search

bitnami / charts

Bitnami Helm Charts
https://bitnami.com
Other
8.94k stars 9.18k forks source link

[bitnami/schema-registry] ERROR Unexpected exception in schema registry group processing thread: kafka.common.errors.GroupAuthorizationException: Not authorized to access group: schema-registry #29909

Open chethan8592 opened 2 days ago

chethan8592 commented 2 days ago

Name and Version

bitnami/schema-registry: 7.7.1-debian-12-r0

What architecture are you using?

None

What steps will reproduce the bug?

below is my HELM chart configuration:

global:
  imageRegistry: ""
  imagePullSecrets: []
  defaultStorageClass: ""
  compatibility:
    openshift:
      adaptSecurityContext: auto
kubeVersion: ""
nameOverride: ""
fullnameOverride: ""
namespaceOverride: ""
commonLabels: {}
commonAnnotations: {}
clusterDomain: cluster.local
extraDeploy: []
diagnosticMode:
  enabled: false
  command:
    - sleep
  args:
    - infinity
image:
  registry: docker.io
  repository: bitnami/schema-registry
  tag: 7.7.1-debian-12-r0
  digest: ""
  pullPolicy: IfNotPresent
  pullSecrets: []
  debug: false
command: []
args: []
automountServiceAccountToken: false
hostAliases: []
podLabels: {}
configuration: 
existingConfigmap: ""
log4j: 
  rootLogger: "DEBUG, stdout"
  loggers:
    io.confluent.kafka.schemaregistry: DEBUG
existingLog4jConfigMap: ""
auth:
  tls:
    enabled: false
    jksSecret: ""  # Secret containing your JKS files
    keystorePassword: ""
    truststorePassword: ""
    clientAuthentication: "NONE"
  kafka:
    jksSecret: "schema-registry-kafka-secret"  # Use the same secret for Kafka connection
    tlsEndpointIdentificationAlgorithm: ""
    keystorePassword: "password"
    truststorePassword: "password"
    saslMechanism: ""

listeners: http://0.0.0.0:8081
avroCompatibilityLevel: backward
extraEnvVars: []
extraEnvVarsCM: ""
extraEnvVarsSecret: ""
replicaCount: 1
updateStrategy:
  type: RollingUpdate
nodeAffinityPreset:
  type: ""
  key: ""
  values: []
affinity: {}
nodeSelector: {}
tolerations: []
podManagementPolicy: OrderedReady
podAnnotations: {}
podAffinityPreset: ""
podAntiAffinityPreset: soft
priorityClassName: ""
topologySpreadConstraints: {}
schedulerName: ""
terminationGracePeriodSeconds: ""
lifecycleHooks: {}
podSecurityContext:
  enabled: true
  fsGroupChangePolicy: Always
  supplementalGroups: []
  fsGroup: 1001
  sysctls: []
containerSecurityContext:
  enabled: true
  seLinuxOptions: {}
  runAsUser: 1001
  runAsGroup: 1001
  runAsNonRoot: true
  privileged: false
  readOnlyRootFilesystem: false
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
  seccompProfile:
    type: "RuntimeDefault"
resourcesPreset: "small"
resources: {}
livenessProbe:
  enabled: true
  initialDelaySeconds: 10
  timeoutSeconds: 1
  periodSeconds: 20
  failureThreshold: 6
  successThreshold: 1
readinessProbe:
  enabled: true
  initialDelaySeconds: 10
  timeoutSeconds: 1
  periodSeconds: 20
  failureThreshold: 6
  successThreshold: 1
startupProbe:
  enabled: false
  initialDelaySeconds: 10
  timeoutSeconds: 1
  periodSeconds: 5
  failureThreshold: 20
  successThreshold: 1
customLivenessProbe: {}
customReadinessProbe: {}
customStartupProbe: {}
extraVolumes: []
extraVolumeMounts: []
initContainers: []     

sidecars: []
pdb:
  create: true
  minAvailable: ""
  maxUnavailable: ""
autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 11
  targetCPU: ""
  targetMemory: ""
  customPodMetrics: []
service:
  type: ClusterIP
  ports:
    http: 8081
  nodePorts:
    http: ""
  clusterIP: ""
  externalTrafficPolicy: Cluster
  loadBalancerIP: ""
  loadBalancerSourceRanges: []
  annotations: {}
  labels: {}
  extraPorts: []
  sessionAffinity: None
  sessionAffinityConfig: {}
  headless:
    annotations: {}
networkPolicy:
  enabled: true
  allowExternal: true
  allowExternalEgress: true
  extraIngress: []
  extraEgress: []
  ingressNSMatchLabels: {}
  ingressNSPodMatchLabels: {}
ingress:
  enabled: false
  pathType: ImplementationSpecific
  apiVersion: ""
  hostname: schema-registry.local
  ingressClassName: ""
  path: /
  annotations: {}
  tls: false
  selfSigned: false
  extraHosts: []
  extraPaths: []
  extraTls: []
  secrets: []
  extraRules: []
serviceAccount:
  create: true
  name: ""
  annotations: {}
  automountServiceAccountToken: false
kafka:
  enabled: false
  controller:
    replicaCount: 1
  listeners:
    client:
      protocol: "PLAINTEXT"
  service:
    ports:
      client: 9092
  extraConfig: |-
    offsets.topic.replication.factor=1
  sasl:
    client:
      users:
        - user
      passwords: ""
externalKafka:
  brokers:
    - SSL://{environment}-connect.client.com:443
  listener:
    protocol: SSL
  sasl:
    user: ""
    password: ""
    existingSecret: ""
And below is my secret that has to connect with Kafka broker:
apiVersion: v1
data:
  schema-registry-0.keystore.jks: "***"
  schema-registry.truststore.jks: "***"
kind: Secret
metadata:
  creationTimestamp: "2024-10-14T11:26:09Z"
  name: schema-registry-kafka-secret
  namespace: strimzi-demo
  resourceVersion: "345"
  uid: a19fc4ca-9691-4038-8c5f-***
type: Opaque

