strimzi / strimzi-kafka-operator

Apache Kafka® running on Kubernetes
https://strimzi.io/
Apache License 2.0

[Question] KafkaUser ACLS with tls authentication #2832

Closed ludusrusso closed 4 years ago

ludusrusso commented 4 years ago

Hi, I'm having some issues with KafkaUser ACLs with TLS authentication.

I have a Kafka entity set up with external loadbalancer access with TLS enabled:

    Listeners:
      External:
        Authentication:
          Type:  tls
        Tls:     true
        Type:    loadbalancer

I created a new KafkaUser as follows:

    apiVersion: kafka.strimzi.io/v1beta1
    kind: KafkaUser
    metadata:
      name: user
      labels:
        strimzi.io/cluster: kafka
    spec:
      authentication:
        type: tls
      authorization:
        type: simple
        acls:
          - resource:
              type: topic
              name: test
              patternType: literal
            operation: Write
            type: deny
            host: "*"

And I'm able to connect to the cluster with the Strimzi-generated certificate according to #1930.

However, if I try to publish on topic test, the client is able to publish messages without errors, while the ACLs specified in the KafkaUser definition deny it.

I don't understand what I'm doing wrong.

scholzj commented 4 years ago

Have you enabled the authorization? The first YAML snippet just enabled authentication, but not authorization. So you might need to do something like this:

    apiVersion: kafka.strimzi.io/v1beta1
    kind: Kafka
    spec:
      kafka:
        # ...
        listeners:
          external:
            # ...
        authorization:
          type: simple
        # ...
      zookeeper:
        # ...

You can find more in the docs: https://strimzi.io/docs/latest/full.html#simple_authorization

ludusrusso commented 4 years ago

@scholzj thanks, I didn't enable authorization!
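As an added example (not code from this thread or from the Strimzi project), a small Python lint that catches the mismatch scholzj points out: a KafkaUser carrying ACLs whose Kafka cluster has no spec.kafka.authorization, so the ACLs are never enforced. The two resources are constructed Python dicts modelled on the YAML above, and the function names are my own.

```python
import copy

# Constructed resources modelled on the issue: the cluster authenticates clients
# with TLS on the external listener but has no authorization section, so the
# broker has no authorizer and every authenticated client gets full access.
KAFKA_CLUSTER = {
    "apiVersion": "kafka.strimzi.io/v1beta1",
    "kind": "Kafka",
    "metadata": {"name": "kafka"},
    "spec": {
        "kafka": {
            "listeners": {"external": {"type": "loadbalancer", "tls": True,
                                       "authentication": {"type": "tls"}}},
            # no "authorization": {"type": "simple"} here -- the bug in the issue
        },
        "zookeeper": {},
    },
}
KAFKA_USER = {
    "apiVersion": "kafka.strimzi.io/v1beta1",
    "kind": "KafkaUser",
    "metadata": {"name": "user", "labels": {"strimzi.io/cluster": "kafka"}},
    "spec": {
        "authentication": {"type": "tls"},
        "authorization": {"type": "simple", "acls": [
            {"resource": {"type": "topic", "name": "test", "patternType": "literal"},
             "operation": "Write", "type": "deny", "host": "*"}]},
    },
}

def unenforced_acl_users(resources):
    """Return (user, cluster, reason) for every KafkaUser whose ACLs are inert."""
    clusters = {r["metadata"]["name"]: r for r in resources if r["kind"] == "Kafka"}
    findings = []
    for user in (r for r in resources if r["kind"] == "KafkaUser"):
        if not user.get("spec", {}).get("authorization", {}).get("acls"):
            continue  # no ACLs declared, nothing to enforce
        name = user["metadata"]["name"]
        # The strimzi.io/cluster label ties the user to its Kafka CR.
        cluster_name = user["metadata"].get("labels", {}).get("strimzi.io/cluster")
        cluster = clusters.get(cluster_name)
        if cluster is None:
            findings.append((name, cluster_name, "cluster not found"))
        elif "authorization" not in cluster["spec"].get("kafka", {}):
            findings.append((name, cluster_name, "spec.kafka.authorization missing"))
    return findings

def fixed_cluster(cluster):
    """Copy of the Kafka CR with simple authorization enabled, as in the answer."""
    fixed = copy.deepcopy(cluster)
    fixed["spec"]["kafka"]["authorization"] = {"type": "simple"}
    return fixed
```

Run against the two constructed resources the lint reports the user, and after applying fixed_cluster it reports nothing.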