Open vitali-kr opened 3 years ago
Hello! I also did some testing with this scenario, both with SAS keys and an OAuth identity (service principal). I am only noticing this behavior with OAuth. If an identity does not have namespace access (i.e. just Azure Event Hubs Data Receiver on a specific topic), the consumer will time out or disconnect from the broker with the following commands:
partitionsFor(topic)
listTopics()
According to the Kafka API docs, these functions should return the topics / partitions for which an identity is authorized. If the user is not authorized to view the specific topic in partitionsFor, it should return an unauthorized exception, not a timeout / disconnect.
We are aware of the issue. A fix is being rolled out globally this week and next week. Let me know if you still hit that after then.
Description
When using OAuth-based authentication with the Receiver role granted at the Event Hub (topic) level and then fetching METADATA without specifying any topics, the connection is forcefully closed.
This happens when using apache kafka-clients for Java and calling KafkaConsumer.partitionsFor(topic). The Kafka client fetches broker information first and then requests partition info for the specific topic. If the account is not granted Receiver access at the Event Hub Namespace level, then the broker closes the connection after the first request.
This issue propagates down to an inability to use Spring Cloud Stream with the default Kafka binder.
How to reproduce
Set up a service principal and grant the Receiver role to a specific topic.
Use apache's kafka-clients (tested with 2.6.0 and 2.8.0) with OAuth bearer token authentication outlined at https://github.com/Azure/azure-event-hubs-for-kafka/tree/master/tutorials/oauth/java/appsecret
Change consumer code to
Has it worked previously?
No
Checklist
IMPORTANT: We will close issues where the checklist has not been completed or where adequate information has not been provided.
Please provide the relevant information for the following items:
org.apache.kafka:kafka-clients2.6.0
tutorials/oauth/java/appsecret
2.6.0
same as in tutorials/oauth/java/appsecret/consumer
(do not include your connection string or SAS Key) krogerCustomer-dev.servicebus.windows.net/kcp_picking_communication
Consumer
2021-06-29 05:36:30.897 UTC
client.id=consumer-anonymous.45adc0de-4669-43e1-961d-4f58b5cf6638-1
<REPLACE with e.g., Willing/able to send scenario to repro issue>
any
If this is a question on basic functionality, please verify the following:
$ ping namespace.servicebus.windows.net
returns ~ns-eh2-prod-am3-516.cloudapp.net [13.69.64.0]
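A small diagnostic for the behaviour discussed in this issue, as an added example that is not code from the issue or from the Azure repository: it calls partitionsFor with a bounded timeout and reports whether the broker answered with an authorization error or the request timed out. The class name, the Outcome enum and the command-line arguments are assumptions; the properties file is assumed to be the OAuth consumer configuration from the linked tutorial.

```java
import java.io.FileReader;
import java.time.Duration;
import java.util.List;
import java.util.Properties;
import org.apache.kafka.clients.consumer.KafkaConsumer;
import org.apache.kafka.common.PartitionInfo;
import org.apache.kafka.common.errors.AuthenticationException;
import org.apache.kafka.common.errors.AuthorizationException;
import org.apache.kafka.common.errors.TimeoutException;
import org.apache.kafka.common.errors.TopicAuthorizationException;

// Hypothetical diagnostic (not from the issue): classifies how a metadata request ends.
public class MetadataAuthProbe {
    enum Outcome { AUTHORIZED, UNKNOWN_TOPIC, TOPIC_DENIED, OTHER_DENIED, AUTHN_FAILED, TIMEOUT }

    static Outcome probe(Properties props, String topic, Duration limit) {
        try (KafkaConsumer<String, String> consumer = new KafkaConsumer<>(props)) {
            // Bounded wait: a connection the broker keeps closing surfaces as a TimeoutException.
            List<PartitionInfo> parts = consumer.partitionsFor(topic, limit);
            if (parts == null || parts.isEmpty()) return Outcome.UNKNOWN_TOPIC;
            parts.forEach(p -> System.out.println("partition " + p.partition() + " leader " + p.leader()));
            return Outcome.AUTHORIZED;
        } catch (TopicAuthorizationException e) {
            // An explicit "not authorized" answer for the requested topic.
            System.err.println("not authorized for topics: " + e.unauthorizedTopics());
            return Outcome.TOPIC_DENIED;
        } catch (AuthorizationException e) {
            System.err.println("authorization failed: " + e.getMessage());
            return Outcome.OTHER_DENIED;
        } catch (AuthenticationException e) {
            System.err.println("authentication failed: " + e.getMessage());
            return Outcome.AUTHN_FAILED;
        } catch (TimeoutException e) {
            // The symptom reported here: no error response arrives within the limit.
            System.err.println("metadata request timed out: " + e.getMessage());
            return Outcome.TIMEOUT;
        }
    }

    public static void main(String[] args) throws Exception {
        // args[0]: consumer properties file (assumed: the tutorial's OAuth consumer config)
        // args[1]: topic (Event Hub) name
        Properties props = new Properties();
        try (FileReader in = new FileReader(args[0])) { props.load(in); }
        props.put("key.deserializer", "org.apache.kafka.common.serialization.StringDeserializer");
        props.put("value.deserializer", "org.apache.kafka.common.serialization.StringDeserializer");
        Outcome result = probe(props, args[1], Duration.ofSeconds(30));
        System.out.println(args[1] + ": " + result);
        System.exit(result == Outcome.AUTHORIZED ? 0 : 1);
    }
}
```

Running it once with a principal scoped to the topic and once with a principal scoped to the namespace shows whether the two role assignments produce different outcomes for the same call.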