You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@kafka.apache.org by da...@post.ch.INVALID on 2022/03/14 13:11:48 UTC
Error creating PREFIXED ACL's
Hi
Since weeks we have on one of our environments the following error by creating PREFIXED ACL’s.
Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name=xyz1, patternType=PREFIXED)`:
(principal=User:xyz, host=*, operation=READ, permissionType=ALLOW)
(principal=User:xyz, host=*, operation=DESCRIBE, permissionType=ALLOW)
Error while executing ACL command: org.apache.kafka.common.errors.InvalidRequestException: Failed to create ACL
java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.InvalidRequestException: Failed to create ACL
at org.apache.kafka.common.internals.KafkaFutureImpl.wrapAndThrow(KafkaFutureImpl.java:45)
at org.apache.kafka.common.internals.KafkaFutureImpl.access$000(KafkaFutureImpl.java:32)
at org.apache.kafka.common.internals.KafkaFutureImpl$SingleWaiter.await(KafkaFutureImpl.java:89)
at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:260)
at kafka.admin.AclCommand$AdminClientService.$anonfun$addAcls$3(AclCommand.scala:112)
at scala.collection.IterableOnceOps.foreach(IterableOnce.scala:553)
at scala.collection.IterableOnceOps.foreach$(IterableOnce.scala:551)
at scala.collection.AbstractIterable.foreach(Iterable.scala:920)
at scala.collection.IterableOps$WithFilter.foreach(Iterable.scala:890)
at kafka.admin.AclCommand$AdminClientService.$anonfun$addAcls$1(AclCommand.scala:109)
at kafka.admin.AclCommand$AdminClientService.addAcls(AclCommand.scala:108)
at kafka.admin.AclCommand$.main(AclCommand.scala:70)
at kafka.admin.AclCommand.main(AclCommand.scala)
Caused by: org.apache.kafka.common.errors.InvalidRequestException: Failed to create ACL
If I try to run it again with the same TOPIC name it shows, that something already exists.
Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name= xyz1, patternType=PREFIXED)`:
(principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)
(principal=User: xyz, host=*, operation=DESCRIBE, permissionType=ALLOW)
Adding ACLs for resource `ResourcePattern(resourceType=GROUP, name= xyz1, patternType=PREFIXED)`:
(principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name= xyz1, patternType=PREFIXED)`:
(principal=User: xyz, host=*, operation=DESCRIBE, permissionType=ALLOW)
(principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=GROUP, name= xyz1, patternType=PREFIXED)`:
(principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)
But the ACL wasn’t created correctly. Also a deletion of these is not possible.
If we do the same with patternType “LITERAL” it works directly and the ACL is also correct created and useable.
Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name=xyz2, patternType=LITERAL)`:
(principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)
(principal=User: xyz, host=*, operation=DESCRIBE, permissionType=ALLOW)
Adding ACLs for resource `ResourcePattern(resourceType=GROUP, name= xyz2, patternType=LITERAL)`:
(principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=GROUP, name= xyz2, patternType=LITERAL)`:
(principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name= xyz2, patternType=LITERAL)`:
(principal=User: xyz, host=*, operation=DESCRIBE, permissionType=ALLOW)
(principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)
This problem we only have on our integration environment, on production we have no problems by creating PREFIXED ACL’s.
On both env’s we have the following version installed.
OS: RHEL7
Confluent-6.1.2
Kafka-2.7
Zookeeper-3.5.9
We think it is an issue in the zookeeper but aren’t able to find the reason.
Thank for help and input
Best regards,
Daniel Marino
Re: Error creating PREFIXED ACL's
Posted by Luke Chen <sh...@gmail.com>.
Hi Daniel,
Did you see any error from the server log or zookeeper log while getting
the `InvalidRequestException: Failed to create ACL` response?
Thank you.
Luke
On Mon, Mar 14, 2022 at 9:13 PM <da...@post.ch.invalid> wrote:
> Hi
>
> Since weeks we have on one of our environments the following error by
> creating PREFIXED ACL’s.
