You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@kafka.apache.org by Manikumar Reddy <ma...@gmail.com> on 2016/07/07 18:23:28 UTC
consumer.subscribe(Pattern p , ..) method fails with Authorizer
Hi,
consumer.subscribe(Pattern p , ..) method implementation tries to get
metadata of all the topics.
This will throw TopicAuthorizationException on internal topics and other
unauthorized topics.
We may need to move the pattern matching to sever side.
Is this know issue?. If not, I will raise JIRA.
logs:
[2016-07-07 22:48:06,317] WARN Error while fetching metadata with
correlation id 1 : {__consumer_offsets=TOPIC_AUTHORIZATION_FAILED}
(org.apache.kafka.clients.NetworkClient)
[2016-07-07 22:48:06,318] ERROR Unknown error when running consumer:
(kafka.tools.ConsoleConsumer$)
org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized
to access topics: [__consumer_offsets]
Thanks,
Manikumar
Re: consumer.subscribe(Pattern p , ..) method fails with Authorizer
Posted by Ismael Juma <is...@juma.me.uk>.
Ewen, that's right and that is being handled in
https://github.com/apache/kafka/pull/1428.
On Sun, Jul 24, 2016 at 1:41 AM, Ewen Cheslack-Postava <ew...@confluent.io>
wrote:
> Manikumar,
>
> Yeah, that seems bad. Seems like maybe instead of moving to server-side
> processing we should make the metadata request limit results to topics the
> principal is authorized for? I suspect this is important anyway since
> generally it seems we don't want to reveal errors when there's unauthorized
> resources, but instead mask that error as something else or not return an
> error at all?
>
> -Ewen
>
> On Fri, Jul 8, 2016 at 10:24 AM, Manikumar Reddy <
> manikumar.reddy@gmail.com>
> wrote:
>
> > Hi,
> >
> > consumer.subscribe(Pattern p , ..) method implementation tries to get
> > metadata of all the topics.
> > This will throw TopicAuthorizationException on internal topics and other
> > unauthorized topics.
> > We may need to move the pattern matching to sever side.
> > Is this know issue?. If not, I will raise JIRA.
> >
> > logs:
> > [2016-07-07 22:48:06,317] WARN Error while fetching metadata with
> > correlation id 1 : {__consumer_offsets=TOPIC_AUTHORIZATION_FAILED}
> > (org.apache.kafka.clients.NetworkClient)
> > [2016-07-07 22:48:06,318] ERROR Unknown error when running consumer:
> > (kafka.tools.ConsoleConsumer$)
> > org.apache.kafka.common.errors.TopicAuthorizationException: Not
> authorized
> > to access topics: [__consumer_offsets]
> >
> >
> > Thanks,
> > Manikumar
> >
>
>
>
> --
> Thanks,
> Ewen
>
Re: consumer.subscribe(Pattern p , ..) method fails with Authorizer
Posted by Ewen Cheslack-Postava <ew...@confluent.io>.
Manikumar,
Yeah, that seems bad. Seems like maybe instead of moving to server-side
processing we should make the metadata request limit results to topics the
principal is authorized for? I suspect this is important anyway since
generally it seems we don't want to reveal errors when there's unauthorized
resources, but instead mask that error as something else or not return an
error at all?
-Ewen
On Fri, Jul 8, 2016 at 10:24 AM, Manikumar Reddy <ma...@gmail.com>
wrote:
> Hi,
>
> consumer.subscribe(Pattern p , ..) method implementation tries to get
> metadata of all the topics.
> This will throw TopicAuthorizationException on internal topics and other
> unauthorized topics.
> We may need to move the pattern matching to sever side.
> Is this know issue?. If not, I will raise JIRA.
>
> logs:
> [2016-07-07 22:48:06,317] WARN Error while fetching metadata with
> correlation id 1 : {__consumer_offsets=TOPIC_AUTHORIZATION_FAILED}
> (org.apache.kafka.clients.NetworkClient)
> [2016-07-07 22:48:06,318] ERROR Unknown error when running consumer:
> (kafka.tools.ConsoleConsumer$)
> org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized
> to access topics: [__consumer_offsets]
>
>
> Thanks,
> Manikumar
>
--
Thanks,
Ewen
Fwd: consumer.subscribe(Pattern p , ..) method fails with Authorizer
Posted by Manikumar Reddy <ma...@gmail.com>.
Hi,
consumer.subscribe(Pattern p , ..) method implementation tries to get
metadata of all the topics.
This will throw TopicAuthorizationException on internal topics and other
unauthorized topics.
We may need to move the pattern matching to sever side.
Is this know issue?. If not, I will raise JIRA.
logs:
[2016-07-07 22:48:06,317] WARN Error while fetching metadata with
correlation id 1 : {__consumer_offsets=TOPIC_AUTHORIZATION_FAILED}
(org.apache.kafka.clients.NetworkClient)
[2016-07-07 22:48:06,318] ERROR Unknown error when running consumer:
(kafka.tools.ConsoleConsumer$)
org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized
to access topics: [__consumer_offsets]
Thanks,
Manikumar