Closed obabec closed 3 years ago
Based on the stacktrace it is impossible for this exception to occur in 0.7.1.
On closer inspection, the CLASSPATH of your Kafka broker reveals that you deploy on top of the image that already contains 0.6.1 versions of strimzi-kafka-oauth jars, and you override by prefixing the CLASSPATH with 0.7.1 version jars.
Except that you did not override kafka-oauth-keycloak-authorizer jar.
You have in your CLASSPATH:
/opt/kafka/libs/strimzi/kafka-oauth-common-0.7.1.jar:/opt/kafka/libs/strimzi/keycloak-core-12.0.1.jar:/opt/kafka/libs/strimzi/kafka-oauth-server-0.7.1.jar:/opt/kafka/libs/strimzi/kafka-oauth-server-plain-0.7.1.jar:/opt/kafka/libs/strimzi/kafka-oauth-client-0.7.1.jar ...
And these are the only 0.7.1 jars that override 0.6.1 version jars with the same name.
Later in the classpath you have :/opt/kafka/bin/../libs/kafka-oauth-keycloak-authorizer-0.6.1.jar:
But you don't have kafka-oauth-keycloak-authorizer-0.7.1.jar on your classpath, so effectively you're still using 0.6.1 code here.
Closing the issue.
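A check for the situation diagnosed in the comment above, written as an added example that is not part of the original thread or of the strimzi-kafka-oauth project: it walks a CLASSPATH in order and reports which `kafka-oauth-*` artifacts still resolve to an older version. The function names, the "most common version is the intended one" rule, and the sample 0.6.1 paths other than the authorizer jar are assumptions made for illustration.

```python
import os
import re
from collections import Counter, OrderedDict

# <artifact>-<version>.jar; the version starts with a digit (e.g. 0.7.1)
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")

# Constructed sample: the 0.7.1 prefix and the 0.6.1 authorizer entry are the
# ones quoted in the comment; the other 0.6.1 paths are assumed stand-ins for
# the jars shipped in the base image.
SAMPLE_CLASSPATH = ":".join([
    "/opt/kafka/libs/strimzi/kafka-oauth-common-0.7.1.jar",
    "/opt/kafka/libs/strimzi/keycloak-core-12.0.1.jar",
    "/opt/kafka/libs/strimzi/kafka-oauth-server-0.7.1.jar",
    "/opt/kafka/libs/strimzi/kafka-oauth-server-plain-0.7.1.jar",
    "/opt/kafka/libs/strimzi/kafka-oauth-client-0.7.1.jar",
    "/opt/kafka/bin/../libs/kafka-oauth-common-0.6.1.jar",
    "/opt/kafka/bin/../libs/kafka-oauth-keycloak-authorizer-0.6.1.jar",
    "/opt/kafka/bin/../libs/kafka-oauth-server-0.6.1.jar",
])

def jars_in_order(classpath, prefix="kafka-oauth-"):
    """Map artifact -> [(version, path), ...] in classpath order.
    Classes load from the first entry that has them, so index 0 is in effect."""
    found = OrderedDict()
    for entry in classpath.split(":"):
        m = JAR_RE.match(os.path.basename(entry))
        if m and m.group("artifact").startswith(prefix):
            found.setdefault(m.group("artifact"), []).append((m.group("version"), entry))
    return found

def audit(classpath, prefix="kafka-oauth-"):
    """Report artifacts whose effective version differs from the rest of the family."""
    jars = jars_in_order(classpath, prefix)
    effective = {a: hits[0][0] for a, hits in jars.items()}
    if not effective:
        return {"expected": None, "stale": {}, "shadowed": {}}
    # Assumption: the version most artifacts resolve to is the intended one.
    expected = Counter(effective.values()).most_common(1)[0][0]
    return {
        "expected": expected,
        "stale": {a: v for a, v in effective.items() if v != expected},
        "shadowed": {a: [v for v, _ in hits[1:]] for a, hits in jars.items() if len(hits) > 1},
    }

if __name__ == "__main__":
    report = audit(SAMPLE_CLASSPATH)
    for artifact, version in report["stale"].items():
        print(f"{artifact}: effective {version}, expected {report['expected']}")
```

A non-empty `stale` result means the broker is running mixed library versions; `shadowed` lists older copies that are present but overridden by an earlier entry.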
I found out that there is a null pointer when KeycloakRBACAuthorizer tries to authorize a user with resource permission for a consumer group.
Using version 0.7.1
Including container logs, which contain the NPE: kafka-logs.txt
The Keycloak realm is configured as follows: authz-realm.txt