Lack of Super Users with MSK Cluster using SASL/SCRAM and ACLs


My question: If MSK doesn't allow you to specify Super Users, is there a fault-tolerant way to create ACLs to "mimic" a super user like the one specified in: https://repost.aws/questions/QUPLKdkgDPQ_uH8LaLhB8bew/how-to-create-a-super-user-on-msk

It seems fraught with accidental peril. If you start giving a SASL user access to cluster operations one at a time, you'll accidentally lock the cluster's ACLs entirely.

kafka-acls.sh --bootstrap-server [broker hosts] --command-config [client.properties with the SASL/SCRAM settings] --add --allow-principal "User:my_super_user" --cluster --operation Describe

Oops! You'll violate the allow.everyone.if.no.acl.found rule. An ACL for the cluster will be found; it'll just only have the one operation. And since the super.users configuration property isn't supported, you're hosed. No matter how many SASL/SCRAM users you make, you've lost any ability to set or change any more ACLs...

This happened to me because I wasn't sure whether, if I specified ALL for the operation, I would suddenly run into trouble with blocking brokers (as the answer to that linked question indicates).

Is the only solution, in this case, to enable IAM, create an IAM policy that allows you to "do anything", update the ACLs, deactivate IAM?

R.I.P super users property if using SASL/SCRAM

asked 2 years ago, 504 views
1 Answer

Hi,

I recommend first creating a "superuser" user that has access to all operations, using --operation ALL instead of one operation at a time, as described in the linked post.

Another workaround, apart from using IAM, is to leverage ZooKeeper to verify ACLs and to create a super user like so:

bin/kafka-acls.sh --authorizer-properties zookeeper.connect=zkp:2181 --add --allow-principal "User:superuser" --operation ALL --topic '*' --cluster

AWS
answered 2 years ago
  • Thanks Benita, do you know if granting ALL actions (including, then, the CLUSTER ACTIONS) has the effect of potentially "blocking brokers", as that linked question I mentioned seems to indicate? Or is that statement no longer true?

    I agree that granting ALL operations works... as long as the ACLs don't change for that user. However, that was part of my question. I'm asking how one could recover a cluster if the ZooKeeper ACLs on the cluster locked out all SASL users (since "super users" can't be defined in MSK).

  • 1/ I don't see a reason why adding ACLs on cluster actions will cause brokers to be blocked.

    2/ Using the zookeeper string to grant principals access will allow you to recover a cluster. Using the zookeeper string does not require you to call the APIs as a SASL user. All you need is network access to the zookeeper endpoint.
