1 Answer
Hi,
I recommend first creating a "superuser" user that has access to all operations using --operation ALL instead of one at a time as described in the linked post.
Another workaround apart from using IAM is to leverage ZooKeeper to verify ACLs and to create a super user like so:
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=zkp:2181 --add --allow-principal "User:superuser" --operation ALL --topic '*' --cluster
answered 2 years ago
Thanks Benita, do you know if granting ALL actions (including then, the CLUSTER ACTIONS) has the effect of potentially "blocking brokers" as that linked question I mentioned seems to indicate? Or is that statement no longer true?

I agree that granting ALL operations works... as long as the ACLs don't change for that User... However, that was part of my question. I'm asking how one could recover a cluster if the zookeeper ACLs on the cluster locked out all SASL users (since "super users" can't be defined in MSK)?

1/ I don't see a reason why adding ACLs on cluster actions will cause brokers to be blocked.
2/ Using the zookeeper string to grant principals access will allow you to recover a cluster. Using zookeeper string does not require you to call the APIs as a SASL user. All you need is network access to the zookeeper endpoint.
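
An added example, not part of the original answer or comments: a check over the output of `kafka-acls.sh --list` that reports which principals can still change ACLs through the Kafka API, which is the lockout condition discussed in this thread. The sample output is constructed, and its layout is an assumption based on what recent Kafka releases print.

```python
import re

# Constructed sample in the layout recent kafka-acls.sh releases print for
# --list (assumed format; older releases use a different layout).
SAMPLE = """\
Current ACLs for resource `ResourcePattern(resourceType=CLUSTER, name=kafka-cluster, patternType=LITERAL)`:
 \t(principal=User:superuser, host=*, operation=ALL, permissionType=ALLOW)
 \t(principal=User:app1, host=*, operation=DESCRIBE, permissionType=ALLOW)
 \t(principal=User:ops, host=*, operation=ALTER, permissionType=ALLOW)
 \t(principal=User:ops, host=*, operation=ALTER, permissionType=DENY)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=*, patternType=LITERAL)`:
 \t(principal=User:app1, host=*, operation=ALL, permissionType=ALLOW)
"""

RESOURCE_RE = re.compile(r"resourceType=(\w+), name=([^,]+), patternType=(\w+)")
ENTRY_RE = re.compile(
    r"principal=([^,]+), host=([^,]+), operation=(\w+), permissionType=(\w+)")

def parse_acls(text):
    """Return (resource_type, principal, operation, permission) tuples."""
    entries, resource = [], None
    for line in text.splitlines():
        if line.startswith("Current ACLs for resource"):
            m = RESOURCE_RE.search(line)
            resource = m.group(1) if m else None
        elif resource and (m := ENTRY_RE.search(line)):
            principal, _host, op, perm = m.groups()
            entries.append((resource, principal, op.upper(), perm.upper()))
    return entries

def acl_admins(text):
    """Principals that can still change ACLs through the Kafka API.

    Changing ACLs needs ALTER (or ALL) on the CLUSTER resource, and a DENY
    entry overrides an ALLOW. Host restrictions are ignored here, so any
    DENY removes the principal (a conservative simplification).
    """
    allowed, denied = set(), set()
    for resource, principal, op, perm in parse_acls(text):
        if resource == "CLUSTER" and op in ("ALTER", "ALL"):
            (allowed if perm == "ALLOW" else denied).add(principal)
    return sorted(allowed - denied)

if __name__ == "__main__":
    admins = acl_admins(SAMPLE)
    print("Can manage ACLs:", ", ".join(admins) or "NONE (API lockout)")
```

An empty result means no SASL principal can repair the ACLs through the brokers, leaving the ZooKeeper connection described in the reply above as the recovery path.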