Closed dariocazas closed 3 years ago
Hi @dariocazas. Thanks a lot for raising the issue. It's indeed due to the fact that now the list topics command tries to list the configs as well on each topic. And if the user does have the privileges to list the topics but doesn't have the privileges to describe the configs, it fails the whole request.
I will make a PR tonight or tomorrow to fix the issue :+1:
@dariocazas Is it possible for you to give the user you are using the right to describe the configs and see if it works, just to confirm the issue?
@dariocazas the issue is fixed in 0.26.1. You may download this release and try again :+1:
@wlezzar thx for your quick reply and patch.
Well, on 0.26.1, when using a user with privileges over certain topics (not for all topics) to run zoe topics lists, the log shows:
2020-10-10 23:18:17 WARN zoe: unexpected error on config describe request
java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.TopicAuthorizationException: Topic authorization failed.
But it gets an OK result (same topic list as version 0.24.0).
On the other hand, if I try to describe a topic, it gets a TopicAuthorizationException and shows the info without config:
> zoe -e dev topics describe test
[...]
2020-10-10 23:14:05 WARN zoe: unexpected error on config describe request
java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.TopicAuthorizationException: Topic authorization failed.
[...]
{"topic":"testTopic","internal":false,"partitions":[0,1],"config":{}}
The user used has DESCRIBE allowed.
> kafka-acls.sh --bootstrap-server $BROKERS --command-config $COMMAND_CONFIG --list --principal User:test_user
[...]
ACLs for principal `User:ofda_training_dev`
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=testTopic, patternType=LITERAL)`:
(principal=User:test_user, host=*, operation=READ, permissionType=ALLOW)
(principal=User:test_user, host=*, operation=DESCRIBE, permissionType=ALLOW)
(principal=User:test_user, host=*, operation=WRITE, permissionType=ALLOW)
[...]
Reviewing the describe operation using kafka-topics.sh gets an auth error too:
> kafka-topics.sh --bootstrap-server $BROKERS --command-config $COMMAND_CONFIG --describe --topic testTopic
[...]
[2020-10-10 23:43:40,231] ERROR org.apache.kafka.common.errors.ClusterAuthorizationException: Request Request(processor=0, connectionId=XXX, session=Session(User:test_user,XXX), listenerName=ListenerName(SASL_SSL), securityProtocol=SASL_SSL, buffer=null) is not authorized.
In conclusion:
Good job. Thank you
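A simplified model of the authorization behaviour discussed in this thread, as an added example that is not part of the original issue and is not zoe's code: it shows why a principal holding only DESCRIBE on a topic can list it but is denied its configs, and how a strict listing differs from one that warns and falls back to an empty config. The topic `otherTopic`, the config values and all function names are constructed for illustration.

```python
# Simplified model of Kafka topic authorization (constructed data, not zoe's code).
# Kafka treats DESCRIBE as implied by READ/WRITE/DELETE/ALTER, and DESCRIBE_CONFIGS
# as implied by ALTER_CONFIGS. DESCRIBE does not imply DESCRIBE_CONFIGS.
IMPLIED_BY = {
    "DESCRIBE": {"DESCRIBE", "READ", "WRITE", "DELETE", "ALTER"},
    "DESCRIBE_CONFIGS": {"DESCRIBE_CONFIGS", "ALTER_CONFIGS"},
}

class TopicAuthorizationException(Exception):
    pass

# ACLs as listed in the thread for User:test_user; "otherTopic" is constructed and has no ACLs.
ACLS = {("User:test_user", "testTopic"): {"READ", "DESCRIBE", "WRITE"}}
CLUSTER = {"testTopic": {"retention.ms": "604800000"},
           "otherTopic": {"retention.ms": "86400000"}}

def allowed(principal, topic, operation):
    granted = ACLS.get((principal, topic), set())
    return bool(granted & IMPLIED_BY[operation])

def visible_topics(principal):
    # A topic listing only returns topics the principal may DESCRIBE.
    return [t for t in CLUSTER if allowed(principal, t, "DESCRIBE")]

def describe_configs(principal, topic):
    if not allowed(principal, topic, "DESCRIBE_CONFIGS"):
        raise TopicAuthorizationException("Topic authorization failed.")
    return dict(CLUSTER[topic])

def list_topics_strict(principal):
    # Failure mode described in the thread: one denied config lookup fails the whole listing.
    return [{"topic": t, "config": describe_configs(principal, t)}
            for t in visible_topics(principal)]

def list_topics_tolerant(principal):
    # Behaviour reported on 0.26.1: log a warning and return an empty config.
    topics, warnings = [], []
    for t in visible_topics(principal):
        try:
            config = describe_configs(principal, t)
        except TopicAuthorizationException as exc:
            warnings.append(f"WARN unexpected error on config describe request: {t}: {exc}")
            config = {}
        topics.append({"topic": t, "config": config})
    return topics, warnings
```

In this model, adding DESCRIBE_CONFIGS for the principal on `testTopic` makes both listing functions return the topic's config without a warning.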
Some basic operations available in zoe 0.24.0 get an auth error in versions 0.25.0 and 0.26.0, like:
Using the following scripts:
With those results:
sasl.jaas.config
) with only privileges about READ and DESCRIBE on several topics:
The error shown is:
About config against kafka server: