
Our Confluent Kafka is installed on AWS EC2. We are using SASL/SSL security protocol and LDAP for user authentication.

The following exception occurs when trying to create a topic:

ERROR [KafkaApi-0] Error when handling request: clientId=2, correlationId=0, api=UPDATE_METADATA, body={controller_id=2,controller_epoch=1,broker_epoch=8589934650,topic_states=[],live_brokers=[{id=2,end_points=[{port=9092,host=dfdp-080060041.dfdp.com,listener_name=PLAINTEXT,security_protocol_type=0},{port=9093,host=dfdp-080060041.dfdp.com,listener_name=SASL_SSL,security_protocol_type=3}],rack=null},{id=1,end_points=[{port=9092,host=dfdp-080060025.dfdp.com,listener_name=PLAINTEXT,security_protocol_type=0},{port=9093,host=dfdp-080060025.dfdp.com,listener_name=SASL_SSL,security_protocol_type=3}],rack=null},{id=0,end_points=[{port=9092,host=dfdp-080060013.dfdp.com,listener_name=PLAINTEXT,security_protocol_type=0},{port=9093,host=dfdp-080060013.dfdp.com,listener_name=SASL_SSL,security_protocol_type=3}],rack=null}]} (kafka.server.KafkaApis)
org.apache.kafka.common.errors.ClusterAuthorizationException: Request Request(processor=3, connectionId=10.80.60.13:9093-10.80.60.41:53554-0, session=Session(User:$BEB000-DRJTO9PK3C7L,dfdp-080060041.dfdp.com/10.80.60.41), listenerName=ListenerName(SASL_SSL), securityProtocol=SASL_SSL, buffer=null) is not authorized
Aniket Saha
  • btw, "Confluent Kafka" is not a thing. All documentation says "Confluent Platform" – OneCricketeer Mar 10 '20 at 12:41
  • @aniket-saha Have you set up Kafka ACLs? https://docs.confluent.io/current/kafka/authorization.html What is the effective ACL for the user that "is not authorized"? – mazaneicha Mar 10 '20 at 14:20
  • @cricket-007 I guess existence of "confluent-kafka" tag in SO legalizes the use of the term :) – mazaneicha Mar 10 '20 at 14:24
  • @mazaneicha we are trying to create topic using root user.....yes, we have set up kafka ACLs....... # ACL properties authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer – Aniket Saha Mar 11 '20 at 10:29
  • Local root on some node has no special meaning to Kafka with SASL_SSL security. And your error says that broker attempts to authorize user `User:$BEB000-DRJTO9PK3C7L,dfdp-080060041.dfdp.com/10.80.60.41` (this is in user,hostname/hostIP format). So maybe you forgot to `kinit` if you're using Kerberos for SASL? – mazaneicha Mar 11 '20 at 12:55
  • @mazaneicha we are using keytab for user authorization. – Aniket Saha Mar 16 '20 at 06:19
  • @aniket-saha Keytab is used for **authentication** via Kerberos, not for **authorization**. As you confirmed, **authorization** in your case is done via Kafka ACLs, i.e. Kafka brokers apply ACL rules based on client identity. Your error shows that client identity is `$BEB000-DRJTO9PK3C7L` which looks like a local (windows?) machine account, not part of Kerberos realm. – mazaneicha Mar 16 '20 at 12:27

1 Answer


ClusterAuthorizationFailed may indicate that your client is configured to attempt an operation that it doesn't have permission to do from the server.

Namely, allow.auto.create.topics and enable.idempotence are both set to true by default, and the server can be configured to disallow those, leading you to an extremely misleading error message of ClusterAuthorizationFailed.

This page in the docs may help you find other settings that could lead to you getting that error:

https://kafka.apache.org/documentation/#operations_resources_and_protocols

ArtOfWarfare
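Added triage helper (not code from the question, the answer, or the Kafka project): it parses the two broker log lines quoted in the question, pulls out the denied principal, client host, listener and request API, and looks up the permission that API needs in the "Operations and Resources on Protocols" table the answer links to. The permission map is a hand-copied subset of that table, the bootstrap address is a placeholder, and the sample input is the question's own log with the request body abbreviated.

```python
import re

# Permission each request API needs, per the Kafka docs table the answer links to.
# Assumption: a hand-copied subset for the APIs relevant to this thread; verify
# each entry against the table for your Kafka version.
REQUIRED_ACL = {
    "UPDATE_METADATA": ("ClusterAction", "Cluster"),    # controller -> broker request
    "CREATE_TOPICS": ("Create", "Cluster"),             # Create on the Topic also suffices
    "METADATA": ("Create", "Cluster"),                  # auto-create case; plain lookups need Describe on Topic
    "INIT_PRODUCER_ID": ("IdempotentWrite", "Cluster"), # sent when enable.idempotence=true
}

API_RE = re.compile(r"\bapi=([A-Z_]+)")
SESSION_RE = re.compile(r"session=Session\((User:[^,]+),([^)]+)\)")
LISTENER_RE = re.compile(r"listenerName=ListenerName\((\w+)\)")

def triage(log_text: str) -> dict:
    """Extract who was denied, on which listener, for which API, and the ACL it needs."""
    api = API_RE.search(log_text)
    session = SESSION_RE.search(log_text)
    listener = LISTENER_RE.search(log_text)
    if not (api and session):
        raise ValueError("not a Kafka authorization-failure log excerpt")
    principal = session.group(1)
    operation, resource = REQUIRED_ACL.get(api.group(1), ("<see docs table>", "<see docs table>"))
    # Placeholder bootstrap address; --cluster narrows the listing to the Cluster resource.
    cmd = "kafka-acls --bootstrap-server <BROKER:9093> --list"
    if resource == "Cluster":
        cmd += " --cluster"
    return {
        "api": api.group(1),
        "principal": principal,
        "client": session.group(2),
        "listener": listener.group(1) if listener else None,
        "required": f"{operation} on {resource}",
        # Kerberos principals normally carry a realm (user@REALM) unless the broker's
        # principal.to.local rules stripped it, so a missing realm is a hint, not proof.
        "principal_has_realm": "@" in principal,
        "check_cmd": cmd,
    }

# Constructed sample: the two broker log lines quoted in the question, body abbreviated.
SAMPLE = (
    "ERROR [KafkaApi-0] Error when handling request: clientId=2, correlationId=0, "
    "api=UPDATE_METADATA, body={...} (kafka.server.KafkaApis)\n"
    "org.apache.kafka.common.errors.ClusterAuthorizationException: Request Request(processor=3, "
    "connectionId=10.80.60.13:9093-10.80.60.41:53554-0, "
    "session=Session(User:$BEB000-DRJTO9PK3C7L,dfdp-080060041.dfdp.com/10.80.60.41), "
    "listenerName=ListenerName(SASL_SSL), securityProtocol=SASL_SSL, buffer=null) is not authorized"
)

DIAGNOSIS = triage(SAMPLE)
```

For the question's log this reports that the inter-broker UPDATE_METADATA request needs ClusterAction on the Cluster resource and that the denied principal carries no Kerberos realm, which is the point mazaneicha raises in the comments.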