Hi @rick / Team,
We have implemented a RBAC authorization along with LDAP authorizer,
If we assign a “DeveloperWrite” role to a user(john), User is not able to describe a topic and getting below exception. Can you please help here?
Do we have to explicitly grant “describe” permission to user? Is there anyway to restrict specific operations/permission while creating rolebindings?
Note: john is able to produce a data for topic “test”, but he is not able describe a topic.
Confluent Version: 5.5
Permission(john)
Principal | Role | ResourceType | Name | PatternType
±---------------------±---------------±-------------±------------------±------------+
Group:kafkadeveloper | DeveloperRead | Group | console-consumer- | PREFIXED
Group:kafkadeveloper | DeveloperRead | Topic | test | PREFIXED
Group:kafkadeveloper | DeveloperWrite | Topic | test | PREFIXED
Error:
ERROR [KafkaApi-0] Error when handling request: clientId=adminclient-1, correlationId=6, api=LIST_PARTITION_REASSIGNMENTS, version=0, body={timeout_ms=30000,topics=null,_tagged_fields={}} (kafka.server.KafkaApis)
org.apache.kafka.common.errors.ClusterAuthorizationException: Request Request(processor=4, connectionId=<HOST_IP>:9092-<HOST_IP>:50164-248, session=Session(User:john,/<HOST_IP>), listenerName=ListenerName(SASL_PLAINTEXT), securityProtocol=SASL_PLAINTEXT, buffer=null) is not authorized.
@kumartg can you describe the command you are executing in attempting to describe the topic as the user?
Hello @rick
Please find below command and configuration details. Even after enabling RBAC authorization, all the users are able to fetch topic metadata using “zookeeper” connection string, How do we restrict it and get topic metadata only for authorized users?
Command:
[WORKING]
$ kafka-topics --describe --zookeeper <BROKER_IP>:2181 --topic test
[NOT WORKING - Throws Exception]
$ kafka-topics --describe --topic test --bootstrap-server <BROKER_IP>:9092 --command-config producer.properties
ERROR [KafkaApi-0] Error when handling request: clientId=adminclient-1, correlationId=6, api=LIST_PARTITION_REASSIGNMENTS, version=0, body={timeout_ms=30000,topics=null,_tagged_fields={}} (kafka.server.KafkaApis)
org.apache.kafka.common.errors.ClusterAuthorizationException: Request Request(processor=4, connectionId=<HOST_IP>:9092-<HOST_IP>:50164-248, session=Session(User:john,/<HOST_IP>), listenerName=ListenerName(SASL_PLAINTEXT), securityProtocol=SASL_PLAINTEXT, buffer=null) is not authorized.
$ cat producer.properties
sasl.mechanism=PLAIN
security.protocol=SASL_PLAINTEXT
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username=“john” password=“xxxxx”;
Sample Kafka sever configuration:
listeners=TOKEN://<BROKER_IP>:50010,SASL_PLAINTEXT://<BROKER_IP>:9092
advertised.listeners=TOKEN://<BROKER_IP>:50010,SASL_PLAINTEXT://<BROKER_IP>:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.enabled.mechanisms=SCRAM-SHA-256,PLAIN
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256
listener.name.sasl_plaintext.scram-sha-256.sasl.jaas.config=
org.apache.kafka.common.security.scram.ScramLoginModule required
username=“kafka”
password=“xxxx”;
listener.name.sasl_plaintext.sasl.enabled.mechanisms=PLAIN,SCRAM-SHA-256
listener.name.sasl_plaintext.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required;
listener.name.sasl_plaintext.plain.sasl.server.callback.handler.class=io.confluent.security.auth.provider.ldap.LdapAuthenticateCallbackHandler
@kumartg since you are using RBAC can you open a support ticket and get help that way? The support team is great and I’m not certain how to resolve this issue.
Thanks @rick for your support.
@rmoff - Can you please help here?
For restricting zookeeper you will have to implement zookeeper ACLs. Zookeeper ACL are not part of RBAC. I think for describing the topic they will need developerRead.