AuthorizerNotReadyException in Kafka ACL when using KRaft with multiple controllers

Hi,

I am trying to configure ACLs in Kafka in KRaft mode with multiple controllers and brokers, but I am getting org.apache.kafka.common.errors.AuthorizerNotReadyException.

Below is the full error:

kafka-controller-1-1  | org.apache.kafka.common.errors.AuthorizerNotReadyException
kafka-controller-0-1  | [2025-01-22 13:42:40,114] ERROR [RaftManager id=4000] Unexpected error UNKNOWN_SERVER_ERROR in VOTE response: InboundResponse(correlationId=95, data=VoteResponseData(errorCode=-1, topics=[], nodeEndpoints=[]), source=kafka-controller-1:5090 (id: 5000 rack: null)) (org.apache.kafka.raft.KafkaRaftClient)
kafka-controller-0-1  | [2025-01-22 13:42:40,133] ERROR [ControllerApis nodeId=4000] Unexpected error handling request RequestHeader(apiKey=VOTE, apiVersion=1, clientId=raft-client-5000, correlationId=108, headerVersion=2) -- VoteRequestData(clusterId='5L6g3nShT-eMCtK--X86sw', voterId=4000, topics=[TopicData(topicName='__cluster_metadata', partitions=[PartitionData(partitionIndex=0, candidateEpoch=3, candidateId=5000, candidateDirectoryId=5gPetN-9GnVTYp4tYQZkiw, voterDirectoryId=AAAAAAAAAAAAAAAAAAAAAA, lastOffsetEpoch=0, lastOffset=0)])]) with context RequestContext(header=RequestHeader(apiKey=VOTE, apiVersion=1, clientId=raft-client-5000, correlationId=108, headerVersion=2), connectionId='172.27.0.3:4090-172.27.0.2:41004-0', clientAddress=/172.27.0.2, principal=User:ANONYMOUS, listenerName=ListenerName(CONTROLLER), securityProtocol=PLAINTEXT, clientInformation=ClientInformation(softwareName=apache-kafka-java, softwareVersion=3.9.0), fromPrivilegedListener=true, principalSerde=Optional[org.apache.kafka.common.security.authenticator.DefaultKafkaPrincipalBuilder@37fa3218]) (kafka.server.ControllerApis)

Below is my full docker config:

# NOTE(review): '1' is not one of the legacy 2.x/3.x Compose file format
# versions. Docker Compose v2 treats the top-level `version` key as obsolete
# and ignores it, so this line can probably be dropped. Confirm with the
# Compose release in use.
version: '1'

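# Environment shared by both KRaft controller services; merged into each one
# through the kafka_controller-env anchor.
# Booleans and integers are quoted so Compose passes them as literal strings
# rather than YAML booleans/ints.
x-kafka_controller: &kafka_controller-env
  KAFKA_PROCESS_ROLES: controller
  KAFKA_CONTROLLER_QUORUM_VOTERS: '4000@kafka-controller-0:4090,5000@kafka-controller-1:5090'
  # NOTE(review): CONTROLLER is mapped to PLAINTEXT, so quorum peers are not
  # authenticated and arrive as User:ANONYMOUS (the VOTE request context in
  # the controller log shows principal=User:ANONYMOUS,
  # securityProtocol=PLAINTEXT). With the authorizer enabled below and only
  # User:admin listed as a super user, that principal is not a super user,
  # which is the likely reason the VOTE requests fail with
  # AuthorizerNotReadyException. Prefer authenticating this listener as a
  # super-user principal over adding User:ANONYMOUS to KAFKA_SUPER_USERS.
  KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: 'CONTROLLER:PLAINTEXT'
  # NOTE(review): a controller-only node carries no inter-broker traffic, so
  # this key is probably unnecessary here; confirm for the image in use.
  KAFKA_INTER_BROKER_LISTENER_NAME: CONTROLLER
  KAFKA_CONTROLLER_LISTENER_NAMES: CONTROLLER
  KAFKA_AUTO_CREATE_TOPICS_ENABLE: 'false'
  KAFKA_AUTO_LEADER_REBALANCE_ENABLE: 'true'
  KAFKA_UNCLEAN_LEADER_ELECTION_ENABLE: 'false'
  KAFKA_REPLICATION_QUOTA_WINDOW_NUM: '11'
  KAFKA_REPLICATION_QUOTA_WINDOW_SIZE_SECONDS: '1'

  # ACL Config
  # Deny-by-default: with no matching ACL, only the super users are allowed.
  KAFKA_AUTHORIZER_CLASS_NAME: org.apache.kafka.metadata.authorizer.StandardAuthorizer
  KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: 'false'
  KAFKA_SUPER_USERS: 'User:admin'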

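# Environment shared by both broker services; merged into each one through the
# kafka_broker-env anchor.
# Booleans and integers are quoted so Compose passes them as literal strings
# rather than YAML booleans/ints.
x-kafka_broker: &kafka_broker-env
  KAFKA_PROCESS_ROLES: broker
  KAFKA_CONTROLLER_QUORUM_VOTERS: '4000@kafka-controller-0:4090,5000@kafka-controller-1:5090'
  # NOTE(review): only BROKER is authenticated and encrypted (SASL_SSL).
  # CONTROLLER and INTERNAL are PLAINTEXT, so connections on them carry no
  # identity (User:ANONYMOUS) while the authorizer below is deny-by-default
  # with User:admin as the only super user.
  KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: 'BROKER:SASL_SSL,CONTROLLER:PLAINTEXT,INTERNAL:PLAINTEXT'
  # NOTE(review): the services advertise BROKER as localhost:<port>; if
  # inter-broker traffic uses that advertised address, another container
  # cannot reach it. INTERNAL, advertised by service name, looks like the
  # intended inter-broker listener; confirm.
  KAFKA_INTER_BROKER_LISTENER_NAME: BROKER
  KAFKA_CONTROLLER_LISTENER_NAMES: CONTROLLER
  KAFKA_AUTO_CREATE_TOPICS_ENABLE: 'false'
  KAFKA_AUTO_LEADER_REBALANCE_ENABLE: 'true'
  KAFKA_UNCLEAN_LEADER_ELECTION_ENABLE: 'false'
  KAFKA_REPLICATION_QUOTA_WINDOW_NUM: '11'
  KAFKA_REPLICATION_QUOTA_WINDOW_SIZE_SECONDS: '1'

  # SASL Config
  KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL: PLAIN
  # NOTE(review): presumably has no effect while CONTROLLER is PLAINTEXT.
  KAFKA_SASL_MECHANISM_CONTROLLER_PROTOCOL: PLAIN
  KAFKA_SASL_ENABLED_MECHANISMS: PLAIN
  # In the PLAIN login module, username/password are the credentials this node
  # presents on its own outbound connections and each user_<name>="<password>"
  # entry is an account the listener accepts.
  # NOTE(review): there is no user_admin entry, so the admin identity used for
  # inter-broker connections is not an accepted login on this listener.
  # Credentials are hard-coded in the Compose file; supply them from an env
  # file or a secret store kept out of version control.
  KAFKA_LISTENER_NAME_BROKER_PLAIN_SASL_JAAS_CONFIG: 'org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin" user_user01="test";'

  # SSL Config
  # The password values below are placeholders; keep real ones out of the
  # Compose file.
  KAFKA_SSL_KEYSTORE_LOCATION: /var/private/ssl/keystore/KafkaBrokerKeystore.jks
  KAFKA_SSL_KEYSTORE_PASSWORD: yourSSLKeyStorePassword
  KAFKA_SSL_KEY_PASSWORD: yourSSLKeyPassword
  KAFKA_SSL_TRUSTSTORE_LOCATION: /var/private/ssl/truststore/KafkaBrokerTruststore.jks
  KAFKA_SSL_TRUSTSTORE_PASSWORD: yourSSLTrustorePassword
  KAFKA_SSL_CLIENT_AUTH: required

  # ACL Config
  # Deny-by-default: with no matching ACL, only the super users are allowed.
  KAFKA_AUTHORIZER_CLASS_NAME: org.apache.kafka.metadata.authorizer.StandardAuthorizer
  KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: 'false'
  KAFKA_SUPER_USERS: 'User:admin'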

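# Two controller-only nodes and two broker-only nodes. Port mappings and node
# ids are quoted so they are always read as strings.
services:
  kafka-controller-0:
    image: ${KAFKA_IMAGE}
    # NOTE(review): this publishes the controller quorum port on the host, and
    # the shared controller environment maps that listener to PLAINTEXT
    # (unauthenticated). The other containers reach it by service name on the
    # Compose network, so consider dropping the mapping or binding it to
    # 127.0.0.1. The same applies to kafka-controller-1.
    ports:
      - '4090:4090'
    environment:
      <<: *kafka_controller-env
      KAFKA_NODE_ID: '4000'
      KAFKA_LISTENERS: 'CONTROLLER://:4090'

  kafka-controller-1:
    image: ${KAFKA_IMAGE}
    ports:
      - '5090:5090'
    environment:
      <<: *kafka_controller-env
      KAFKA_NODE_ID: '5000'
      KAFKA_LISTENERS: 'CONTROLLER://:5090'

  kafka-broker-0:
    image: ${KAFKA_IMAGE}
    # Only the BROKER listener port is published; INTERNAL (1092) stays on the
    # Compose network.
    ports:
      - '1090:1090'
    # Key material is bind-mounted from the project directory; a read-only
    # mount is enough if the broker only reads these files.
    volumes:
      - ./KafkaBrokerKeystore.jks:/var/private/ssl/keystore/KafkaBrokerKeystore.jks
      - ./KafkaBrokerTruststore.jks:/var/private/ssl/truststore/KafkaBrokerTruststore.jks
    environment:
      <<: *kafka_broker-env
      KAFKA_NODE_ID: '1000'
      KAFKA_LISTENERS: 'BROKER://:1090,INTERNAL://:1092'
      # BROKER is advertised as localhost, which resolves only for clients on
      # the Docker host; INTERNAL is advertised by service name.
      KAFKA_ADVERTISED_LISTENERS: 'BROKER://localhost:1090,INTERNAL://kafka-broker-0:1092'

  kafka-broker-1:
    image: ${KAFKA_IMAGE}
    ports:
      - '2090:2090'
    volumes:
      - ./KafkaBrokerKeystore.jks:/var/private/ssl/keystore/KafkaBrokerKeystore.jks
      - ./KafkaBrokerTruststore.jks:/var/private/ssl/truststore/KafkaBrokerTruststore.jks
    environment:
      <<: *kafka_broker-env
      KAFKA_NODE_ID: '2000'
      KAFKA_LISTENERS: 'BROKER://:2090,INTERNAL://:2092'
      KAFKA_ADVERTISED_LISTENERS: 'BROKER://localhost:2090,INTERNAL://kafka-broker-1:2092'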

And my brokers fail with the errors below:

java.lang.NullPointerException: Cannot invoke "java.nio.channels.ServerSocketChannel.close()" because the return value of "kafka.network.Acceptor.serverChannel()" is null

[2025-01-22 13:51:19,091] ERROR [RaftManager id=2000] Unexpected error UNKNOWN_SERVER_ERROR in FETCH response: InboundResponse(correlationId=5998, data=FetchResponseData(throttleTimeMs=0, errorCode=-1, sessionId=0, responses=[], nodeEndpoints=[]), source=kafka-controller-1:5090 (id: 5000 rack: null)) (org.apache.kafka.raft.KafkaRaftClient)

Am I missing anything, or is there something wrong with my Docker config?

Hi, I made the changes below, and they resolved the AuthorizerNotReadyException, but I am still getting the errors below on the brokers.

The brokers fail with the errors below:

java.lang.NullPointerException: Cannot invoke "java.nio.channels.ServerSocketChannel.close()" because the return value of "kafka.network.Acceptor.serverChannel()" is null
 
[2025-01-22 13:51:19,091] ERROR [RaftManager id=2000] Unexpected error UNKNOWN_SERVER_ERROR in FETCH response: InboundResponse(correlationId=5998, data=FetchResponseData(throttleTimeMs=0, errorCode=-1, sessionId=0, responses=[], nodeEndpoints=[]), source=kafka-controller-1:5090 (id: 5000 rack: null)) (org.apache.kafka.raft.KafkaRaftClient)

The Docker config that resolved the AuthorizerNotReadyException is below:

# NOTE(review): '1' is not one of the legacy 2.x/3.x Compose file format
# versions. Docker Compose v2 treats the top-level `version` key as obsolete
# and ignores it, so this line can probably be dropped. Confirm with the
# Compose release in use.
version: '1'

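# Environment shared by both KRaft controller services; merged into each one
# through the kafka_controller-env anchor.
# Booleans and integers are quoted so Compose passes them as literal strings
# rather than YAML booleans/ints.
x-kafka_controller: &kafka_controller-env
  KAFKA_PROCESS_ROLES: controller
  KAFKA_CONTROLLER_QUORUM_VOTERS: '4000@kafka-controller-0:4090,5000@kafka-controller-1:5090'
  # CONTROLLER now requires SASL, so quorum peers authenticate as the account
  # in the JAAS entry below (admin), which is also the configured super user.
  # NOTE(review): SASL_PLAINTEXT is not encrypted, and the PLAIN mechanism
  # sends the password as-is, so anyone who can observe this traffic can read
  # the credentials. Use SASL_SSL outside a throwaway test setup.
  # NOTE(review): INTERNAL is mapped here and named as the inter-broker
  # listener, but the controller services only bind CONTROLLER in
  # KAFKA_LISTENERS; these INTERNAL entries are probably unnecessary on a
  # controller-only node. Confirm.
  KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: 'CONTROLLER:SASL_PLAINTEXT,INTERNAL:SASL_PLAINTEXT'
  KAFKA_INTER_BROKER_LISTENER_NAME: INTERNAL
  KAFKA_CONTROLLER_LISTENER_NAMES: CONTROLLER
  KAFKA_AUTO_CREATE_TOPICS_ENABLE: 'false'
  KAFKA_AUTO_LEADER_REBALANCE_ENABLE: 'true'
  KAFKA_UNCLEAN_LEADER_ELECTION_ENABLE: 'false'
  KAFKA_REPLICATION_QUOTA_WINDOW_NUM: '11'
  KAFKA_REPLICATION_QUOTA_WINDOW_SIZE_SECONDS: '1'

  # ACL Config
  # Deny-by-default: with no matching ACL, only the super users are allowed.
  KAFKA_AUTHORIZER_CLASS_NAME: org.apache.kafka.metadata.authorizer.StandardAuthorizer
  KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: 'false'
  KAFKA_SUPER_USERS: 'User:admin'

  # SASL Config
  KAFKA_SASL_MECHANISM_CONTROLLER_PROTOCOL: PLAIN
  KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL: PLAIN
  KAFKA_SASL_ENABLED_MECHANISMS: PLAIN
  # In the PLAIN login module, username/password are the credentials this node
  # presents on its own outbound connections and each user_<name>="<password>"
  # entry is an account the listener accepts.
  # NOTE(review): the super-user password is hard-coded and trivially
  # guessable; supply it from an env file or a secret store kept out of
  # version control.
  KAFKA_LISTENER_NAME_CONTROLLER_PLAIN_SASL_JAAS_CONFIG: 'org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin" user_admin="admin";'
  # NOTE(review): security.protocol looks like a client-side setting rather
  # than a controller/broker one; verify that it is needed here.
  KAFKA_SECURITY_PROTOCOL: 'SASL_PLAINTEXT'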

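# Environment shared by both broker services; merged into each one through the
# kafka_broker-env anchor.
# Booleans and integers are quoted so Compose passes them as literal strings
# rather than YAML booleans/ints.
x-kafka_broker: &kafka_broker-env
  KAFKA_PROCESS_ROLES: broker
  KAFKA_CONTROLLER_QUORUM_VOTERS: '4000@kafka-controller-0:4090,5000@kafka-controller-1:5090'
  # NOTE(review): every listener is SASL_PLAINTEXT, including BROKER, whose
  # port the services publish on the host. Traffic is not encrypted, and the
  # PLAIN mechanism sends the password as-is. Use SASL_SSL for any listener
  # reachable from outside a throwaway test setup.
  KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: 'BROKER:SASL_PLAINTEXT,CONTROLLER:SASL_PLAINTEXT,INTERNAL:SASL_PLAINTEXT'
  KAFKA_INTER_BROKER_LISTENER_NAME: INTERNAL
  KAFKA_CONTROLLER_LISTENER_NAMES: CONTROLLER
  KAFKA_AUTO_CREATE_TOPICS_ENABLE: 'false'
  KAFKA_AUTO_LEADER_REBALANCE_ENABLE: 'true'
  KAFKA_UNCLEAN_LEADER_ELECTION_ENABLE: 'false'
  KAFKA_REPLICATION_QUOTA_WINDOW_NUM: '11'
  KAFKA_REPLICATION_QUOTA_WINDOW_SIZE_SECONDS: '1'

  # SASL Config
  KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL: PLAIN
  KAFKA_SASL_MECHANISM_CONTROLLER_PROTOCOL: PLAIN
  KAFKA_SASL_ENABLED_MECHANISMS: PLAIN
  # In the PLAIN login module, username/password are the credentials this node
  # presents on its own outbound connections and each user_<name>="<password>"
  # entry is an account the listener accepts.
  # NOTE(review): a JAAS entry exists only for the BROKER listener, while
  # INTERNAL (inter-broker) and CONTROLLER (broker to controller) are also
  # SASL_PLAINTEXT. The brokers may have no credentials for those two
  # connections; entries following the same naming pattern
  # (KAFKA_LISTENER_NAME_INTERNAL_... / KAFKA_LISTENER_NAME_CONTROLLER_...)
  # are presumably required. Confirm against the broker startup log.
  # NOTE(review): the super-user password is hard-coded and trivially
  # guessable; supply it from an env file or a secret store kept out of
  # version control.
  KAFKA_LISTENER_NAME_BROKER_PLAIN_SASL_JAAS_CONFIG: 'org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin" user_admin="admin";'
  # NOTE(review): security.protocol looks like a client-side setting rather
  # than a broker one; verify that it is needed here.
  KAFKA_SECURITY_PROTOCOL: 'SASL_PLAINTEXT'

  # SSL Config
  # NOTE(review): no listener in KAFKA_LISTENER_SECURITY_PROTOCOL_MAP above
  # uses SSL or SASL_SSL, so these keystore/truststore settings appear to be
  # unused in this revision.
  KAFKA_SSL_KEYSTORE_LOCATION: /var/private/ssl/keystore/KafkaBrokerKeystore.jks
  KAFKA_SSL_KEYSTORE_PASSWORD: testpass
  KAFKA_SSL_KEY_PASSWORD: testpass
  KAFKA_SSL_TRUSTSTORE_LOCATION: /var/private/ssl/truststore/KafkaBrokerTruststore.jks
  KAFKA_SSL_TRUSTSTORE_PASSWORD: testpass
  KAFKA_SSL_CLIENT_AUTH: required

  # ACL Config
  # Deny-by-default: with no matching ACL, only the super users are allowed.
  KAFKA_AUTHORIZER_CLASS_NAME: org.apache.kafka.metadata.authorizer.StandardAuthorizer
  KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: 'false'
  KAFKA_SUPER_USERS: 'User:admin'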

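# Two controller-only nodes and two broker-only nodes. Port mappings and node
# ids are quoted so they are always read as strings.
services:
  kafka-controller-0:
    image: ${KAFKA_IMAGE}
    # NOTE(review): 4090 is the controller quorum port. The other containers
    # reach it by service name on the Compose network, so publishing it on the
    # host is probably unnecessary. Nothing in KAFKA_LISTENERS binds 4091, so
    # that mapping exposes a port with no listener behind it. The same pattern
    # repeats on the other three services (5091, 1091, 2091).
    ports:
      - '4090:4090'
      - '4091:4091'
    environment:
      <<: *kafka_controller-env
      KAFKA_NODE_ID: '4000'
      KAFKA_LISTENERS: 'CONTROLLER://:4090'

  kafka-controller-1:
    image: ${KAFKA_IMAGE}
    ports:
      - '5090:5090'
      - '5091:5091'
    environment:
      <<: *kafka_controller-env
      KAFKA_NODE_ID: '5000'
      KAFKA_LISTENERS: 'CONTROLLER://:5090'

  kafka-broker-0:
    image: ${KAFKA_IMAGE}
    # The BROKER listener port is published; INTERNAL (1092) stays on the
    # Compose network.
    ports:
      - '1090:1090'
      - '1091:1091'
    # Key material is bind-mounted from the project directory; a read-only
    # mount is enough if the broker only reads these files.
    volumes:
      - ./KafkaBrokerKeystore.jks:/var/private/ssl/keystore/KafkaBrokerKeystore.jks
      - ./KafkaBrokerTruststore.jks:/var/private/ssl/truststore/KafkaBrokerTruststore.jks
    environment:
      <<: *kafka_broker-env
      KAFKA_NODE_ID: '1000'
      KAFKA_LISTENERS: 'BROKER://:1090,INTERNAL://:1092'
      # BROKER is advertised as localhost, which resolves only for clients on
      # the Docker host; INTERNAL is advertised by service name.
      KAFKA_ADVERTISED_LISTENERS: 'BROKER://localhost:1090,INTERNAL://kafka-broker-0:1092'

  kafka-broker-1:
    image: ${KAFKA_IMAGE}
    ports:
      - '2090:2090'
      - '2091:2091'
    volumes:
      - ./KafkaBrokerKeystore.jks:/var/private/ssl/keystore/KafkaBrokerKeystore.jks
      - ./KafkaBrokerTruststore.jks:/var/private/ssl/truststore/KafkaBrokerTruststore.jks
    environment:
      <<: *kafka_broker-env
      KAFKA_NODE_ID: '2000'
      KAFKA_LISTENERS: 'BROKER://:2090,INTERNAL://:2092'
      KAFKA_ADVERTISED_LISTENERS: 'BROKER://localhost:2090,INTERNAL://kafka-broker-1:2092'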

Is my approach to resolving the AuthorizerNotReadyException correct, or can something else be done? Also, does anyone have any idea about the errors I am getting on the brokers?