You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@kafka.apache.org by da...@post.ch.INVALID on 2022/03/14 13:11:48 UTC

Error creating PREFIXED ACL's

Hi

Since weeks we have on one of our environments the following error by creating PREFIXED ACL’s.


Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name=xyz1, patternType=PREFIXED)`:

        (principal=User:xyz, host=*, operation=READ, permissionType=ALLOW)

        (principal=User:xyz, host=*, operation=DESCRIBE, permissionType=ALLOW)



Error while executing ACL command: org.apache.kafka.common.errors.InvalidRequestException: Failed to create ACL

java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.InvalidRequestException: Failed to create ACL

        at org.apache.kafka.common.internals.KafkaFutureImpl.wrapAndThrow(KafkaFutureImpl.java:45)

        at org.apache.kafka.common.internals.KafkaFutureImpl.access$000(KafkaFutureImpl.java:32)

        at org.apache.kafka.common.internals.KafkaFutureImpl$SingleWaiter.await(KafkaFutureImpl.java:89)

        at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:260)

        at kafka.admin.AclCommand$AdminClientService.$anonfun$addAcls$3(AclCommand.scala:112)

        at scala.collection.IterableOnceOps.foreach(IterableOnce.scala:553)

        at scala.collection.IterableOnceOps.foreach$(IterableOnce.scala:551)

        at scala.collection.AbstractIterable.foreach(Iterable.scala:920)

        at scala.collection.IterableOps$WithFilter.foreach(Iterable.scala:890)

        at kafka.admin.AclCommand$AdminClientService.$anonfun$addAcls$1(AclCommand.scala:109)

        at kafka.admin.AclCommand$AdminClientService.addAcls(AclCommand.scala:108)

        at kafka.admin.AclCommand$.main(AclCommand.scala:70)

        at kafka.admin.AclCommand.main(AclCommand.scala)

Caused by: org.apache.kafka.common.errors.InvalidRequestException: Failed to create ACL

If I try to run it again with the same TOPIC name it shows, that something already exists.

Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name= xyz1, patternType=PREFIXED)`:
        (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)
        (principal=User: xyz, host=*, operation=DESCRIBE, permissionType=ALLOW)

Adding ACLs for resource `ResourcePattern(resourceType=GROUP, name= xyz1, patternType=PREFIXED)`:
        (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name= xyz1, patternType=PREFIXED)`:
        (principal=User: xyz, host=*, operation=DESCRIBE, permissionType=ALLOW)
        (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=GROUP, name= xyz1, patternType=PREFIXED)`:
        (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)

But the ACL wasn’t created correctly. Also a deletion of these is not possible.

If we do the same with patternType “LITERAL” it works directly and the ACL is also correct created and useable.


Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name=xyz2, patternType=LITERAL)`:

        (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)

        (principal=User: xyz, host=*, operation=DESCRIBE, permissionType=ALLOW)



Adding ACLs for resource `ResourcePattern(resourceType=GROUP, name= xyz2, patternType=LITERAL)`:

        (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)



Current ACLs for resource `ResourcePattern(resourceType=GROUP, name= xyz2, patternType=LITERAL)`:

        (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)



Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name= xyz2, patternType=LITERAL)`:

        (principal=User: xyz, host=*, operation=DESCRIBE, permissionType=ALLOW)

        (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)

This problem we only have on our integration environment, on production we have no problems by creating PREFIXED ACL’s.

On both env’s we have the following version installed.

OS: RHEL7
Confluent-6.1.2
Kafka-2.7
Zookeeper-3.5.9

We think it is an issue in the zookeeper but aren’t able to find the reason.

Thank for help and input
Best regards,
Daniel Marino

Re: Error creating PREFIXED ACL's

Posted by Luke Chen <sh...@gmail.com>.

Hi Daniel,

Did you see any error from the server log or zookeeper log while getting
the `InvalidRequestException: Failed to create ACL` response?

