Die Adressen DOCKER und LOCALHOST über ACLs abgesichert
authorKai Moritz <kai@juplo.de>
Sat, 14 Oct 2023 16:49:20 +0000 (18:49 +0200)
committerKai Moritz <kai@juplo.de>
Fri, 10 Nov 2023 13:31:28 +0000 (14:31 +0100)
* Freifahrtschein für die Kommunikation über die BROKER-Adresse
* Realisiert über das Hinzufügen des Principals `User:ANONYMOUS` zu den
  `super.users` des Clusters -- dies funktioniert, da nur die Aufrufe, die
  über die BROKER-Adresse abgewickelt werden diesem Benutzer zugeordnet
  werden, da nur diese Adresse im `PLAINTEXT`-Modus betrieben wird.
* Für alle anderen Adressen gilt ein abweichender, über die
  _erfolgreiche Autorisierung_ vorgegebener Principal.
* Wenn über diese Adressen _ohne erfolgreiche Autorisierung_ zugegriffen
  wird, werden die Zugriffe abgewehrt!

README.sh
docker/docker-compose.yml

index 6e72cf5..55a00c1 100755 (executable)
--- a/README.sh
+++ b/README.sh
@@ -33,10 +33,43 @@ else
 fi
 
 docker-compose -f docker/docker-compose.yml up --remove-orphans setup || exit 1
-docker-compose -f docker/docker-compose.yml up -d producer consumer-1 consumer-2
-docker-compose -f docker/docker-compose.yml up -d cruise-control
 
+kafkacat -L -b :9092
 kafkacat -L -b :9092 -Xsecurity.protocol=sasl_plaintext -Xsasl.mechanisms=PLAIN -Xsasl.username=client -Xsasl.password=client-secret
 
+# Nicht nötig, da `super.users=User:ANONYMOUS` gesetzt wurde
+# Ohne diesen Eintrag wären diverse ACLs nötig, bevor BROKER funktioniert!
+# docker-compose exec cli kafka-acls --authorizer-properties zookeeper.connect=zookeeper zookeeper:2181 --add --allow-principal User:ANONYMOUS --operation ALL --topic __CruiseControlMetrics --group=*
+
+# schema-registry
+docker-compose -f docker/docker-compose.yml exec cli kafka-acls \
+  --authorizer-properties zookeeper.connect=zookeeper \
+  --add \
+  --allow-principal User:schemaregistry \
+  --topic _schemas \
+  --consumer --group=schema-registry \
+  --producer
+docker-compose -f docker/docker-compose.yml exec cli kafka-acls \
+  --authorizer-properties zookeeper.connect=zookeeper \
+  --add \
+  --allow-principal User:schemaregistry \
+  --topic _schemas \
+  --operation=DescribeConfigs
+
+docker-compose -f docker/docker-compose.yml up -d schema-registry
+while [[ ! $(http :8085/subjects 2> /dev/null) ]]; do echo Waiting for schema-registry; sleep 1; done
 cat user-v1.schema|http POST http://localhost:8085/subjects/user/versions "Content-Type:application/vnd.schemaregistry.v1+json"
 http GET http://0:8085/subjects/user/versions/1/schema
+
+# kafka-connect
+docker-compose -f docker/docker-compose.yml exec cli kafka-acls \
+  --authorizer-properties zookeeper.connect=zookeeper \
+  --add \
+  --allow-principal User:connect \
+  --topic __connect \
+  --resource-pattern-type prefixed \
+  --consumer --group=kafka-connect \
+  --producer
+
+docker-compose -f docker/docker-compose.yml up -d connect
+while [[ ! $(http :8083/connectors 2> /dev/null) ]]; do echo Waiting for connect; sleep 1; done
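Review bot: The three `kafka-acls` invocations (two for `User:schemaregistry`, one for `User:connect`) have no failure handling, although the `setup` call at the top of the hunk guards with `|| exit 1`; if an ACL add fails, `schema-registry` and `connect` are still started and the two `while [[ ! $(http …) ]]` loops spin forever, because a service whose principal is denied never comes up. Append `  --producer || exit 1` and `  --operation=DescribeConfigs || exit 1` to the respective commands, and give both wait loops a bounded retry count so a denied principal surfaces as an error instead of a hang. The unauthenticated `kafkacat -L -b :9092` added in front of the SASL one presumably demonstrates that anonymous access is now refused; a one-line comment stating the expected outcome would make the script self-explaining. The `if … fi` closed at the top of the hunk begins outside it, and the script continues past the hunk.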
index e5082a8..c269dae 100644 (file)
@@ -22,7 +22,9 @@ services:
       KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 3
       KAFKA_AUTO_CREATE_TOPICS_ENABLE: "false"
       KAFKA_AUTHORIZER_CLASS_NAME: kafka.security.authorizer.AclAuthorizer
-      KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: "true"
+      KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: "false"
+      KAFKA_SUPER_USERS: User:ANONYMOUS
+      KAFKA_LOG4J_LOGGERS: kafka.authorizer.logger=INFO
       KAFKA_METRIC_REPORTERS: com.linkedin.kafka.cruisecontrol.metricsreporter.CruiseControlMetricsReporter
       KAFKA_CRUISE_CONTROL_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9091
       KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: PLAIN
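Review bot: `KAFKA_SUPER_USERS: User:ANONYMOUS` makes every unauthenticated connection a super user, and the only thing confining this to broker-internal traffic is the unstated invariant that BROKER is the sole listener without SASL; nothing in the service definition records that, so a later PLAINTEXT listener or an exposed BROKER port would silently hand out full cluster rights. Add a comment directly above the line, e.g. `# ANONYMOUS is a super user solely because BROKER is the single listener without authentication; do not add another PLAINTEXT listener`, and the same in the three identical hunks for the other brokers (`@@ -57,7 +59,9`, `@@ -97,7 +101,9` and `@@ -132,7 +138,9`). Since `KAFKA_LOG4J_LOGGERS: kafka.authorizer.logger=INFO` is what makes the new denials visible (as far as I recall the authorizer logs DENIED at INFO and ALLOWED only at DEBUG), a short comment noting that this logger is where to look when a client fails after this change would also help. The `environment:` mapping of the service starts and ends outside the hunk.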
@@ -57,7 +59,9 @@ services:
       KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 3
       KAFKA_AUTO_CREATE_TOPICS_ENABLE: "false"
       KAFKA_AUTHORIZER_CLASS_NAME: kafka.security.authorizer.AclAuthorizer
-      KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: "true"
+      KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: "false"
+      KAFKA_SUPER_USERS: User:ANONYMOUS
+      KAFKA_LOG4J_LOGGERS: kafka.authorizer.logger=INFO
       KAFKA_METRIC_REPORTERS: com.linkedin.kafka.cruisecontrol.metricsreporter.CruiseControlMetricsReporter
       KAFKA_CRUISE_CONTROL_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9091
       KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: PLAIN
@@ -97,7 +101,9 @@ services:
       KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 3
       KAFKA_AUTO_CREATE_TOPICS_ENABLE: "false"
       KAFKA_AUTHORIZER_CLASS_NAME: kafka.security.authorizer.AclAuthorizer
-      KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: "true"
+      KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: "false"
+      KAFKA_SUPER_USERS: User:ANONYMOUS
+      KAFKA_LOG4J_LOGGERS: kafka.authorizer.logger=INFO
       KAFKA_METRIC_REPORTERS: com.linkedin.kafka.cruisecontrol.metricsreporter.CruiseControlMetricsReporter
       KAFKA_CRUISE_CONTROL_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9091
       KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: PLAIN
@@ -132,7 +138,9 @@ services:
       KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 3
       KAFKA_AUTO_CREATE_TOPICS_ENABLE: "false"
       KAFKA_AUTHORIZER_CLASS_NAME: kafka.security.authorizer.AclAuthorizer
-      KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: "true"
+      KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: "false"
+      KAFKA_SUPER_USERS: User:ANONYMOUS
+      KAFKA_LOG4J_LOGGERS: kafka.authorizer.logger=INFO
       KAFKA_METRIC_REPORTERS: com.linkedin.kafka.cruisecontrol.metricsreporter.CruiseControlMetricsReporter
       KAFKA_CRUISE_CONTROL_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9091
       KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: PLAIN