Not able to produce after setting up ACL in kafka

Question

I am using wurstmeister kafka and zookeeper docker images in my local to test SASL and ACL in kafka.

My docker-compose.yml is -

version: '3'

services:
  zookeeper:
    image: wurstmeister/zookeeper
    hostname: zookeeper
    container_name: zookeeper
    volumes:
    - ./zookeeper/zookeeper.sasl.jaas.config:/etc/kafka/zookeeper_server_jaas.conf
    - ./zk/data:/var/lib/zookeeper/data
    environment:
      ZOOKEEPER_CLIENT_PORT: 2181
      ZOOKEEPER_TICK_TIME: 2000
      ZOOKEEPER_SET_ACL: 'true'
      KAFKA_OPTS: -Djava.security.auth.login.config=/etc/kafka/zookeeper_server_jaas.conf
          -Dzookeeper.authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
          -Dzookeeper.allowSaslFailedClients=false
          -Dzookeeper.requireClientAuthScheme=sasl

  broker:
    image: wurstmeister/kafka:2.13-2.6.0
    hostname: broker
    container_name: broker
    depends_on:
      - zookeeper
    ports:
      - "9092:9092"
    volumes:
      - ./kafka/kafka.jaas.conf:/etc/kafka/kafka_server_jaas.conf
      - ./kfk/data:/kafka
    environment:
      KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: EXTERNAL:SASL_PLAINTEXT
      KAFKA_AUTHORIZER_CLASS_NAME: kafka.security.authorizer.AclAuthorizer
      KAFKA_AUTO_CREATE_TOPIC: 'true'
      KAFKA_LISTENERS: EXTERNAL://:9092
      KAFKA_ADVERTISED_LISTENERS: EXTERNAL://localhost:9092
      KAFKA_ADVERTISED_PORT: 9092
      KAFKA_SASL_ENABLED_MECHANISMS: PLAIN
      KAFKA_LISTENER_NAME_EXTERNAL_SASL_ENABLED_MECHANISMS: PLAIN
      KAFKA_LISTENER_NAME_EXTERNAL_PLAIN_SASL_JAAS_CONFIG: |
            org.apache.kafka.common.security.plain.PlainLoginModule required \
            username="broker" \
            password="broker" \
            user_broker="broker" \
            user_client="client-secret" \
            user_alice="alice-secret";
      KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL: PLAIN
      KAFKA_INTER_BROKER_LISTENER_NAME: EXTERNAL

And following are the jaas files for zookeeper and kafka -

zookeeper.sasl.jaas.config -

Server {
   org.apache.zookeeper.server.auth.DigestLoginModule required
   user_kafka="kafka";
};

kafka.jaas.config -

Client {
   org.apache.zookeeper.server.auth.DigestLoginModule required
   username="kafka"
   password="kafka";
};

I created zookeeper and kafka containers and ran the command within kafka container -

/opt/kafka_2.13-2.6.0/bin # ./kafka-acls.sh --authorizer-properties zookeeper.connect=zookeeper:2181 --add --allow-principal User:alice --producer --topic testtopic
Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name=testtopic, patternType=LITERAL)`: 
    (principal=User:alice, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:alice, host=*, operation=WRITE, permissionType=ALLOW)
    (principal=User:alice, host=*, operation=CREATE, permissionType=ALLOW) 

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=testtopic, patternType=LITERAL)`: 
    (principal=User:alice, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:alice, host=*, operation=WRITE, permissionType=ALLOW)
    (principal=User:alice, host=*, operation=CREATE, permissionType=ALLOW) 

But when I try to produce event from my go code (using sarama) - it gives error

kafka server: In the middle of a leadership election, there is currently no leader for this partition and hence it is unavailable for writes.

My go code is -

package main

import "github.com/Shopify/sarama"

var brokers = []string{"127.0.0.1:9092"}

func newProducer() (sarama.SyncProducer, error) {
    config := sarama.NewConfig()
    config.Producer.Partitioner = sarama.NewRandomPartitioner
    config.Producer.RequiredAcks = sarama.WaitForAll
    config.Producer.Return.Successes = true
    config.Net.SASL.User = "alice"
    config.Net.SASL.Password = "alice-secret"
    config.Net.SASL.Handshake = true
    config.Net.SASL.Enable = true
    producer, err := sarama.NewSyncProducer(brokers, config)

    return producer, err
}

func prepareMessage(topic, message string) *sarama.ProducerMessage {
    msg := &sarama.ProducerMessage{
        Topic:     topic,
        Partition: -1,
        Value:     sarama.StringEncoder(message),
    }

    return msg
}

func panicOnError(err error) {
    if err != nil {
        panic(err)
    }
}

func main() {
    producer, err := newProducer()
    panicOnError(err)
    msg := prepareMessage("testtopic", `{"key":"value"}`)
    _, _, err = producer.SendMessage(msg)
    panicOnError(err)
}

I tried kafka-acls.sh with --bootstrap-server (command - ./kafka-acls.sh --bootstrap-server localhost:9092 --add --allow-principal User:alice --producer --topic testtopic) argument also but then the script would get stuck and I can observer authentication error in kafka docker logs -

[2021-05-29 16:27:46,288] INFO [SocketServer brokerId=1002] Failed authentication with /127.0.0.1 (Unexpected Kafka request of type METADATA during SASL handshake.) (org.apache.kafka.common.network.Selector)

PS: all things are working fine if I use SASL only (without ACL)

Now I am stuck at the acl part. Anyone has ideas what I am missing (probably in zookeeper or kafka config) ?

Any help is appreciated. Thanks in advance.

Answer 1

For your first issue I would try the following suggestions https://github.com/Shopify/sarama/issues/272

For the second issue you should add to the command line --command-config /path/cmd.cfg

Indicating the admin client properties to connect your broker , like mechainsem SASL and more...

KAFKA_OPTS setting the jaas file

And the jaas file should contain KafkaClient with user , password to connect to your broker with PLAIN authentication method