Admin ClusterAuthorizationException

cs-jackb · 11 May 2021 17:03

Looking for suggestions regarding possible Cluster ACL issues. On our Confluent Cloud tenant, we have a service account with an associated API key that we are using with the Kafka tools. This service account has the following Cluster ACLs:

(principal=User:######, host=*, operation=DESCRIBE_CONFIGS, permissionType=ALLOW)
(principal=User:######, host=*, operation=ALTER_CONFIGS, permissionType=ALLOW)
(principal=User:######, host=*, operation=CLUSTER_ACTION, permissionType=ALLOW)
(principal=User:######, host=*, operation=ALTER, permissionType=ALLOW)
(principal=User:######, host=*, operation=DESCRIBE, permissionType=ALLOW)
(principal=User:######, host=*, operation=CREATE, permissionType=ALLOW)
(principal=User:######, host=*, operation=IDEMPOTENT_WRITE, permissionType=ALLOW)

And has been granted the EnvironmentAdmin role for the environment and the CloudClusterAdmin role for the cluster. When using this key (or even my own key), the following command results in a ClusterAuthorizationException.

kafka-log-dirs.sh --bootstrap-server $BROKER --command-config /tmp/config.properties --describe --topic-list $TOPIC
Exception in thread "main" java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.ClusterAuthorizationException: Cluster authorization failed.
	at org.apache.kafka.common.internals.KafkaFutureImpl.wrapAndThrow(KafkaFutureImpl.java:45)
	at org.apache.kafka.common.internals.KafkaFutureImpl.access$000(KafkaFutureImpl.java:32)
	at org.apache.kafka.common.internals.KafkaFutureImpl$SingleWaiter.await(KafkaFutureImpl.java:89)
	at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:260)
	at kafka.admin.LogDirsCommand$.describe(LogDirsCommand.scala:50)
	at kafka.admin.LogDirsCommand$.main(LogDirsCommand.scala:36)
	at kafka.admin.LogDirsCommand.main(LogDirsCommand.scala)
Caused by: org.apache.kafka.common.errors.ClusterAuthorizationException: Cluster authorization failed.

Any thoughts as to what is missing to be able to use this portion of the Kafka Admin tools?

rick · 11 May 2021 18:16

@cs-jackb just to confirm, the config works for alternative admin tools, like kafka-topics ?

rick · 11 May 2021 18:36

@cs-jackb If I undestand correctly, and as you’ve observed, this command is not authorized to be executed against Confluent Cloud clusters. Some implementation details and cluster operations are not exposed with the service.

cs-jackb · 11 May 2021 18:41

That’s correct, @rick

cs-jackb · 11 May 2021 18:41

@rick - Do you happen to know if there’s a list of such operations that are not exposed?

rick · 11 May 2021 18:48

Sorry @cs-jackb, i’ve done some searching and cannot locate such a list. There is a lot of exciting work coming around REST APIs, which I believe is going to be the preferred mode of operation for control plane operations against Confluent Cloud. I hope we will see some exciting public information on that in the near future.

cs-jackb · 11 May 2021 18:50

Thanks for the response, @rick. It’s a shame these tools aren’t usable, but I look forward to learning more about these upcoming REST APIs.

rick · 11 May 2021 18:51

I understand. If you consider a fully managed service, especially the multi-tenant versions of it, some operations just don’t make sense. If I understand correctly, the log dirs details would be nonsensical in a fully managed multi-tenant version of Kafka.

Topic		Replies	Views
RBAC - ClusterAuthorizationException Ops	5	3961	19 May 2021
GroupAuthorizationException while all ACLs are done Kafka Streams	1	2822	13 September 2023
Programatically creating Kafka API Keys Confluent Cloud	7	3061	6 April 2022
Error Starting Control Center using Confluent Cloud Confluent Cloud	0	2129	9 June 2023
Error in the docs for service account connector acl's? Kafka Connect	1	3679	5 February 2022

Admin ClusterAuthorizationException

Related topics