TopicAuthorizationException


Question

I created a KafkaUser to access a Kafka topic on the cloud from outside; its definition is below. I can access this topic from outside over port 9094 in SSL mode.

apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaUser
metadata:
  name: data-user
  namespace: abc
  labels:
    strimzi.io/cluster: data-cluster
spec:
  authentication:
    type: tls
  authorization:
    acls:
      - host: '*'
        operation: All
        resource:
          name: data-topic
          patternType: literal
          type: topic
        type: allow
      - host: '*'
        operation: All
        resource:
          name: data-group
          patternType: literal
          type: group
        type: allow
      - host: '*'
        operation: All
        resource:
          name: data-cluster
          patternType: literal
          type: cluster
        type: allow
    type: simple

Now, inside the cloud, I want to use port 9092 to access this topic without any authentication or authorization. Is that possible?

When I run the consumer, it complains about TOPIC_AUTHORIZATION_FAILED.

bin/kafka-console-consumer.sh --bootstrap-server localhost:9092 --group data-group --topic data-topic

[2021-03-06 19:54:22,689] WARN [Consumer clientId=consumer-data-group-1, groupId=data-group] Error while fetching metadata with correlation id 2 : {data-topic=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
[2021-03-06 19:54:22,692] ERROR [Consumer clientId=consumer-data-group-1, groupId=data-group] Topic authorization failed for topics [data-topic] (org.apache.kafka.clients.Metadata)
[2021-03-06 19:54:22,696] ERROR Error processing message, terminating consumer process:  (kafka.tools.ConsoleConsumer$)
org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [osprey2-topic]
Processed a total of 0 messages

My question is: I want to access the topic over port 9092 without any authorization. How can I do that?

Answer

Kafka supports only cluster-wide authorization. So you can create multiple listeners with different authentication, or with no authentication. But you can enable or disable authorization only once, for the whole cluster. So it is not possible to have the internal listener without authorization. When a user connects over a listener without any authentication, it is connected as the ANONYMOUS user, and this user is checked against the ACLs like any other user; if it does not have them, it will not be allowed to do anything.

You can work around this problem by using the Kafka Admin API and giving the ANONYMOUS user the rights for all actions you want to take from port 9092. However, it is definitely a bad practice from a security perspective. You should instead use proper authentication on the 9092 interface as well; that will allow you to give users the ACLs they actually need. If for some reason you do not want to use SSL on the 9092 listener, you can still use, for example, SCRAM-SHA-512 authentication.
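The configuration the answer recommends, written out as an added example (not part of the original answer or of the Strimzi project): the 9092 listener stays plaintext but requires SCRAM-SHA-512, so in-cluster clients authenticate as a named user instead of User:ANONYMOUS, and that user gets only the consumer ACLs it needs. Cluster name, namespace, topic and group come from the question; the user name "internal-consumer", the listener names, the loadbalancer type for the external listener, and the v1beta2 apiVersion (Strimzi versions with the generic listener API) are assumptions.

```yaml
# Added example: authenticate the internal 9092 listener with SCRAM-SHA-512
# instead of leaving it anonymous. Assumes Strimzi with the generic listener
# API (v1beta2); listener names, listener type and the user name are made up.
apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: data-cluster
  namespace: abc
spec:
  kafka:
    # Authorization is cluster-wide: one authorizer for every listener,
    # which is why a "no authorization" listener is not possible.
    authorization:
      type: simple
    listeners:
      # Internal listener: no TLS, but every connection must authenticate
      # with SCRAM, so no client is mapped to User:ANONYMOUS.
      - name: internal
        port: 9092
        type: internal
        tls: false
        authentication:
          type: scram-sha-512
      # External listener: TLS with client certificates, as in the question.
      - name: external
        port: 9094
        type: loadbalancer
        tls: true
        authentication:
          type: tls
    # ... replicas, storage and the rest of the cluster spec are unchanged;
    # the User Operator (entityOperator.userOperator) must be enabled so that
    # KafkaUser resources are reconciled.
---
# A separate KafkaUser for the in-cluster consumer. The User Operator creates
# a Secret named "internal-consumer" in namespace abc holding the password.
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  name: internal-consumer
  namespace: abc
  labels:
    strimzi.io/cluster: data-cluster
spec:
  authentication:
    type: scram-sha-512
  authorization:
    type: simple
    # Least privilege: a consumer needs Read and Describe on the topic and
    # Read on its group. No rights on the cluster resource, and no
    # "operation: All", unlike the data-user in the question.
    acls:
      - resource:
          type: topic
          name: data-topic
          patternType: literal
        operation: Read
        host: '*'
      - resource:
          type: topic
          name: data-topic
          patternType: literal
        operation: Describe
        host: '*'
      - resource:
          type: group
          name: data-group
          patternType: literal
        operation: Read
        host: '*'
```

With this in place the console consumer from the question needs a client properties file passed via `--consumer.config`, containing `security.protocol=SASL_PLAINTEXT`, `sasl.mechanism=SCRAM-SHA-512` and a `sasl.jaas.config` line using `org.apache.kafka.common.security.scram.ScramLoginModule` with username `internal-consumer` and the password decoded from the `password` key of the generated Secret; the in-cluster bootstrap address is the `data-cluster-kafka-bootstrap` service on port 9092. Granting the same ACLs to `User:ANONYMOUS` instead would make the consumer work too, but, as the answer says, it hands those rights to anyone who can reach the port.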
