./bin/kafka-console-producer.sh --broker-list 10.162.0.6:32294 --topic my-topic
./bin/kafka-console-consumer.sh --bootstrap-server 10.162.0.6:32294 --topic my-topic --from-beginning 

I am new to Kafka. My Kafka is running on the Strimzi Kubernetes operator, deployed with Helm.

I created a topic called my-topic and am executing the above 2 commands in two separate terminals. Whatever messages I type for the producer, I see them in response to the above consumer command!

Now I created 2 users, usera and userb, with ACLs. usera's ACL completely blocks access to the topic; the other user, userb, has full ACL access to the topic my-topic.

To test the ACLs: if I run the producer and consumer as usera, then permission denied should show, and if I run the producer and consumer as userb, then I should be able to access the topic.

But I want to know how to execute the above commands for a user.

Or please suggest how to test the scenario.

1 Answer

It would depend on the type of authentication you set in your Kafka deployment (using TLS client authentication or SCRAM-SHA), and I assume you are using the User Operator for creating users (KafkaUser resource).

In the first case, you have to extract the keystore and related password from the Secret that the User Operator creates when you create a new KafkaUser; you can use this keystore to configure a properties file (with ssl.keystore.location and ssl.keystore.password) that you can then pass to the producer via the --producer.config option or to the consumer via the --consumer.config option. Of course, if TLS client authentication is enabled, it means you have TLS in place, so you need to extract the truststore and related password from the Secret containing the cluster CA cert for your cluster (more here https://strimzi.io/docs/master/#configuring-external-clients-to-trust-cluster-ca-str). You can then use it to configure ssl.truststore.location and ssl.truststore.password in the same properties file.

If you are using SCRAM-SHA, you have to extract the username and password from the KafkaUser-related Secret and configure the JAAS property in the above properties file.

ppatierno
  • I am new to Strimzi and Kafka as well! In your above comment, do you mean I need to copy the producer.config/consumer.config into the pod every time? Also, following the above suggestion, I am stuck at enabling ACLs, so I created another question with a full description here: https://stackoverflow.com/questions/61039388/strimzi-operator-kafka-cluster-acl-not-enabling-with-type-simple Please have a look and suggest; your experience/knowledge can save me. – sudhir tatraju Apr 05 '20 at 07:36
  • Jakub already answered on that question. Anyway, wherever you are running the producer and consumer you need the config files for them with the right configuration. – ppatierno Apr 05 '20 at 15:42
  • Yes, my deep gratitude to Jakub! Yes, now ACLs are enabled, so even though full access to consume messages is there in the ACLs, I am getting user authorization errors. So to authorize the user I now need to authenticate the user using producer.config and consumer.config, but I am not getting how to configure values inside those files present in the config folder of Kafka, as we have only view access inside the pod at /opt/kafka. Although we have write access to /tmp, copying producer.config and consumer.config to /tmp and running producer.sh or consumer.sh is failing, so could you tell me how I shall create files inside the Strimzi Kafka pod, please? – sudhir tatraju Apr 05 '20 at 17:51
  • What's your Kafka custom resource? It seems from the examples above that you are accessing using some nodeport (I see a port number like 32294), so outside the Kafka pods, not inside the cluster. Anyway, if you want to run them from inside a pod in the cluster, you should load the properties file, maybe through a ConfigMap mounted as a volume. – ppatierno Apr 06 '20 at 05:45
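
The procedure from the answer, sketched as a shell script; this is an added example, not code from the thread or from the Strimzi project. It assumes a namespace `kafka`, a cluster named `my-cluster`, a TLS-enabled listener, the Secret keys `ca.p12`/`ca.password` and `user.p12`/`user.password`, and SCRAM-SHA-512 as the SCRAM mechanism; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: namespace "kafka",
# cluster "my-cluster", a TLS-enabled listener, and the Secret keys named below.
NS="${NS:-kafka}"
CLUSTER="${CLUSTER:-my-cluster}"

# Print the decoded value of one key of a Secret (dots in the key are escaped for jsonpath).
secret_value() {  # args: secret key
  key=$(printf '%s' "$2" | sed 's/\./\\./g')
  kubectl -n "$NS" get secret "$1" -o "jsonpath={.data.$key}" | base64 -d
}

# Properties for a KafkaUser with TLS client authentication.
write_tls_props() {  # args: user dir truststore_password keystore_password
  ( umask 077   # the file holds passwords: owner read/write only
    cat > "$2/$1.properties" <<EOF
security.protocol=SSL
ssl.truststore.type=PKCS12
ssl.truststore.location=$2/ca.p12
ssl.truststore.password=$3
ssl.keystore.type=PKCS12
ssl.keystore.location=$2/$1.p12
ssl.keystore.password=$4
EOF
  )
}

# Properties for a KafkaUser with SCRAM-SHA-512 authentication.
write_scram_props() {  # args: user dir truststore_password scram_password
  ( umask 077
    cat > "$2/$1.properties" <<EOF
security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-512
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="$1" password="$4";
ssl.truststore.type=PKCS12
ssl.truststore.location=$2/ca.p12
ssl.truststore.password=$3
EOF
  )
}

# Pull stores and passwords from the cluster, then write the file (TLS user).
fetch_tls_user() {  # args: user dir
  ( umask 077
    secret_value "$CLUSTER-cluster-ca-cert" ca.p12 > "$2/ca.p12"
    secret_value "$1" user.p12 > "$2/$1.p12" )
  write_tls_props "$1" "$2" "$(secret_value "$CLUSTER-cluster-ca-cert" ca.password)" \
    "$(secret_value "$1" user.password)"
}
```

After `fetch_tls_user userb /tmp`, append `--producer.config /tmp/userb.properties` or `--consumer.config /tmp/userb.properties` to the commands from the question; repeating the run with a file built for usera should end in an authorization error if the ACLs are in effect.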