Failed to Set an ACL for a Kafka Topic, and "NoAuthException" Is Displayed
Symptom
When the following command is run on the Kafka client to set the ACL for a topic, the ACL cannot be set.
kafka-acls.sh --authorizer-properties zookeeper.connect=10.5.144.2:2181/kafka --topic topic_acl --producer --add --allow-principal User:test_acl
The error message "NoAuthException: KeeperErrorCode = NoAuth for /kafka-acl-changes/acl_changes_0000000002" is displayed.
Details are as follows:
Error while executing ACL command: org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /kafka-acl-changes/acl_changes_0000000002
org.I0Itec.zkclient.exception.ZkException: org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /kafka-acl-changes/acl_changes_0000000002
    at org.I0Itec.zkclient.exception.ZkException.create(ZkException.java:68)
    at org.I0Itec.zkclient.ZkClient.retryUntilConnected(ZkClient.java:995)
    at org.I0Itec.zkclient.ZkClient.delete(ZkClient.java:1038)
    at kafka.utils.ZkUtils.deletePath(ZkUtils.scala:499)
    at kafka.common.ZkNodeChangeNotificationListener$$anonfun$purgeObsoleteNotifications$1.apply(ZkNodeChangeNotificationListener.scala:118)
    at kafka.common.ZkNodeChangeNotificationListener$$anonfun$purgeObsoleteNotifications$1.apply(ZkNodeChangeNotificationListener.scala:112)
    at scala.collection.mutable.ResizableArray$class.foreach(ResizableArray.scala:59)
    at scala.collection.mutable.ArrayBuffer.foreach(ArrayBuffer.scala:47)
    at kafka.common.ZkNodeChangeNotificationListener.purgeObsoleteNotifications(ZkNodeChangeNotificationListener.scala:112)
    at kafka.common.ZkNodeChangeNotificationListener.kafka$common$ZkNodeChangeNotificationListener$$processNotifications(ZkNodeChangeNotificationListener.scala:97)
    at kafka.common.ZkNodeChangeNotificationListener.processAllNotifications(ZkNodeChangeNotificationListener.scala:77)
    at kafka.common.ZkNodeChangeNotificationListener.init(ZkNodeChangeNotificationListener.scala:65)
    at kafka.security.auth.SimpleAclAuthorizer.configure(SimpleAclAuthorizer.scala:136)
    at kafka.admin.AclCommand$.withAuthorizer(AclCommand.scala:73)
    at kafka.admin.AclCommand$.addAcl(AclCommand.scala:80)
    at kafka.admin.AclCommand$.main(AclCommand.scala:48)
    at kafka.admin.AclCommand.main(AclCommand.scala)
Caused by: org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /kafka-acl-changes/acl_changes_0000000002
    at org.apache.zookeeper.KeeperException.create(KeeperException.java:117)
    at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
    at org.apache.zookeeper.ZooKeeper.delete(ZooKeeper.java:1416)
    at org.I0Itec.zkclient.ZkConnection.delete(ZkConnection.java:104)
    at org.I0Itec.zkclient.ZkClient$11.call(ZkClient.java:1042)
    at org.I0Itec.zkclient.ZkClient.retryUntilConnected(ZkClient.java:985)
Possible Causes
The user does not belong to the kafkaadmin group. Kafka provides a secure access interface, and only users in the kafkaadmin group can set ACLs.
Cause Analysis
- After the client command is run, the "NoAuthException" exception is reported.
- Run the client command klist to query the current authenticated user.
  [root@10-10-144-2 client]# klist
  Ticket cache: FILE:/tmp/krb5cc_0
  Default principal: test@HADOOP.COM
  Valid starting     Expires            Service principal
  01/25/17 11:06:48  01/26/17 11:06:45  krbtgt/HADOOP.COM@HADOOP.COM
The test user is used in this example.
- Run the id command to query the user group information.
  [root@10-10-144-2 client]# id test
  uid=20032(test) gid=10001(hadoop) groups=10001(hadoop),9998(ficommon),10003(kafka)
  The output shows that the test user is not in the kafkaadmin group.
Solution
MRS Manager:
- Log in to MRS Manager.
- Choose System > Manage User.
- In the Operation column of the user, click Modify.
- Add the user to the kafkaadmin group.
- Run the id command to query the user group information.
  [root@host1 client]# id test
  uid=20032(test) gid=10001(hadoop) groups=10001(hadoop),9998(ficommon),10002(kafkaadmin),10003(kafka)
FusionInsight Manager:
- Log in to FusionInsight Manager.
- Choose System > Permission > User.
- Locate the row that contains the target user, and click Modify.
- Add the user to the kafkaadmin group. Click OK.
- Run the id command to query the user group information.
  [root@10-10-144-2 client]# id test
  uid=20032(test) gid=10001(hadoop) groups=10001(hadoop),9998(ficommon),10002(kafkaadmin),10003(kafka)
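The klist and id checks from Cause Analysis, and the verification step in Solution, can be combined into one pre-flight check to run before kafka-acls.sh. The script below is an added example, not part of the product documentation; the function names are hypothetical, and it assumes the part of the Kerberos principal before "@" is the user name that id resolves.

```shell
#!/bin/sh
# Added example: pre-flight check before running kafka-acls.sh.
# Assumption: the part of the principal before "@" is the user name `id` resolves.
REQUIRED_GROUP="kafkaadmin"

# Sample inputs copied from the command outputs shown on this page.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test@HADOOP.COM'
SAMPLE_ID_BEFORE='uid=20032(test) gid=10001(hadoop) groups=10001(hadoop),9998(ficommon),10003(kafka)'
SAMPLE_ID_AFTER='uid=20032(test) gid=10001(hadoop) groups=10001(hadoop),9998(ficommon),10002(kafkaadmin),10003(kafka)'

# Print the short user name from klist output text ($1); empty if no ticket.
principal_user() {
    printf '%s\n' "$1" | sed -n 's/^Default principal: *\([^@/]*\).*$/\1/p' | head -n 1
}

# Succeed only if id output text ($1) lists group $2 by exact name,
# so membership in "kafka" is never mistaken for "kafkaadmin".
in_group() {
    printf '%s\n' "$1" | sed -n 's/.* groups=//p' | tr ',' '\n' \
        | sed 's/^[0-9]*(\(.*\))$/\1/' | grep -Fqx -- "$2"
}

# Return 0 if the ticket's user may set ACLs, 1 if not in the group, 2 if no ticket.
check_acl_admin() {
    user=$(principal_user "$1")
    if [ -z "$user" ]; then
        echo "no Kerberos ticket found; run kinit first" >&2
        return 2
    fi
    if in_group "$2" "$REQUIRED_GROUP"; then
        echo "$user is in $REQUIRED_GROUP"
        return 0
    fi
    echo "$user is not in $REQUIRED_GROUP; expect NoAuth from kafka-acls.sh" >&2
    return 1
}

# Run against the samples; on a client node pass "$(klist)" and "$(id <user>)" instead.
check_acl_admin "$SAMPLE_KLIST" "$SAMPLE_ID_BEFORE" || true
check_acl_admin "$SAMPLE_KLIST" "$SAMPLE_ID_AFTER"
```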