Thank you.
Luke

On Mon, Mar 14, 2022 at 9:13 PM <da...@post.ch.invalid> wrote:

> Hi
>
> Since weeks we have on one of our environments the following error by
> creating PREFIXED ACL’s.
>
>
> Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name=xyz1,
> patternType=PREFIXED)`:
>
>         (principal=User:xyz, host=*, operation=READ, permissionType=ALLOW)
>
>         (principal=User:xyz, host=*, operation=DESCRIBE,
> permissionType=ALLOW)
>
>
>
> Error while executing ACL command:
> org.apache.kafka.common.errors.InvalidRequestException: Failed to create ACL
>
> java.util.concurrent.ExecutionException:
> org.apache.kafka.common.errors.InvalidRequestException: Failed to create ACL
>
>         at
> org.apache.kafka.common.internals.KafkaFutureImpl.wrapAndThrow(KafkaFutureImpl.java:45)
>
>         at
> org.apache.kafka.common.internals.KafkaFutureImpl.access$000(KafkaFutureImpl.java:32)
>
>         at
> org.apache.kafka.common.internals.KafkaFutureImpl$SingleWaiter.await(KafkaFutureImpl.java:89)
>
>         at
> org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:260)
>
>         at
> kafka.admin.AclCommand$AdminClientService.$anonfun$addAcls$3(AclCommand.scala:112)
>
>         at scala.collection.IterableOnceOps.foreach(IterableOnce.scala:553)
>
>         at
> scala.collection.IterableOnceOps.foreach$(IterableOnce.scala:551)
>
>         at scala.collection.AbstractIterable.foreach(Iterable.scala:920)
>
>         at
> scala.collection.IterableOps$WithFilter.foreach(Iterable.scala:890)
>
>         at
> kafka.admin.AclCommand$AdminClientService.$anonfun$addAcls$1(AclCommand.scala:109)
>
>         at
> kafka.admin.AclCommand$AdminClientService.addAcls(AclCommand.scala:108)
>
>         at kafka.admin.AclCommand$.main(AclCommand.scala:70)
>
>         at kafka.admin.AclCommand.main(AclCommand.scala)
>
> Caused by: org.apache.kafka.common.errors.InvalidRequestException: Failed
> to create ACL
>
> If I try to run it again with the same TOPIC name it shows, that something
> already exists.
>
> Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name= xyz1,
> patternType=PREFIXED)`:
>         (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)
>         (principal=User: xyz, host=*, operation=DESCRIBE,
> permissionType=ALLOW)
>
> Adding ACLs for resource `ResourcePattern(resourceType=GROUP, name= xyz1,
> patternType=PREFIXED)`:
>         (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)
>
> Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name= xyz1,
> patternType=PREFIXED)`:
>         (principal=User: xyz, host=*, operation=DESCRIBE,
> permissionType=ALLOW)
>         (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)
>
> Current ACLs for resource `ResourcePattern(resourceType=GROUP, name= xyz1,
> patternType=PREFIXED)`:
>         (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)
>
> But the ACL wasn’t created correctly. Also a deletion of these is not
> possible.
>
> If we do the same with patternType “LITERAL” it works directly and the ACL
> is also correct created and useable.
>
>
> Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name=xyz2,
> patternType=LITERAL)`:
>
>         (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)
>
>         (principal=User: xyz, host=*, operation=DESCRIBE,
> permissionType=ALLOW)
>
>
>
> Adding ACLs for resource `ResourcePattern(resourceType=GROUP, name= xyz2,
> patternType=LITERAL)`:
>
>         (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)
>
>
>
> Current ACLs for resource `ResourcePattern(resourceType=GROUP, name= xyz2,
> patternType=LITERAL)`:
>
>         (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)
>
>
>
> Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name= xyz2,
> patternType=LITERAL)`:
>
>         (principal=User: xyz, host=*, operation=DESCRIBE,
> permissionType=ALLOW)
>
>         (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)
>
> This problem we only have on our integration environment, on production we
> have no problems by creating PREFIXED ACL’s.
>
> On both env’s we have the following version installed.
>
> OS: RHEL7
> Confluent-6.1.2
> Kafka-2.7
> Zookeeper-3.5.9
>
> We think it is an issue in the zookeeper but aren’t able to find the
> reason.
>
> Thank for help and input
> Best regards,
> Daniel Marino
>