Posted to users@kafka.apache.org by Wannes De Smet <wa...@gmail.com> on 2016/08/05 12:14:19 UTC

Leader not available when using ACLs on Kafka 0.10

Hi all

We are getting a 'Leader not available' exception when using ACLs with TLS
on a three node Kafka cluster, configured as [1]. The error occurs both
when trying to produce and consume from a topic, to which the producer
principal and all hosts have been granted access for testing, using the
following:

./kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer
--authorizer-properties zookeeper.connect=localhost:2181 --add
--allow-principal User:* --producer --topic topicName

The same issue appears in another thread on this mailing list [2], though
no information is present on how to resolve this issue. We also tried using
0.10.0.1 RC2, unfortunately to no effect. When the ACLs are not active,
everything works as expected.

Another attempt to explicitly allow access to all Kafka cluster hosts with
the 'All' principal did not have any effect.

Please advise how we might debug and resolve this issue.

Thanks
Wannes

[1] listeners=PLAINTEXT://:9092,SSL://:9093 ; inter-broker communication is
using the PLAINTEXT default
[2]
http://mail-archives.apache.org/mod_mbox/kafka-users/201608.mbox/%3CCANZ-JHHmL_E5xhcEdHeW0ZYME+M8iZsaz-D59UKL8HeWh3=PSw@mail.gmail.com%3E

Re: Leader not available when using ACLs on Kafka 0.10

Posted by Tom Crayford <tc...@heroku.com>.
Hi,

I'd recommend turning up broker logs to DEBUG and looking at the
controller's logs. The controller talks to nodes over the network and if it
can't reach them because of ACLs, then you won't get a leader.

The only other note is to check if your brokers are talking to each other
over TLS or plaintext. If they're going over plaintext you'll need to
authenticate those hosts. If they're going over TLS, you'll need to ensure
they're using the right client certs.

Thanks

Tom Crayford
Heroku Kafka

On Friday, 5 August 2016, Wannes De Smet <wa...@gmail.com> wrote:

> Hi all
>
> We are getting a 'Leader not available' exception when using ACLs with TLS
> on a three node Kafka cluster, configured as [1]. The error occurs both
> when trying to produce and consume from a topic, to which the producer
> principal and all hosts have been granted access for testing, using the
> following:
>
> ./kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer
> --authorizer-properties zookeeper.connect=localhost:2181 --add
> --allow-principal User:* --producer --topic topicName
>
> The same issue appears in another thread on this mailing list [2], though
> no information is present on how to resolve this issue. We also tried using
> 0.10.0.1 RC2, unfortunately to no effect. When the ACLs are not active,
> everything works as expected.
>
> Another attempt to explicitly allow access to all Kafka cluster hosts with
> the 'All' principal did not have any effect.
>
> Please advise how we might debug and resolve this issue.
>
> Thanks
> Wannes
>
> [1] listeners=PLAINTEXT://:9092,SSL://:9093 ; inter-broker communication is
> using the PLAINTEXT default
> [2]
> http://mail-archives.apache.org/mod_mbox/kafka-users/201608.mbox/%3CCANZ-JHHmL_E5xhcEdHeW0ZYME+M8iZsaz-D59UKL8HeWh3=PSw@mail.gmail.com%3E
>
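
Added example, not part of the thread and not confirmed as its resolution: a broker server.properties sketch of the two cases Tom describes, with the setup from footnote [1] shown commented out beside a TLS inter-broker variant. It assumes the stock SimpleAclAuthorizer, under which PLAINTEXT connections carry the principal User:ANONYMOUS and broker-to-broker requests need ClusterAction on the Cluster resource; hostnames, certificate DNs, paths and passwords are placeholders.

```properties
# --- Before: the setup from footnote [1] (kept commented out) -------------
# The authorizer line is assumed from the kafka-acls.sh command in the post.
# authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
# listeners=PLAINTEXT://:9092,SSL://:9093
# security.inter.broker.protocol is unset, so it defaults to PLAINTEXT.
# Brokers and the controller then reach each other unauthenticated, as
# User:ANONYMOUS. The ACL added with --producer covers producing to the
# topic, not ClusterAction on the cluster, so inter-broker requests are
# denied once the authorizer is active.

# --- After: authenticated inter-broker traffic over TLS -------------------
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
listeners=PLAINTEXT://:9092,SSL://:9093

# Brokers talk to each other on the SSL listener and present a client cert.
security.inter.broker.protocol=SSL
ssl.client.auth=required

# Placeholder paths and passwords; each broker has its own keystore.
ssl.keystore.location=/path/to/broker.keystore.jks
ssl.keystore.password=<keystore-password>
ssl.key.password=<key-password>
ssl.truststore.location=/path/to/broker.truststore.jks
ssl.truststore.password=<truststore-password>

# With the default principal builder, the TLS principal is the full
# certificate subject DN prefixed with "User:". Listing the broker DNs as
# super users lets them bypass ACL checks; entries are separated by ';'.
# The DNs below are constructed placeholders for a three-node cluster.
super.users=User:CN=broker1.example.com,OU=kafka,O=example;User:CN=broker2.example.com,OU=kafka,O=example;User:CN=broker3.example.com,OU=kafka,O=example

# Narrower alternative to super.users: grant each broker DN an ACL for the
# ClusterAction operation on the Cluster resource instead.
#
# If inter-broker traffic must stay on PLAINTEXT, the principal to authorize
# is User:ANONYMOUS, which every unauthenticated PLAINTEXT client shares, so
# restrict any such grant to the broker host addresses.
```

The broker DEBUG logs Tom mentions show the principal string being denied, which is the value to copy into super.users or the ACL.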