We have a Kafka cluster and are in the process of locking down the specific nodes based on these standards: https://docs.hortonworks.com/HDPDocuments/HDP3/HDP-3.1.0/zookeeper-acls/content/zookeeper_acls_best_practices_kafka.html
Once we lock down the /broker/topics node with SASL:kafka:cdrwa, we are unable to use the kafka-topics.sh tool to create topics. We tried using these tools on the broker, which has the correct KafkaClient in the JAAS file, but it appears ZooKeeper treats the cmd tools as a separate client. We are experiencing the same thing when locking down /kafka-acls and using the kafka-acls.sh tool.
How can we pass our JAAS file to the command-line tools?
UPDATE: Here are the contents of the JAAS file (passwords removed). Both the tools and the broker exist on the same machine. The broker is not having any issue authenticating with ZooKeeper.
KafkaServer {
    org.apache.kafka.common.security.scram.ScramLoginModule required
    username="admin"
    password="---";
};
KafkaClient {
    org.apache.kafka.common.security.scram.ScramLoginModule required
    username="controlcenter"
    password="---";
};
Client {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    username="admin"
    password="---";
};
Does a simple environment setting not work?
$ export KAFKA_OPTS="-Djava.security.auth.login.config=<your_jaas.conf>"
$ kafka-topics --create ...
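A pre-flight check to run before exporting KAFKA_OPTS as suggested above, added here as an example and not part of the original question or answer. It confirms the JAAS file defines the `Client` login context (the one the ZooKeeper client reads by default) and is not readable by group or others, since it holds plaintext passwords. The function names and the sample file are assumptions made for illustration.

```shell
# Constructed sample JAAS file, same layout as the one in the question
# (placeholder passwords). Hypothetical helper, only used for trying this out.
make_sample_jaas() {
    cat > "$1" <<'EOF'
KafkaClient {
org.apache.kafka.common.security.scram.ScramLoginModule required
username="controlcenter"
password="placeholder";
};
Client {
org.apache.zookeeper.server.auth.DigestLoginModule required
username="admin"
password="placeholder";
};
EOF
}

# Print the login context names defined in a JAAS file, one per line.
jaas_sections() {
    sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*{[[:space:]]*$/\1/p' "$1"
}

# Succeed if the file defines the named login context.
jaas_has_section() {
    jaas_sections "$1" | grep -qx "$2"
}

# Succeed if group and others have no permission bits on the file.
jaas_is_private() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the KAFKA_OPTS value for the file, or fail with a reason on stderr.
kafka_opts_for() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    jaas_has_section "$1" Client || { echo "$1 has no Client section" >&2; return 1; }
    jaas_is_private "$1" || { echo "$1 is readable by group/others" >&2; return 1; }
    printf '%s' "-Djava.security.auth.login.config=$1"
}

# Usage: KAFKA_OPTS="$(kafka_opts_for <your_jaas.conf>)" && export KAFKA_OPTS
```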