>
>
> Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name=xyz1,
> patternType=PREFIXED)`:
>
> (principal=User:xyz, host=*, operation=READ, permissionType=ALLOW)
>
> (principal=User:xyz, host=*, operation=DESCRIBE,
> permissionType=ALLOW)
>
>
>
> Error while executing ACL command:
> org.apache.kafka.common.errors.InvalidRequestException: Failed to create ACL
>
> java.util.concurrent.ExecutionException:
> org.apache.kafka.common.errors.InvalidRequestException: Failed to create ACL
>
> at
> org.apache.kafka.common.internals.KafkaFutureImpl.wrapAndThrow(KafkaFutureImpl.java:45)
>
> at
> org.apache.kafka.common.internals.KafkaFutureImpl.access$000(KafkaFutureImpl.java:32)
>
> at
> org.apache.kafka.common.internals.KafkaFutureImpl$SingleWaiter.await(KafkaFutureImpl.java:89)
>
> at
> org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:260)
>
> at
> kafka.admin.AclCommand$AdminClientService.$anonfun$addAcls$3(AclCommand.scala:112)
>
> at scala.collection.IterableOnceOps.foreach(IterableOnce.scala:553)
>
> at
> scala.collection.IterableOnceOps.foreach$(IterableOnce.scala:551)
>
> at scala.collection.AbstractIterable.foreach(Iterable.scala:920)
>
> at
> scala.collection.IterableOps$WithFilter.foreach(Iterable.scala:890)
>
> at
> kafka.admin.AclCommand$AdminClientService.$anonfun$addAcls$1(AclCommand.scala:109)
>
> at
> kafka.admin.AclCommand$AdminClientService.addAcls(AclCommand.scala:108)
>
> at kafka.admin.AclCommand$.main(AclCommand.scala:70)
>
> at kafka.admin.AclCommand.main(AclCommand.scala)
>
> Caused by: org.apache.kafka.common.errors.InvalidRequestException: Failed
> to create ACL
>
> If I try to run it again with the same TOPIC name it shows, that something
> already exists.
>
> Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name= xyz1,
> patternType=PREFIXED)`:
> (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)
> (principal=User: xyz, host=*, operation=DESCRIBE,
> permissionType=ALLOW)
>
> Adding ACLs for resource `ResourcePattern(resourceType=GROUP, name= xyz1,
> patternType=PREFIXED)`:
> (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)
>
> Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name= xyz1,
> patternType=PREFIXED)`:
> (principal=User: xyz, host=*, operation=DESCRIBE,
> permissionType=ALLOW)
> (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)
>
> Current ACLs for resource `ResourcePattern(resourceType=GROUP, name= xyz1,
> patternType=PREFIXED)`:
> (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)
>
> But the ACL wasn’t created correctly. Also a deletion of these is not
> possible.
>
> If we do the same with patternType “LITERAL” it works directly and the ACL
> is also correct created and useable.
>
>
> Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name=xyz2,
> patternType=LITERAL)`:
>
> (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)
>
> (principal=User: xyz, host=*, operation=DESCRIBE,
> permissionType=ALLOW)
>
>
>
> Adding ACLs for resource `ResourcePattern(resourceType=GROUP, name= xyz2,
> patternType=LITERAL)`:
>
> (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)
>
>
>
> Current ACLs for resource `ResourcePattern(resourceType=GROUP, name= xyz2,
> patternType=LITERAL)`:
>
> (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)
>
>
>
> Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name= xyz2,
> patternType=LITERAL)`:
>
> (principal=User: xyz, host=*, operation=DESCRIBE,
> permissionType=ALLOW)
>
> (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)
>
> This problem we only have on our integration environment, on production we
> have no problems by creating PREFIXED ACL’s.
>
> On both env’s we have the following version installed.
>
> OS: RHEL7
> Confluent-6.1.2
> Kafka-2.7
> Zookeeper-3.5.9
>
> We think it is an issue in the zookeeper but aren’t able to find the
> reason.
>
> Thank for help and input
> Best regards,
> Daniel Marino
>