confluentinc / confluent-kubernetes-examples

Example scenario workflows for Confluent for Kubernetes
Apache License 2.0

kafka rest API request failed: Unauthorized (0) #64

Open rajeshbala01 opened 3 years ago

rajeshbala01 commented 3 years ago

I followed all the steps provided for the example "production-secure-deploy", but restproxy is not starting up and I am getting an Unauthorized error:

```
4m15s   Warning   FailedToDiscover   kafkarestclass/default   waiting for at-least one kafka pod availability
5s      Warning   FailedToDiscover   kafkarestclass/default   kafka cluster [kafka] in not in running state
2m43s   Warning   Warning            kafkarestclass/default   https://kafka.confluent.svc.cluster.local:8090/kafka/v3 dial tcp 10.64.1.53:8090: connect: connection refused
100s    Warning   Warning            kafkarestclass/default   https://kafka.confluent.svc.cluster.local:8090/kafka/v3 dial tcp 10.64.2.60:8090: connect: connection refused
110s    Warning   Warning            kafkarestclass/default   https://kafka.confluent.svc.cluster.local:8090/kafka/v3 dial tcp 10.64.0.59:8090: connect: connection refused
15s     Warning   Warning            kafkarestclass/default   kafka rest API request failed: Unauthorized (0)
```

I did create the rest-credential from the file bearer.txt as defined in the document:

```
kubectl create secret generic rest-credential \
  --from-file=bearer.txt=$TUTORIAL_HOME/bearer.txt \
  --from-file=basic.txt=$TUTORIAL_HOME/bearer.txt \
  --namespace confluent
```


What could be the reason for this Unauthorized error?

rajeshbala01 commented 3 years ago

I can see the error in my kafka logs as below:

```
[ERROR] 2021-08-27 12:16:34,665 [qtp392226196-1527] io.confluent.common.security.jetty.MdsBasicLoginService login - Login failed for kafka
org.apache.kafka.common.errors.AuthenticationException: Failed to authenticate
Caused by: io.confluent.security.auth.client.rest.exceptions.RestClientException: Unauthorized; error code: 401
    at io.confluent.security.auth.client.rest.RestClient$HTTPRequestSender.lambda$submit$0(RestClient.java:353)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:834)
```

But when I join into the node and run a curl command against the rest proxy, I am able to get a response:

```
rajeshbala@Rajesh:/mnt/d/Learning/Kafka/confluent-kafka/confluent-kubernetes-examples/security/production-secure-deploy$ kubectl exec -it kafka-0 -- sh
Defaulted container "kafka" out of: kafka, config-init-container (init)
sh-4.4$ curl -u "kafka:kafka-secret" https://kafka.confluent.svc.cluster.local:8090/kafka/v3/clusters/ --insecure
{"kind":"KafkaClusterList","metadata":{"self":"https://kafka.confluent.svc.cluster.local:8090/kafka/v3/clusters","next":null},"data":[{"kind":"KafkaCluster","metadata":{"self":"https://kafka.confluent.svc.cluster.local:8090/kafka/v3/clusters/IIBIKHp0QZW45MaGx6XS_g","resource_name":"crn:///kafka=IIBIKHp0QZW45MaGx6XS_g"},"cluster_id":"IIBIKHp0QZW45MaGx6XS_g","controller":{"related":"https://kafka.confluent.svc.cluster.local:8090/kafka/v3/clusters/IIBIKHp0QZW45MaGx6XS_g/brokers/0"},"acls":{"related":"https://kafka.confluent.svc.cluster.local:8090/kafka/v3/clusters/IIBIKHp0QZW45MaGx6XS_g/acls"},"brokers":{"related":"https://kafka.confluent.svc.cluster.local:8090/kafka/v3/clusters/IIBIKHp0QZW45MaGx6XS_g/brokers"},"broker_configs":{"related":"https://kafka.confluent.svc.cluster.local:8090/kafka/v3/clusters/IIBIKHp0QZW45MaGx6XS_g/broker-configs"},"consumer_groups":{"related":"https://kafka.confluent.svc.cluster.local:8090/kafka/v3/clusters/IIBIKHp0QZW45MaGx6XS_g/consumer-groups"},"topics":{"related":"https://kafka.confluent.svc.cluster.local:8090/kafka/v3/clusters/IIBIKHp0QZW45MaGx6XS_g/topics"},"partition_reassignments":{"related":"https://kafka.confluent.svc.cluster.local:8090/kafka/v3/clusters/IIBIKHp0QZW45MaGx6XS_g/topics/-/partitions/-/reassignment"}}]}
```

dyleck commented 2 years ago

I faced that as well. For me the problem was with bearer.txt in the kafka-rest-credential secret - it turned out that the content of this file must be terminated by a Unix-style newline (LF). If there is no newline or it's a Windows one (CRLF), then the operator will not be able to authenticate against MDS. I consider this a bug.
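A pre-flight check for the line-ending condition described in the comment above, as an added example that is not part of that comment or of the project's code. The function names and the sample file contents (placeholder credentials in an assumed key=value layout) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how a credential file such as bearer.txt ends
# before it is loaded into the secret, and write an LF-only copy.

# Print one of: empty | crlf | none | lf
classify_ending() (
    file=$1
    [ -s "$file" ] || { echo empty; exit 0; }
    # Any carriage return means Windows-style endings somewhere in the file.
    cr_count=$(tr -cd '\r' < "$file" | wc -c)
    if [ "$cr_count" -gt 0 ]; then echo crlf; exit 0; fi
    # Hex value of the final byte; 0a is LF.
    last=$(tail -c 1 "$file" | od -An -tx1 | tr -d ' \n')
    if [ "$last" = "0a" ]; then echo lf; else echo none; fi
)

# Write an LF-only copy of $1 to $2, adding the final LF if it is missing.
normalize_lf() (
    tr -d '\r' < "$1" > "$2"
    [ "$(classify_ending "$2")" = "lf" ] || printf '\n' >> "$2"
)

# Constructed sample files (placeholder values, assumed layout).
make_samples() (
    printf 'username=EXAMPLE_USER\npassword=EXAMPLE_PASS\n'     > "$1/lf.txt"
    printf 'username=EXAMPLE_USER\r\npassword=EXAMPLE_PASS\r\n' > "$1/crlf.txt"
    printf 'username=EXAMPLE_USER\npassword=EXAMPLE_PASS'       > "$1/none.txt"
)

tmp=$(mktemp -d)
make_samples "$tmp"
for f in lf crlf none; do
    normalize_lf "$tmp/$f.txt" "$tmp/$f.fixed"
    printf '%-9s before=%-5s after=%s\n' "$f.txt" \
        "$(classify_ending "$tmp/$f.txt")" "$(classify_ending "$tmp/$f.fixed")"
done
rm -rf "$tmp"
```

To check the value already deployed, decode it to a file first, for instance with `kubectl get secret rest-credential -n confluent -o jsonpath='{.data.bearer\.txt}' | base64 -d > deployed.txt`, and run `classify_ending deployed.txt`.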

gojanpaolo commented 1 year ago

> I faced that as well. For me the problem was with bearer.txt in the kafka-rest-credential secret - it turned out that the content of this file must be terminated by a Unix-style newline (LF). If there is no newline or it's a Windows one (CRLF), then the operator will not be able to authenticate against MDS. I consider this a bug.

We had this same issue. Thank you for posting the solution!