
I created a KafkaUser to access a Kafka topic in the cloud from outside; its definition is as follows. I can use SSL mode to access this topic externally on port 9094.

apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaUser
metadata:
  name: data-user
  namespace: abc
  labels:
    strimzi.io/cluster: data-cluster
spec:
  authentication:
    type: tls
  authorization:
    acls:
      - host: '*'
        operation: All
        resource:
          name: data-topic
          patternType: literal
          type: topic
        type: allow
      - host: '*'
        operation: All
        resource:
          name: data-group
          patternType: literal
          type: group
        type: allow
      - host: '*'
        operation: All
        resource:
          name: data-cluster
          patternType: literal
          type: cluster
        type: allow
    type: simple

Now, inside the cloud, I am going to use port 9092 to access this topic without any authentication or authorization. Is that possible?

When I run the consumer, it complains TOPIC_AUTHORIZATION_FAILED.

bin/kafka-console-consumer.sh --bootstrap-server localhost:9092 --group data-group --topic data-topic

[2021-03-06 19:54:22,689] WARN [Consumer clientId=consumer-data-group-1, groupId=data-group] Error while fetching metadata with correlation id 2 : {data-topic=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
[2021-03-06 19:54:22,692] ERROR [Consumer clientId=consumer-data-group-1, groupId=data-group] Topic authorization failed for topics [data-topic] (org.apache.kafka.clients.Metadata)
[2021-03-06 19:54:22,696] ERROR Error processing message, terminating consumer process:  (kafka.tools.ConsoleConsumer$)
org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [osprey2-topic]
Processed a total of 0 messages

My question is: I want to access the topic on port 9092 without any authorization; how do I do it?

Joe

1 Answer


Kafka supports only cluster-wide authorization. So you can create multiple listeners with different or no authentication, but you can enable or disable authorization only once for the whole cluster. So it is not possible to have the internal listener without authorization. When the user connects over the listener without any authentication, it will be connected as the ANONYMOUS user, and this user will be checked for ACLs like any other user; in case it does not have them, it will not be allowed to do anything.

You can work around this problem by using the Kafka Admin API and giving the ANONYMOUS user the rights for all actions you want to take from port 9092. However, it is definitely a bad practice from a security perspective. You should instead use proper authentication on the 9092 interface as well, and that will allow you to give users the ACLs they need. If you for some reason do not want to use SSL on the 9092 listener, you can still use, for example, SCRAM-SHA-512 authentication.

Jakub
  • Since it is SSL mode, I have a truststore and keystore on the client side, and it worked for SSL when I used port 9094. But when I use port 9092, even though it doesn't do authentication, for authorization does the client side (producer or consumer) still need a truststore and keystore? – Joe Mar 07 '21 at 02:46
  • That all depends on how you configured the listener on port 9092. – Jakub Mar 07 '21 at 12:32
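As an added illustration of the answer's recommendation (this is not configuration from the question, the answer or the Strimzi project): a Kafka CR for data-cluster whose 9092 listener requires SCRAM-SHA-512 instead of running unauthenticated, with a matching KafkaUser holding least-privilege ACLs. Assumed: Strimzi 0.20 or later (listener list format), a loadbalancer type for the external listener, the user name data-user-internal, and that the remaining required Kafka CR fields (replicas, storage, zookeeper) are present.

```yaml
apiVersion: kafka.strimzi.io/v1beta1
kind: Kafka
metadata:
  name: data-cluster
  namespace: abc
spec:
  kafka:
    authorization:
      type: simple            # cluster-wide: applies to every listener, cannot be off for 9092 only
    listeners:
      # WEAK variant: this same entry without the "authentication" block. Clients then connect
      # as the ANONYMOUS principal, which holds no ACLs, hence TOPIC_AUTHORIZATION_FAILED.
      - name: plain
        port: 9092
        type: internal
        tls: false              # plain TCP is kept; only authentication is added
        authentication:
          type: scram-sha-512   # CORRECTED: SASL/SCRAM, no client keystore or truststore needed
      - name: external
        port: 9094
        type: loadbalancer      # assumed external listener type
        tls: true
        authentication:
          type: tls
---
# KafkaUser for in-cluster clients. Strimzi's User Operator writes the generated password
# to a Secret named after the user (data-user-internal) in the same namespace, key "password".
apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaUser
metadata:
  name: data-user-internal     # assumed name
  namespace: abc
  labels:
    strimzi.io/cluster: data-cluster
spec:
  authentication:
    type: scram-sha-512
  authorization:
    type: simple
    acls:                      # least privilege for a consumer: Read, not All
      - resource: { type: topic, name: data-topic, patternType: literal }
        operation: Read
      - resource: { type: group, name: data-group, patternType: literal }
        operation: Read
# Consumer side (constructed client.properties, passed with --consumer.config):
#   security.protocol=SASL_PLAINTEXT
#   sasl.mechanism=SCRAM-SHA-512
#   sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
#     username="data-user-internal" password="<password from the Secret>";
```

With this in place the ACL check still runs on 9092, but it evaluates a named principal rather than ANONYMOUS, so the console consumer from the question succeeds once it is given the SASL client properties.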