Are you using any custom parameters or values?

Values.yaml

What is the expected behavior?

No response

What do you see instead?

Schema Registry is not starting and failing with below error:

[2024-10-16 06:27:31,733] INFO Validating schemas topic _schemas (io.confluent.kafka.schemaregistry.storage.KafkaStore:249)
[2024-10-16 06:27:32,154] INFO Kafka store reader thread starting consumer (io.confluent.kafka.schemaregistry.storage.KafkaStoreReaderThread:135)
[2024-10-16 06:27:32,556] INFO Seeking to beginning for all partitions (io.confluent.kafka.schemaregistry.storage.KafkaStoreReaderThread:181)
[2024-10-16 06:27:32,557] INFO Initialized last consumed offset to -1 (io.confluent.kafka.schemaregistry.storage.KafkaStoreReaderThread:185)
[2024-10-16 06:27:32,557] INFO [kafka-store-reader-thread-_schemas]: Starting (io.confluent.kafka.schemaregistry.storage.KafkaStoreReaderThread:127)
[2024-10-16 06:27:33,231] INFO Wait to catch up until the offset at 441 (io.confluent.kafka.schemaregistry.storage.KafkaStore:317)
[2024-10-16 06:27:33,429] INFO Reached offset at 441 (io.confluent.kafka.schemaregistry.storage.KafkaStore:319)
[2024-10-16 06:27:33,430] INFO Joining schema registry with Kafka-based coordination (io.confluent.kafka.schemaregistry.storage.KafkaSchemaRegistry:432)
[2024-10-16 06:27:33,732] INFO [Schema registry clientId=sr-1, groupId=schema-registry] FindCoordinator request hit fatal exception (io.confluent.kafka.schemaregistry.leaderelector.kafka.SchemaRegistryCoordinator:305)
org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to access group: schema-registry
[2024-10-16 06:27:33,734] ERROR Unexpected exception in schema registry group processing thread (io.confluent.kafka.schemaregistry.leaderelector.kafka.KafkaGroupLeaderElector:212)
org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to access group: schema-registry
[2024-10-16 06:28:33,547] ERROR Error starting the schema registry (io.confluent.kafka.schemaregistry.rest.SchemaRegistryRestApplication:81)
io.confluent.kafka.schemaregistry.exceptions.SchemaRegistryInitializationException: io.confluent.kafka.schemaregistry.exceptions.SchemaRegistryTimeoutException: Timed out waiting for join group to complete
        at io.confluent.kafka.schemaregistry.storage.KafkaSchemaRegistry.electLeader(KafkaSchemaRegistry.java:440)
        at io.confluent.kafka.schemaregistry.storage.KafkaSchemaRegistry.init(KafkaSchemaRegistry.java:420)
        at io.confluent.kafka.schemaregistry.rest.SchemaRegistryRestApplication.initSchemaRegistry(SchemaRegistryRestApplication.java:79)
        at io.confluent.kafka.schemaregistry.rest.SchemaRegistryRestApplication.configureBaseApplication(SchemaRegistryRestApplication.java:105)
        at io.confluent.rest.Application.configureHandler(Application.java:324)
        at io.confluent.rest.ApplicationServer.doStart(ApplicationServer.java:228)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
        at io.confluent.kafka.schemaregistry.rest.SchemaRegistryMain.main(SchemaRegistryMain.java:44)
Caused by: io.confluent.kafka.schemaregistry.exceptions.SchemaRegistryTimeoutException: Timed out waiting for join group to complete
        at io.confluent.kafka.schemaregistry.leaderelector.kafka.KafkaGroupLeaderElector.init(KafkaGroupLeaderElector.java:219)
        at io.confluent.kafka.schemaregistry.storage.KafkaSchemaRegistry.electLeader(KafkaSchemaRegistry.java:435)
        ... 7 more

Additional information

No response

javsalgar commented 2 days ago

Hi!

Do you have a sample secret that triggers the issue? I see that the one you provided is redacted and it's difficult for us to reproduce the issue

chethan8592 commented 2 days ago

Dont have a sample secret.

chethan8592 commented 2 days ago

And wanted to know how the Schema registry clientId=sr-1, groupId=schema-registry are being configured?

javsalgar commented 1 day ago

We're trying to reproduce but we cannot, if you please find a sample secret we will be able to further get to the issue.