[Question] Create different users with different type of access

carloshn90 commented 4 years ago

I would like to know if will be possible create different users and asign different topics to each user.

I created two users through kafkauser:

First user:

authentication:
type: scram-sha-512
authorization:
acls:
  - operation: Read
    resource:
      name: first-topic-name
      patternType: literal
      type: topic
type: simple

Second user:

authentication:
type: scram-sha-512
authorization:
acls:
  - operation: All
    resource:
      name: first-topic-name
      patternType: literal
      type: topic
  - operation: All
    resource:
      name: second-topic-name
      patternType: literal
      type: topic
  - operation: All
    resource:
      name: third-topic-name
      patternType: literal
      type: topic
type: simple

kafka set up:

entityOperator:
topicOperator: {}
userOperator: {}
kafka:
config:
  log.retention.hours: 24
  offsets.topic.replication.factor: 1
  transaction.state.log.min.isr: 1
  transaction.state.log.replication.factor: 1
listeners:
  external:
    authentication:
      type: scram-sha-512
    overrides:
      bootstrap:
        host: >-
          cluster-url
      brokers:
        - broker: 0
          url-broker
    tls: true
    type: route
metrics: {}
replicas: 1
storage:
  type: ephemeral
zookeeper:
replicas: 1
storage:
  type: ephemeral

The problem here it is that I can access to all the topics using both users, describe them and send messages.

I'm using the following properties to connect:

ssl.endpoint.identification.algorithm=
ssl.truststore.location=cluster-crt
ssl.truststore.password=password
bootstrap.servers=cluster-url
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="user-name" password="user-password";
security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-512

Is it possible to use Acls to have different users with different levels of access topics?
Is it necessary to set up something else in the cluster to use Acls apart of the kafkauser?

scholzj commented 4 years ago

The KafkaUser CRs look good at a quick glance. But in the Kafka CR, you do not enable authorization, so the ACLs you configure in the KafkaUser resources are not enforced. You will need to add the authorization:

authorization:
  type: simple

For example:

  entityOperator:
    topicOperator: {}
    userOperator: {}
  kafka:
    config:
      log.retention.hours: 24
      offsets.topic.replication.factor: 1
      transaction.state.log.min.isr: 1
      transaction.state.log.replication.factor: 1
    listeners:
      external:
        authentication:
          type: scram-sha-512
        overrides:
          bootstrap:
            host: >-
              cluster-url
          brokers:
            - broker: 0
              url-broker
        tls: true
        type: route
    authorization:
      type: simple
    metrics: {}
    replicas: 1
    storage:
      type: ephemeral
  zookeeper:
    replicas: 1
    storage:
      type: ephemeral

carloshn90 commented 4 years ago

Thank you @scholzj! you are totally correct I forgot to add the authorization into the kafka configuration. Sorry for this silly question!

scholzj commented 4 years ago

No worries.

strimzi / strimzi-kafka-operator

[Question] Create different users with different type of access #2240