Strimzi kafka - Topic authorization exception on non-tls

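I have a Strimzi Kafka cluster, deployed using the YAML below. The LoadBalancer is enabled on port 9094, without TLS.

I created a KafkaTopic, and when I try to produce to the topic on port 9094, it gives a TopicAuthorization exception.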

# KafkaDeployment.yaml
apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: dataproc-poc #1
spec:
  kafka:
    version: 3.0.0
    replicas: 3
    listeners:
      - name: plain
        port: 9092
        type: internal
        tls: false
      - name: tls
        port: 9093
        type: internal
        tls: true
      - name: external
        port: 9094
        type: loadbalancer
        tls: false 
    authorization:
      type: simple
    config:
      offsets.topic.replication.factor: 3
      transaction.state.log.replication.factor: 3
      transaction.state.log.min.isr: 2
      log.message.format.version: "3.0"
      inter.broker.protocol.version: "3.0"
    storage:
      type: jbod
      volumes:
      - id: 0
        type: persistent-claim
        size: 2Gi
        deleteClaim: false
    logging: #9
      type: inline
      loggers:
        kafka.root.logger.level: "INFO"
  zookeeper:
    replicas: 3
    storage:
      type: persistent-claim
      size: 2Gi
      deleteClaim: false
    resources:
      requests:
        memory: 1Gi
        cpu: "1"
      limits:
        memory: 2Gi
        cpu: "1.5"
    logging:
      type: inline
      loggers:
        zookeeper.root.logger: "INFO"
  entityOperator: #11
    topicOperator: {}
    userOperator: {}


# kafka-topic.yaml
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaTopic
metadata:
  name: my-topic
  labels:
    strimzi.io/cluster: dataproc-poc
spec:
  partitions: 3
  replicas: 3
  config:
    retention.ms: 7200000
    segment.bytes: 1073741824


apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  name: my-topic
  labels:
    strimzi.io/cluster: dataproc-poc
spec:
  authentication:
    type: scram-sha-512
  authorization:
    type: simple
    acls:
    # Topics and groups used by the HTTP clients through the HTTP Bridge
    # Change to match the topics used by your HTTP clients
    - resource:
        type: group
        name: mygroup
      operation: Read
    - resource:
        type: topic
        name: my-topic
        patternType: literal
      operation: Write
          
---
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaBridge
metadata:
  name: my-topic
spec:
  replicas: 1
  bootstrapServers: dataproc-poc-kafka-bootstrap:9092
  http:
    port: 8080

When I try to access the topic from the command line, I get the following error:

Karans-MacBook-Pro:dataproc-poc karanalang$ $CONFLUENT_HOME/bin/kafka-console-producer --broker-list 34.75.244.133:9094 --topic my-topic
>hi therr
[2022-01-30 21:59:47,985] WARN [Producer clientId=console-producer] Error while fetching metadata with correlation id 3 : {my-topic=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
[2022-01-30 21:59:48,008] ERROR [Producer clientId=console-producer] Topic authorization failed for topics [my-topic] (org.apache.kafka.clients.Metadata)
[2022-01-30 21:59:48,012] ERROR Error when sending message to topic my-topic with key: null, value: 8 bytes with error: (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback)
org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [my-topic]

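Any ideas on how to fix this? TIA!

None of the listeners has authentication enabled. So when you connect to it, you are just authenticated as ANONYMOUS. And ANONYMOUS has no ACLs, so it is not allowed to do anything. So you either need to enable authentication and use it, or you need to disable authorization. You should also always check the broker logs, where you get the full authorization error with all the details and a clearer idea of what the problem is.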
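The mismatch described in the answer can be caught before deployment. The following is an added example, not code from the original post or from Strimzi: it assumes the manifests are already parsed into dicts (for instance with a YAML loader), and the helper names `anonymous_listeners`, `unusable_users` and `with_listener_auth` are hypothetical.

```python
import copy

# Constructed sample input: this page's manifests, trimmed to the fields the checks read.
PAGE_KAFKA = {
    "metadata": {"name": "dataproc-poc"},
    "spec": {"kafka": {
        "listeners": [
            {"name": "plain", "port": 9092, "type": "internal", "tls": False},
            {"name": "tls", "port": 9093, "type": "internal", "tls": True},
            {"name": "external", "port": 9094, "type": "loadbalancer", "tls": False},
        ],
        "authorization": {"type": "simple"},
    }},
}
PAGE_USER = {"metadata": {"name": "my-topic", "labels": {"strimzi.io/cluster": "dataproc-poc"}},
             "spec": {"authentication": {"type": "scram-sha-512"}}}

def anonymous_listeners(kafka):
    """Names of listeners whose clients connect as ANONYMOUS while ACLs are enforced."""
    spec = kafka["spec"]["kafka"]
    if "authorization" not in spec:  # no authorizer configured, nothing gets denied
        return []
    return [lsn["name"] for lsn in spec.get("listeners", []) if "authentication" not in lsn]

def unusable_users(kafka, users):
    """KafkaUsers of this cluster whose authentication type no listener offers."""
    offered = {lsn["authentication"]["type"]
               for lsn in kafka["spec"]["kafka"].get("listeners", [])
               if "authentication" in lsn}
    found = []
    for user in users:
        labels = user["metadata"].get("labels", {})
        if labels.get("strimzi.io/cluster") != kafka["metadata"]["name"]:
            continue  # user belongs to a different cluster
        wanted = user["spec"].get("authentication", {}).get("type")
        wanted = "tls" if wanted == "tls-external" else wanted  # both use client certs
        if wanted not in offered:
            found.append(user["metadata"]["name"])
    return found

def with_listener_auth(kafka, name, auth_type):
    """Copy of the manifest with authentication enabled on the named listener."""
    fixed = copy.deepcopy(kafka)
    for lsn in fixed["spec"]["kafka"]["listeners"]:
        if lsn["name"] == name:
            lsn["authentication"] = {"type": auth_type}
    return fixed
```

On the page's manifests, `anonymous_listeners(PAGE_KAFKA)` flags all three listeners and `unusable_users(PAGE_KAFKA, [PAGE_USER])` flags `my-topic`. After `with_listener_auth(PAGE_KAFKA, "external", "scram-sha-512")` the user has a listener it can authenticate on, while `plain` (the one the KafkaBridge uses on 9092) and `tls` still yield ANONYMOUS.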