeek opened 6 years ago

cl0udgeek commented 6 years ago

I spent quite a bit of time figuring this one out but here is the ACL you need to grant for Burrow to work on...

exmaple

kafka-acls --authorizer-properties zookeeper.connect=zk01.com:2181/cluster1 --add --allow-principal "User:CN=aaaa,OU=aaa,O=aaa,L=aaa,ST=aaa,C=US" --allow-host "*" --operation Describe --topic __consumer_offsets --group=*

remember to put your own DN from your SSL cert in the User: part

hope this helps future people!

cl0udgeek commented 6 years ago

looks like you also need this:

kafka-acls --authorizer-properties zookeeper.connect=zk01.com:2181/cluster1 --add --allow-principal "User:CN=aaaa,OU=aaa,O=aaa,L=aaa,ST=aaa,C=US" --allow-host "*" --consumer --topic "*" --group=*

chasse-code commented 6 years ago

@k1ng87 can you break down what you think the reasoning is for the second ACL. The first ACL i get, you need to grant describe on the consumer offset topic to your burrow user. but the second one seems a little bit more open than I would like.

Learnfr commented 5 years ago

For me burrow works with that acl:

./kafka-acls.sh --authorizer-properties zookeeper.connect=zookeeper_hostname:2181 --add --allow-principal "User:burrow" --topic "*" --operation Describe
./kafka-acls.sh --authorizer-properties zookeeper.connect=zookeeper_hostname:2181 --add --allow-principal "User:burrow" --topic "*" --operation Read After that you have to restart burrow service