Error in the docs for service account connector ACLs?

Hi Community,

Happy New Year to all.

I’m wondering if anybody can reproduce an issue I’m having while configuring the ACLs for a self-managed Debezium source connector that should connect to Confluent Cloud. The directions I’ve followed come from the official Confluent docs.

As written, the docs require some thoughtful interpretation, at least around the additional ACLs needed by MySQL/MSSQL. Here’s how I interpreted the unclear bits:

  1. For the name of the history topic, I took it that this should really mean the name defined in the connector’s JSON config via the “database.history.kafka.topic” property. As written, the docs appear to (erroneously?) suggest that the name of the history topic should be created in a defined pattern. Can anyone confirm if my interpretation is correct?

  2. For the consumer group name, I interpreted this to be the value defined by the CONNECT_GROUP_ID environment variable, rather than the patterned value that was shown in the docs. For my troubleshooting setup, the group id is set to edip-troubleshooting-connect-cluster-group.

Are the interpretations above correct?

However, even after making these changes, something is still off. The connector still dies on startup with a Group Authorization Exception:

[2022-01-05 18:36:47,945] INFO [Worker clientId=connect-1, groupId==edip-troubleshooting-connect-cluster-group] FindCoordinator request hit fatal exception (org.apache.kafka.connect.runtime.distributed.WorkerCoordinator:261)
org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to access group: =edip-troubleshooting-connect-cluster-group
[2022-01-05 18:36:47,998] ERROR [Worker clientId=connect-1, groupId==edip-troubleshooting-connect-cluster-group] Uncaught exception in herder work thread, exiting:  (org.apache.kafka.connect.runtime.distributed.DistributedHerder:334)
org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to access group: =edip-troubleshooting-connect-cluster-group
[2022-01-05 18:36:47,999] INFO Kafka Connect stopping (org.apache.kafka.connect.runtime.Connect:67)

Note that I have pre-created the topics in ccloud, including the connector’s storage topics.

I’ve confirmed that the API key and secret match the service account:
confluent kafka acl list --service-account sa-yadda
and also that the connector’s CONNECT_SASL_JAAS_CONFIG, CONNECT_CONSUMER_SASL_JAAS_CONFIG, CONNECT_PRODUCER_SASL_JAAS_CONFIG, CONNECT_DATABASE_HISTORY_CONSUMER_SASL_JAAS_CONFIG, CONNECT_DATABASE_HISTORY_PRODUCER_SASL_JAAS_CONFIG variables are all set using the correct key and secret for the service account.

I’ve also confirmed that the indicated READ/WRITE/DESCRIBE permissions were created as expected for the group:
confluent kafka acl list --consumer-group edip-troubleshooting-connect-cluster-group

Can anyone spot where the issue lies and/or suggest a path forward? I’m deeply stuck at this point.

Cheers,

_Tim
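
An added example, not part of the original post: a check that pulls the group name Kafka reports in `GroupAuthorizationException` lines and compares it character-for-character with the group name the ACLs were created for. The log lines are copied from the post above; the function names are hypothetical.

```python
import re

# Two log lines copied from the post above.
SAMPLE_LOG = """\
[2022-01-05 18:36:47,945] INFO [Worker clientId=connect-1, groupId==edip-troubleshooting-connect-cluster-group] FindCoordinator request hit fatal exception (org.apache.kafka.connect.runtime.distributed.WorkerCoordinator:261)
org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to access group: =edip-troubleshooting-connect-cluster-group
"""

DENIED_RE = re.compile(
    r"GroupAuthorizationException: Not authorized to access group: (.*)$")


def denied_groups(log_text):
    """Return the distinct group names the broker refused, exactly as logged."""
    seen = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def acl_covers(group, acl_name, pattern_type="LITERAL"):
    """Kafka ACL resource matching: LITERAL (with '*' wildcard) or PREFIXED."""
    if pattern_type == "PREFIXED":
        return group.startswith(acl_name)
    return acl_name == "*" or group == acl_name


def explain_mismatch(group, acl_name):
    """Describe how the denied group differs from the ACL resource name."""
    if group == acl_name:
        return "identical"
    if group.strip() == acl_name:
        return "surrounding whitespace"
    if acl_name in group:
        i = group.index(acl_name)
        return (f"extra characters: prefix={group[:i]!r} "
                f"suffix={group[i + len(acl_name):]!r}")
    return "different name"


def check(log_text, acl_name, pattern_type="LITERAL"):
    """List (denied group, covered by ACL?, difference) for each denial."""
    return [(g, acl_covers(g, acl_name, pattern_type),
             explain_mismatch(g, acl_name)) for g in denied_groups(log_text)]


if __name__ == "__main__":
    for row in check(SAMPLE_LOG, "edip-troubleshooting-connect-cluster-group"):
        print(row)
```

On the quoted log lines, the denied group is `=edip-troubleshooting-connect-cluster-group`, which differs from the name passed to `confluent kafka acl list --consumer-group` by a leading `=`, so neither a LITERAL nor a PREFIXED ACL on the name without the `=` covers it.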