Admin ClusterAuthorizationException

Looking for suggestions regarding possible Cluster ACL issues. On our Confluent Cloud tenant, we have a service account with an associated API key that we are using with the Kafka tools. This service account has the following Cluster ACLs:

(principal=User:######, host=*, operation=DESCRIBE_CONFIGS, permissionType=ALLOW)
(principal=User:######, host=*, operation=ALTER_CONFIGS, permissionType=ALLOW)
(principal=User:######, host=*, operation=CLUSTER_ACTION, permissionType=ALLOW)
(principal=User:######, host=*, operation=ALTER, permissionType=ALLOW)
(principal=User:######, host=*, operation=DESCRIBE, permissionType=ALLOW)
(principal=User:######, host=*, operation=CREATE, permissionType=ALLOW)
(principal=User:######, host=*, operation=IDEMPOTENT_WRITE, permissionType=ALLOW) 

And has been granted the EnvironmentAdmin role for the environment and the CloudClusterAdmin role for the cluster. When using this key (or even my own key), the following command results in a ClusterAuthorizationException.

kafka-log-dirs.sh --bootstrap-server $BROKER --command-config /tmp/config.properties --describe --topic-list $TOPIC
Exception in thread "main" java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.ClusterAuthorizationException: Cluster authorization failed.
	at org.apache.kafka.common.internals.KafkaFutureImpl.wrapAndThrow(KafkaFutureImpl.java:45)
	at org.apache.kafka.common.internals.KafkaFutureImpl.access$000(KafkaFutureImpl.java:32)
	at org.apache.kafka.common.internals.KafkaFutureImpl$SingleWaiter.await(KafkaFutureImpl.java:89)
	at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:260)
	at kafka.admin.LogDirsCommand$.describe(LogDirsCommand.scala:50)
	at kafka.admin.LogDirsCommand$.main(LogDirsCommand.scala:36)
	at kafka.admin.LogDirsCommand.main(LogDirsCommand.scala)
Caused by: org.apache.kafka.common.errors.ClusterAuthorizationException: Cluster authorization failed.

Any thoughts as to what is missing to be able to use this portion of the Kafka Admin tools?

@cs-jackb just to confirm, the config works for alternative admin tools, like kafka-topics?

@cs-jackb If I understand correctly, and as you’ve observed, this command is not authorized to be executed against Confluent Cloud clusters. Some implementation details and cluster operations are not exposed with the service.

That’s correct, @rick

@rick - Do you happen to know if there’s a list of such operations that are not exposed?

Sorry @cs-jackb, I’ve done some searching and cannot locate such a list. There is a lot of exciting work coming around REST APIs, which I believe is going to be the preferred mode of operation for control plane operations against Confluent Cloud. I hope we will see some exciting public information on that in the near future.

Thanks for the response, @rick. It’s a shame these tools aren’t usable, but I look forward to learning more about these upcoming REST APIs.

I understand. If you consider a fully managed service, especially the multi-tenant versions of it, some operations just don’t make sense. If I understand correctly, the log dirs details would be nonsensical in a fully managed multi-tenant version of Kafka.