MSK with SASL/SCRAM authentication. I can access the cluster but can't perform any action

Hi,

We're currently building an MSK cluster. We use two types of authentication for two different clients.

The IAM authentication works fine.

But for the SASL/SCRAM authentication that's not the case: we created a secret for the username/password connection and linked it to the MSK cluster.

Using our client or a UI client for Windows, it's the same issue: we have a connection but with limited functionality (like creating a topic or reading one).

Please take a look at the error the UI client returns:

Could not complete DescribeConfigs action: you can try to continue with limited functionality. ClusterAuthorizationException: Cluster authorization failed. Make sure that your user has all access rights (DescribeConsumerGroups, DescribeCluster, DescribeConfigs) for full functionality.

Also take a look at our AWS secret policy JSON file:

{
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Sid" : "......",
    "Effect" : "Allow",
    "Principal" : {
      "Service" : "kafka.amazonaws.com"
    },
    "Action" : "secretsmanager:getSecretValue",
    "Resource" : "arn:aws:secretsmanager:eu-west-3...............Z"
  } ]
}

Do we need to modify the ACL policies directly on the Kafka instance? How?

Thanks

1 Answer

It seems like you've changed allow.everyone.if.no.acl.found to false.

If that's the case, then you won't have access with the SCRAM auth method until you enable ACLs. So you need to run the kafka-acls command and add permissions to the user you use to read topics, or write...

For example, you will need to use a user that already has permissions to set up ACLs; alternatively, you can use an unauthenticated method, or ZooKeeper instead of bootstrap servers, so authentication is not checked:

kafka/bin/kafka-acls.sh --bootstrap-server msk:9096 \
  --command-config adminclient-configs.conf \
  --add \
  --allow-principal User:boris \
  --allow-principal User:ed \
  --operation read \
  --operation write \
  --topic my-topic
AWS
EdbE
answered a month ago
EXPERT
verified a month ago
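The answer above shows one kafka-acls.sh call for two users. The following script is an added example, not part of the original post or answer and not AWS or Kafka project code; it wraps the same tool so that the SCRAM client config is written to a mode-0600 file instead of the password going on the command line, and it grants exactly the three resource-scoped permissions behind the UI's error (Describe and DescribeConfigs on the cluster, Read/Write/Create/Describe on one topic, Read/Describe on one consumer group) rather than All on a wildcard. The broker address b-1.example.eu-west-3.amazonaws.com:9096, the principals "admin" and "app-user", and the names my-topic and my-group are hypothetical placeholders; 9096 is the MSK SASL/SCRAM listener port and SCRAM-SHA-512 over SASL_SSL is what MSK expects. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post, AWS or the Kafka project): grant one
# SASL/SCRAM user least-privilege Kafka ACLs with kafka-acls.sh from the Kafka distribution.
# Hypothetical names: broker b-1.example.eu-west-3.amazonaws.com:9096 (MSK SCRAM port),
# admin principal "admin", app principal "app-user", topic my-topic, group my-group.
# Set DRY_RUN=1 to print the commands instead of running them.
set -eu

BOOTSTRAP="${BOOTSTRAP:-b-1.example.eu-west-3.amazonaws.com:9096}"
KAFKA_ACLS="${KAFKA_ACLS:-kafka/bin/kafka-acls.sh}"
CONFIG="${CONFIG:-$PWD/adminclient-configs.conf}"

# Client properties for a SCRAM user on MSK (SCRAM-SHA-512 over TLS). The admin principal
# used for --command-config must itself already hold Alter on the cluster, or the ACL
# changes are refused with the same ClusterAuthorizationException.
client_config() {   # $1 = username, $2 = password
  printf '%s\n' \
    "security.protocol=SASL_SSL" \
    "sasl.mechanism=SCRAM-SHA-512" \
    "sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username=\"$1\" password=\"$2\";"
}

# Write the properties with mode 0600: the password must not appear on a command line,
# where it would be visible in ps output and in shell history.
write_client_config() {   # $1 = path, $2 = username, $3 = password
  ( umask 077; client_config "$2" "$3" > "$1" )
}

# Build one kafka-acls.sh --add call and run it (or print it when DRY_RUN=1).
# $1 = principal, $2 = resource option (--topic, --group or --cluster),
# $3 = resource name ("" for --cluster, which takes none), $4.. = operations.
grant() {
  principal="$1"; res_opt="$2"; res_name="$3"; shift 3
  ops=""
  for op in "$@"; do ops="$ops --operation $op"; done
  cmd="$KAFKA_ACLS --bootstrap-server $BOOTSTRAP --command-config $CONFIG --add --allow-principal User:$principal$ops $res_opt"
  if [ -n "$res_name" ]; then cmd="$cmd $res_name"; fi
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$cmd"; else $cmd; fi
}

# The grants behind the UI's error, scoped to one topic and one group instead of a
# wildcard: Describe + DescribeConfigs on the cluster (DescribeCluster, DescribeConfigs),
# Describe/Read/Write/Create on the topic (consume, produce, create that one topic),
# Describe/Read on the group (join it, DescribeConsumerGroups).
grant_app_user() {   # $1 = principal, $2 = topic, $3 = consumer group
  grant "$1" --cluster ""   Describe DescribeConfigs
  grant "$1" --topic "$2"   Describe Read Write Create
  grant "$1" --group "$3"   Describe Read
}

# Stand-alone usage: ADMIN_PASSWORD='...' sh grant_scram_acls.sh app-user my-topic my-group
if [ $# -eq 3 ]; then
  write_client_config "$CONFIG" "${ADMIN_USER:-admin}" "${ADMIN_PASSWORD:?set ADMIN_PASSWORD}"
  grant_app_user "$1" "$2" "$3"
fi
```

After running it, `kafka-acls.sh --bootstrap-server ... --command-config adminclient-configs.conf --list` shows the resulting entries; a principal that only needs to consume can drop Write and Create from the topic line, and a producer-only principal needs no group line at all.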
