Closed jrevillard closed 4 years ago
SASL_SSL is an authentication mechanism, which means that it will let you successfully connect to a broker provided you have a valid set of credentials; it doesn't check (at the point of connection) whether you are authorised to perform any action on the broker(s).
The error you are seeing owes to a lack of privileges. You need to explicitly grant access to the Kafdrop user to access the topics that you want to browse, as well as consumer groups.
Hi @ekoutanov , thanks for your help. Let me describe more in detail. Here is my kafdrop configuration:
security.protocol=SASL_SSL
#ssl.endpoint.identification.algorithm=
ssl.truststore.location=/conf/certificate_authorities.jks
ssl.truststore.password=xxxxxx
sasl.mechanism=GSSAPI
sasl.jaas.config="com.sun.security.auth.module.Krb5LoginModule required \
useTicketCache=true \
renewTicket=true \
serviceName=\"kafka\" \
useKeyTab=true keyTab=\"/conf/jrevillard.keytab\" \
principal=\"jrevillard@BIGEYS.PRIV\";"
In Ranger, no problem at all, Kafdrop was able to do everything apparently, I see plenty of "describe" operations which succeed without problem:
Therefore, I have no idea what is the issue. My user is admin of the kafka cluster and can do everything.
Best, Jerome
Hi @jrevillard . I'm not sure what the specific issue is with authorization (and I'm no Kerberos expert), but I can confirm pretty definitively that a TopicAuthorizationException
in Kafka means that the client attempted to execute an operation on the topic for which it does not have adequate permission. It might be a DESCRIBE, or a READ.
This has little to do with Kafdrop; more with how Kafka authorization works.
What I can suggest is to enable fine-grained logging on your Kafka cluster to see where access is being denied. Alternatively, you may try a different authentication scheme just for experimentation, for example SASL with SCRAM, just to check that authorization has been set up correctly (to eliminate Kerberos as a potential issue).
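Following the suggestion above to turn on authorizer logging, here is an added example (not Kafdrop's code and not from this thread) that scans Kafka authorizer log lines for denials and lists the exact principal/resource/operation grants a defender would review. The sample lines are constructed, and the message format is assumed to be the one Kafka's SimpleAclAuthorizer writes to kafka.authorizer.logger.

```python
import re
from collections import defaultdict

# Assumed message format of kafka.authorizer.logger (Kafka 1.x SimpleAclAuthorizer):
# "Principal = User:x is Allowed|Denied Operation = Op from host = h on resource = Type:name"
AUTHZ_RE = re.compile(
    r"Principal = (?P<principal>\S+) is (?P<decision>Allowed|Denied) "
    r"Operation = (?P<operation>\w+) from host = (?P<host>\S+) "
    r"on resource = (?P<rtype>\w+):(?P<rname>\S+)"
)

# Constructed sample: Describe succeeds, DescribeConfigs (used by
# adminClient.describeConfigs) and a consumer-group Describe are denied.
SAMPLE_LOG = [
    "[2020-04-29 10:27:18,940] DEBUG Principal = User:jrevillard is Allowed Operation = Describe "
    "from host = 10.1.2.3 on resource = Topic:topic1 (kafka.authorizer.logger)",
    "[2020-04-29 10:27:19,101] INFO Principal = User:jrevillard is Denied Operation = DescribeConfigs "
    "from host = 10.1.2.3 on resource = Topic:topic1 (kafka.authorizer.logger)",
    "[2020-04-29 10:27:19,102] INFO Principal = User:jrevillard is Denied Operation = DescribeConfigs "
    "from host = 10.1.2.3 on resource = Topic:topic2 (kafka.authorizer.logger)",
    "[2020-04-29 10:27:19,150] INFO Principal = User:jrevillard is Denied Operation = Describe "
    "from host = 10.1.2.3 on resource = Group:kafdrop-consumer (kafka.authorizer.logger)",
]


def parse_denials(lines):
    """Map (principal, resource type, resource name) -> set of denied operations."""
    denied = defaultdict(set)
    for line in lines:
        m = AUTHZ_RE.search(line)
        if m and m.group("decision") == "Denied":
            key = (m.group("principal"), m.group("rtype"), m.group("rname"))
            denied[key].add(m.group("operation"))
    return dict(denied)


def missing_grants(lines):
    """Flatten the denials into sorted (principal, rtype, rname, operation) tuples,
    i.e. the minimal ACLs or Ranger policy items to review before granting them."""
    denied = parse_denials(lines)
    return sorted((p, t, n, op) for (p, t, n), ops in denied.items() for op in sorted(ops))


if __name__ == "__main__":
    for principal, rtype, rname, op in missing_grants(SAMPLE_LOG):
        print(f"{principal} needs {op} on {rtype}:{rname}")
```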
I found exactly where the problem is by running in DEBUG mode. In fact, the problem is adminClient.describeConfigs(resources);
Kafdrop is able to properly retrieve the topic list in fact:
kafdrop_1 | 2020-04-29 10:27:18.936 DEBUG 14 [ XNIO-1 task-1] o.a.k.c.NetworkClient : [Consumer clientId=kafdrop-consumer, groupId=null] Using older server API v5 to send METADATA {topics=[{name=topic1}],allow_auto_topic_creation=true} with correlation id 4 to node 1008
kafdrop_1 | 2020-04-29 10:27:18.996 DEBUG 14 [ XNIO-1 task-1] o.a.k.c.NetworkClient : [Consumer clientId=kafdrop-consumer, groupId=null] Using older server API v5 to send METADATA {topics=[{name=topic2}],allow_auto_topic_creation=true} with correlation id 7 to node 1008
kafdrop_1 | 2020-04-29 10:27:19.056 DEBUG 14 [ XNIO-1 task-1] o.a.k.c.NetworkClient : [Consumer clientId=kafdrop-consumer, groupId=null] Using older server API v5 to send METADATA {topics=[{name=topic3}],allow_auto_topic_creation=true} with correlation id 8 to node 1008
....
Best
Hi,
We have a Kafka cluster with Kafka v1.0 protected by Apache Ranger. We use SASL_SSL with the GSSAPI sasl mechanism. I see in the Ranger audit logs that Kafdrop contacts the cluster properly... all the connections are allowed (no denials at all) but in Kafdrop, I get this:
Do you have an idea?
Best, Jerome