Closed jrivers96 closed 4 years ago
I figured this out. I'm using the User Operator and didn't realize that it removes ACLs done this way:

```bash
kubectl -n ${NAMESPACE_NAME} exec -ti kafka-cluster-kafka-0 -- bin/kafka-acls.sh --group '*' --topic control --operation All --authorizer-properties zookeeper.connect=127.0.0.1:2181 --add --allow-principal User:service-account-data2kafka-client
```
I applied something like below to my namespace.
```yaml
apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaUser
metadata:
  name: service-account-data2kafka-client
  labels:
    strimzi.io/cluster: kafka-cluster
spec:
  authentication:
    type: scram-sha-512
  authorization:
    type: simple
    acls:
      - resource:
          type: topic
          name: control
          patternType: literal
        operation: All
      - resource:
          type: group
          name: 'examplegroup'
          patternType: literal
        operation: All
```
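An added example (not code from the thread or from Strimzi) that shows the reconciliation behaviour discussed above: it compares the ACLs declared in a KafkaUser with the ACLs a broker actually holds and reports which live entries the User Operator would drop because they are not in the resource. The KafkaUser is embedded as the dict a YAML loader would return, the `kafka-acls.sh --list` text is a constructed sample in the format Kafka's AclCommand prints, and `host` is ignored for brevity.

```python
import re

# Constructed: the thread's KafkaUser spec, as loaded from YAML.
KAFKA_USER = {
    "metadata": {"name": "service-account-data2kafka-client"},
    "spec": {"authorization": {"type": "simple", "acls": [
        {"resource": {"type": "topic", "name": "control", "patternType": "literal"}, "operation": "All"},
        {"resource": {"type": "group", "name": "examplegroup", "patternType": "literal"}, "operation": "All"},
    ]}},
}

# Constructed sample of `kafka-acls.sh --list` output; the wildcard GROUP entry is the one
# that was added by hand with `--group '*'` and is absent from the KafkaUser.
ACL_LIST_OUTPUT = """\
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=control, patternType=LITERAL)`:
 \t(principal=User:service-account-data2kafka-client, host=*, operation=ALL, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=*, patternType=LITERAL)`:
 \t(principal=User:service-account-data2kafka-client, host=*, operation=ALL, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=examplegroup, patternType=LITERAL)`:
 \t(principal=User:service-account-data2kafka-client, host=*, operation=ALL, permissionType=ALLOW)
"""

RESOURCE_RE = re.compile(r"resourceType=(\w+), name=([^,]+), patternType=(\w+)")
ENTRY_RE = re.compile(r"principal=([^,]+), host=[^,]+, operation=(\w+), permissionType=(\w+)")

def declared_acls(kafka_user):
    """ACL tuples the User Operator will enforce: (principal, type, name, pattern, op, permission)."""
    principal = "User:" + kafka_user["metadata"]["name"]
    acls = set()
    for acl in kafka_user["spec"]["authorization"]["acls"]:
        r = acl["resource"]
        acls.add((principal, r["type"].upper(), r["name"], r.get("patternType", "literal").upper(),
                  acl["operation"].upper(), acl.get("type", "allow").upper()))
    return acls

def cluster_acls(listing):
    """Parse `kafka-acls.sh --list` output into the same tuple shape."""
    acls, resource = set(), None
    for line in listing.splitlines():
        if m := RESOURCE_RE.search(line):
            resource = m.groups()
        elif (m := ENTRY_RE.search(line)) and resource:
            principal, op, perm = m.groups()
            acls.add((principal, *resource, op, perm))
    return acls

def drift(kafka_user, listing):
    """Live ACLs for this principal that the operator would remove, and declared ones it would add."""
    principal = "User:" + kafka_user["metadata"]["name"]
    live = {a for a in cluster_acls(listing) if a[0] == principal}
    want = declared_acls(kafka_user)
    return {"will_be_removed": live - want, "will_be_added": want - live}
```

Running `drift(KAFKA_USER, ACL_LIST_OUTPUT)` flags only the hand-added `GROUP *` ACL as doomed, which is exactly the symptom described in the thread.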
Yeah, using the KafkaUser resources is one way. Or if you don't want to, you can just disable the whole User Operator in the Kafka CR and manage the users yourself. Up to you.
I can't seem to figure out which user id is known to kafka when using the oauth plugin. What is the user id known by kafka when using oauth?
Also, is there any paid support/consulting for strimzi clusters?
Below are my current settings.
Keycloak realm

```json
{
  "clientId": "data2kafka-client",
  "enabled": true,
  "clientAuthenticatorType": "client-secret",
  "secret": "REDACTED",
  "publicClient": false,
  "bearerOnly": false,
  "standardFlowEnabled": false,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": true,
  "serviceAccountsEnabled": true,
  "consentRequired": false,
  "fullScopeAllowed": false,
  "attributes": {
    "access.token.lifespan": "32140800"
  }
}
```
Setting ACLs:
Broker configs
Consumer/producer log
Error from the consumer/producer app