
We’re currently building an MSK cluster. We use 2 types of authentication for 2 different clients.

The IAM authentication works fine.

But for the SASL/SCRAM authentication that's not the case: we created a secret for username/password connection and linked it to the MSK cluster.

Using our client or a UI client for Windows it's the same issue: we have a connection, but with limited functionality (like creating a topic or reading one).

Please take a look at the error the UI client returns:

Could not complete DescribeConfigs action: you can try to continue with limited functionality. ClusterAuthorizationException: Cluster authorization failed. Make sure that your user has all access rights (DescribeConsumerGroups, DescribeCluster, DescribeConfigs) for full functionality.

Also take a look at our AWS secret policy JSON file:

    {
      "Version" : "2012-10-17",
      "Statement" : [ {
        "Sid" : "......",
        "Effect" : "Allow",
        "Principal" : {
          "Service" : "kafka.amazonaws.com"
        },
        "Action" : "secretsmanager:getSecretValue",
        "Resource" : "arn:aws:secretsmanager:eu-west-3...............Z"
      } ]
    }

Do we need to modify the ACL policies directly on the Kafka instance? How?

Answers


  1. You have to set allow.everyone.if.no.acl.found to true in order to access the cluster without ACLs.

    If you need to set it to false, you can list current ACLs, and add new ones using the list-acls.sh command in Kafka CLI:

    https://jaceklaskowski.gitbooks.io/apache-kafka/content/kafka-tools-kafka-acls.html

    https://kafka.apache.org/documentation/#security_authz

  2. It seems like you’ve changed allow.everyone.if.no.acl.found to false.

    If that's the case, then you won't have access with the SCRAM auth method until you enable ACLs. So, you need to run the kafka-acls command and add permissions to the user you use to read topics, or write…

    For example, you will need to use a user that already has permissions to set up ACLs; alternatively, you can use an unauthenticated method, or ZooKeeper instead of bootstrap servers, so authentication is not checked:

    # one invocation, continued over several lines; the admin credentials live in the --command-config file
    kafka/bin/kafka-acls.sh --bootstrap-server msk:9096 \
      --command-config adminclient-configs.conf \
      --add \
      --allow-principal User:boris \
      --allow-principal User:ed \
      --operation read \
      --operation write \
      --topic my-topic

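As an added example (not part of either answer above), the following script grants a SCRAM user exactly the rights the UI client's error message lists (DescribeCluster, DescribeConfigs, DescribeConsumerGroups) plus read access to one topic, and shows what goes into the `--command-config` file for an MSK SASL/SCRAM listener. It assumes kafka-acls.sh is on PATH; the bootstrap host, user names, topic and password are placeholders, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/usr/bin/env sh
# Added example, not from the thread. Assumes kafka-acls.sh on PATH and an MSK
# SASL/SCRAM listener (port 9096). Bootstrap host, users, topic are placeholders.
set -eu

BOOTSTRAP="${BOOTSTRAP:-b-1.placeholder.kafka.eu-west-3.amazonaws.com:9096}"
CONF="${CONF:-adminclient-configs.conf}"

# Admin client properties for the SASL/SCRAM listener. Username/password are the
# values stored in the AmazonMSK_* secret associated with the cluster.
write_client_config() {
  user="$1"; pass="$2"
  cat >"$CONF" <<EOF
security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-512
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="${user}" password="${pass}";
EOF
}

# One kafka-acls.sh --add call per resource type; DRY_RUN=1 prints instead of running.
acl_add() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'kafka-acls.sh --bootstrap-server %s --command-config %s --add %s\n' \
      "$BOOTSTRAP" "$CONF" "$*"
  else
    kafka-acls.sh --bootstrap-server "$BOOTSTRAP" --command-config "$CONF" --add "$@"
  fi
}

# The minimum the DescribeConfigs error asks for, scoped to what a viewer needs:
# Describe + DescribeConfigs on the cluster, Describe on groups, Describe + Read
# on one topic. No Write, Create or Alter, so the UI user cannot change anything.
grant_readonly_ui_user() {
  user="$1"; topic="$2"
  acl_add --allow-principal "User:${user}" --operation Describe --operation DescribeConfigs --cluster
  acl_add --allow-principal "User:${user}" --operation Describe --group '*'
  acl_add --allow-principal "User:${user}" --operation Describe --operation Read --topic "$topic"
}

# Check what the user actually holds after the grant.
acl_list() {
  kafka-acls.sh --bootstrap-server "$BOOTSTRAP" --command-config "$CONF" --list --principal "User:$1"
}
# Usage: ADMIN_USER=... ADMIN_PASS=... ./grant-acls.sh grant viewer my-topic
if [ "${1:-}" = "grant" ]; then
  write_client_config "$ADMIN_USER" "$ADMIN_PASS"
  grant_readonly_ui_user "$2" "$3"
  acl_list "$2"
fi
```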