Kafka Users are created with ACL entries and during performing operations allowed by ACL we see Denied Operation #10102
-
Please share the full logs and custom resources and properly explain the steps you are doing as I do not think they are really clear.
-
Hi @scholzj
Current ACLs for resource
Tue May 14 15:05:53 UTC 2024
Current ACLs for resource
Tue May 14 15:05:58 UTC 2024
Current ACLs for resource
Tue May 14 15:06:02 UTC 2024
Current ACLs for resource
Tue May 14 15:06:06 UTC 2024
Current ACLs for resource
Tue May 14 15:06:11 UTC 2024
Current ACLs for resource
Tue May 14 15:06:15 UTC 2024
Current ACLs for resource
Tue May 14 15:06:20 UTC 2024
Current ACLs for resource
Tue May 14 15:06:24 UTC 2024
Current ACLs for resource
Tue May 14 15:06:29 UTC 2024
Current ACLs for resource
Tue May 14 15:06:33 UTC 2024
Current ACLs for resource
Tue May 14 15:06:38 UTC 2024
-
Well, that we might not be able to help you.
You have to provide logs or a proper reproducer. The reproducer should include exact steps for reproducing it including the exact custom resources and configs you are using. You should also not run any commands from the Kafka broker pods -> you should set up your own pods and use proper authentication for them. The port 9091 is only for the internal communication of the Kafka cluster and you likely hacked around the configuration to connect to it.
-
Hi @scholzj, I tried to check whether I can provide a reproducer for the scenario I have explained, but I am not able to provide one since there are a few customizations done in the Strimzi operator, specific to our customer needs.
Is it possible to check this?
Regards
-
But this works completely fine -> it creates the ACLs as configured in the KafkaUser resource and keeps them configured. This is also part of our system tests executed for every release. To create a reproducer, you do not have to share anything private or custom. That would be actually detrimental for a reproducer. Just start a new fresh Minikube or Kind cluster and install the latest Strimzi version (because nobody is going to fix any issues in Strimzi 0.36 anymore). And then use the Kafka and KafkaUser resources with only the configuration needed to reproduce the problem and provide the resources and the exact steps you used. This is actually important for the reproducer, because it helps you check that the issue is in Strimzi and not in your secret configuration and the private customizations you are using.
-
Hi @scholzj, I tried to set up Strimzi 0.36.1 in my environment using Minikube and was not able to reproduce the error condition. The ACLs are present in the Kafka cluster. I will check in our custom deployment to see the reason for the deletion.
-
We are using version 0.36.1 of Strimzi and version 3.5.1 of Kafka.
We have created 2 KafkaUsers from the Strimzi operator for 2 different clusters with ACL entries. We have observed that the ACL entries in the Kafka cluster will not be present for approximately 4 minutes and the ACL entries will be available after that. The clients which are using the KafkaUser to perform operations are not able to perform operations until the ACL is available in the Kafka cluster.
We see the messages below in the Kafka logs; the user and cluster details in the messages are not included since they are proprietary:
Processing notification(s) to /config/change
Processing override for entityPath
Removing PRODUCE quota for user
Removing FETCH quota for user
Removing REQUEST quota for user
Removing CONTROLLER_MUTATION quota for user
Processing notification(s) to /kafka-acl-changes
Processing Acl change notification for
Processing notification(s) to /config/changes
Processing notification(s) to /kafka-acl-changes
Processing Acl change notification for ResourcePattern(resourceType=GROU
The same behavior is observed even if we create a single KafkaUser.
We tried to check by creating an ACL in the Kafka cluster, and we see that the ACL is getting removed in the Kafka cluster.
Even if we try to add an ACL manually from the Kafka cluster, the same behavior is seen. After some time the ACL is getting deleted. I have raised a bug in ASF: https://issues.apache.org/jira/browse/KAFKA-16693. I haven't received any response to it. Is anyone facing a similar issue?
kafka-acls --add --allow-host '' --allow-principal User:'CN=jana-2' --operation Describe --resource-pattern-type LITERAL --topic my-new-topic --bootstrap-server eric-data-message-bus-kf-9-kafka-bootstrap:9091 -command-config /tmp/kafka_ssl_config.properties
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
Adding ACLs for resource
ResourcePattern(resourceType=TOPIC, name=my-new-topic, patternType=LITERAL)
:(principal=User:CN=jana-2, host=, operation=DESCRIBE, permissionType=ALLOW)
Current ACLs for resource
ResourcePattern(resourceType=TOPIC, name=my-new-topic, patternType=LITERAL)
:(principal=User:CN=jana-2, host=*, operation=DESCRIBE, permissionType=ALLOW)
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
Current ACLs for resource
ResourcePattern(resourceType=TOPIC, name=my-new-topic, patternType=LITERAL)
:(principal=User:CN=jana-2, host=*, operation=DESCRIBE, permissionType=ALLOW)
Mon May 13 14:24:53 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
Current ACLs for resource
ResourcePattern(resourceType=TOPIC, name=my-new-topic, patternType=LITERAL)
:(principal=User:CN=jana-2, host=*, operation=DESCRIBE, permissionType=ALLOW)
Mon May 13 14:24:58 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
Current ACLs for resource
ResourcePattern(resourceType=TOPIC, name=my-new-topic, patternType=LITERAL)
:(principal=User:CN=jana-2, host=*, operation=DESCRIBE, permissionType=ALLOW)
Mon May 13 14:25:02 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
Current ACLs for resource
ResourcePattern(resourceType=TOPIC, name=my-new-topic, patternType=LITERAL)
:(principal=User:CN=jana-2, host=*, operation=DESCRIBE, permissionType=ALLOW)
Mon May 13 14:25:06 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
Current ACLs for resource
ResourcePattern(resourceType=TOPIC, name=my-new-topic, patternType=LITERAL)
:(principal=User:CN=jana-2, host=*, operation=DESCRIBE, permissionType=ALLOW)
Mon May 13 14:25:10 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
Current ACLs for resource
ResourcePattern(resourceType=TOPIC, name=my-new-topic, patternType=LITERAL)
:(principal=User:CN=jana-2, host=*, operation=DESCRIBE, permissionType=ALLOW)
Mon May 13 14:25:15 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
Current ACLs for resource
ResourcePattern(resourceType=TOPIC, name=my-new-topic, patternType=LITERAL)
:(principal=User:CN=jana-2, host=*, operation=DESCRIBE, permissionType=ALLOW)
Mon May 13 14:25:19 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
Current ACLs for resource
ResourcePattern(resourceType=TOPIC, name=my-new-topic, patternType=LITERAL)
:(principal=User:CN=jana-2, host=*, operation=DESCRIBE, permissionType=ALLOW)
Mon May 13 14:25:24 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
Current ACLs for resource
ResourcePattern(resourceType=TOPIC, name=my-new-topic, patternType=LITERAL)
:(principal=User:CN=jana-2, host=*, operation=DESCRIBE, permissionType=ALLOW)
Mon May 13 14:25:28 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
Current ACLs for resource
ResourcePattern(resourceType=TOPIC, name=my-new-topic, patternType=LITERAL)
:(principal=User:CN=jana-2, host=*, operation=DESCRIBE, permissionType=ALLOW)
Mon May 13 14:25:32 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
Current ACLs for resource
ResourcePattern(resourceType=TOPIC, name=my-new-topic, patternType=LITERAL)
:(principal=User:CN=jana-2, host=*, operation=DESCRIBE, permissionType=ALLOW)
Mon May 13 14:25:36 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
Current ACLs for resource
ResourcePattern(resourceType=TOPIC, name=my-new-topic, patternType=LITERAL)
:(principal=User:CN=jana-2, host=*, operation=DESCRIBE, permissionType=ALLOW)
Mon May 13 14:25:40 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
Current ACLs for resource
ResourcePattern(resourceType=TOPIC, name=my-new-topic, patternType=LITERAL)
:(principal=User:CN=jana-2, host=*, operation=DESCRIBE, permissionType=ALLOW)
Mon May 13 14:25:45 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
Current ACLs for resource
ResourcePattern(resourceType=TOPIC, name=my-new-topic, patternType=LITERAL)
:(principal=User:CN=jana-2, host=*, operation=DESCRIBE, permissionType=ALLOW)
Mon May 13 14:25:49 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
Current ACLs for resource
ResourcePattern(resourceType=TOPIC, name=my-new-topic, patternType=LITERAL)
:(principal=User:CN=jana-2, host=*, operation=DESCRIBE, permissionType=ALLOW)
Mon May 13 14:25:53 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
Current ACLs for resource
ResourcePattern(resourceType=TOPIC, name=my-new-topic, patternType=LITERAL)
:(principal=User:CN=jana-2, host=*, operation=DESCRIBE, permissionType=ALLOW)
Mon May 13 14:25:58 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
Current ACLs for resource
ResourcePattern(resourceType=TOPIC, name=my-new-topic, patternType=LITERAL)
:(principal=User:CN=jana-2, host=*, operation=DESCRIBE, permissionType=ALLOW)
Mon May 13 14:26:02 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
Current ACLs for resource
ResourcePattern(resourceType=TOPIC, name=my-new-topic, patternType=LITERAL)
:(principal=User:CN=jana-2, host=*, operation=DESCRIBE, permissionType=ALLOW)
Mon May 13 14:26:06 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
Current ACLs for resource
ResourcePattern(resourceType=TOPIC, name=my-new-topic, patternType=LITERAL)
:(principal=User:CN=jana-2, host=*, operation=DESCRIBE, permissionType=ALLOW)
Mon May 13 14:26:10 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
Current ACLs for resource
ResourcePattern(resourceType=TOPIC, name=my-new-topic, patternType=LITERAL)
:(principal=User:CN=jana-2, host=*, operation=DESCRIBE, permissionType=ALLOW)
Mon May 13 14:26:15 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
Current ACLs for resource
ResourcePattern(resourceType=TOPIC, name=my-new-topic, patternType=LITERAL)
:(principal=User:CN=jana-2, host=*, operation=DESCRIBE, permissionType=ALLOW)
Mon May 13 14:26:19 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
Current ACLs for resource
ResourcePattern(resourceType=TOPIC, name=my-new-topic, patternType=LITERAL)
:(principal=User:CN=jana-2, host=*, operation=DESCRIBE, permissionType=ALLOW)
Mon May 13 14:26:23 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
Current ACLs for resource
ResourcePattern(resourceType=TOPIC, name=my-new-topic, patternType=LITERAL)
:(principal=User:CN=jana-2, host=*, operation=DESCRIBE, permissionType=ALLOW)
Mon May 13 14:26:28 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
Current ACLs for resource
ResourcePattern(resourceType=TOPIC, name=my-new-topic, patternType=LITERAL)
:(principal=User:CN=jana-2, host=*, operation=DESCRIBE, permissionType=ALLOW)
Mon May 13 14:26:32 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
Current ACLs for resource
ResourcePattern(resourceType=TOPIC, name=my-new-topic, patternType=LITERAL)
:(principal=User:CN=jana-2, host=*, operation=DESCRIBE, permissionType=ALLOW)
Mon May 13 14:26:36 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
Mon May 13 14:26:40 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
Mon May 13 14:26:45 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
^CMon May 13 14:26:48 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
Mon May 13 14:26:52 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found for '2cdf8d8a' at 'null' in 'null'
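To pin down when an ACL entry vanishes from polling output like the listing above, the following added example (not part of the original post) parses each poll and reports every change of state for one entry. The sample input is constructed in the shape of that output, and the function names are illustrative.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the polling output in the post:
# ACL lines (if any) come first, then the timestamp that closes the poll.
SAMPLE = """\
Current ACLs for resource
ResourcePattern(resourceType=TOPIC, name=my-new-topic, patternType=LITERAL)
:(principal=User:CN=jana-2, host=*, operation=DESCRIBE, permissionType=ALLOW)
Mon May 13 14:26:32 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found
Current ACLs for resource
ResourcePattern(resourceType=TOPIC, name=my-new-topic, patternType=LITERAL)
:(principal=User:CN=jana-2, host=*, operation=DESCRIBE, permissionType=ALLOW)
Mon May 13 14:26:36 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found
^CMon May 13 14:26:40 UTC 2024
ERROR StatusLogger Reconfiguration failed: No configuration found
Mon May 13 14:26:45 UTC 2024
"""

ENTRY = re.compile(r"principal=(?P<principal>[^,]+), host=(?P<host>[^,]*), "
                   r"operation=(?P<op>\w+), permissionType=(?P<perm>\w+)")
STAMP = re.compile(r"[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d UTC \d{4}")

def parse_polls(text):
    """Return [(timestamp, set of ACL entries)], one item per poll."""
    polls, entries = [], set()
    for line in text.splitlines():
        if (m := ENTRY.search(line)):
            entries.add(m.group("principal", "host", "op", "perm"))
        elif (t := STAMP.search(line)):
            when = datetime.strptime(t.group(0), "%a %b %d %H:%M:%S UTC %Y")
            polls.append((when, entries))
            entries = set()  # the next poll starts with nothing seen
    return polls

def transitions(polls, entry):
    """Return [(timestamp, 'present' | 'absent')] for each change of state."""
    changes, last = [], None
    for when, entries in polls:
        state = "present" if entry in entries else "absent"
        if state != last:
            changes.append((when, state))
            last = state
    return changes

if __name__ == "__main__":
    acl = ("User:CN=jana-2", "*", "DESCRIBE", "ALLOW")
    for when, state in transitions(parse_polls(SAMPLE), acl):
        print(when.isoformat(), state)
```

The timestamp of the first `absent` transition is the window to search in the broker and operator logs for the corresponding `/kafka-acl-changes` notification.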