ISSUE-3820: ACL enablement check fixes: #4034

Merged
merged 6 commits into from
Aug 1, 2023
Contributor

@iliax iliax commented Jul 12, 2023

ACL enablement check fixes:

  1. Setting 1 hour ConfigRelatedInfo update duration
  2. logging ACL checking on debug level
  • Breaking change? (if so, please describe the impact and migration path for existing application instances)

What changes did you make? (Give an overview)

Is there anything you'd like reviewers to focus on?

How Has This Been Tested? (put an "x" (case-sensitive!) next to an item)

  • No need to
  • Manually (please, describe, if necessary)
  • Unit checks
  • Integration checks
  • Covered by existing automation

Checklist (put an "x" (case-sensitive!) next to all the items, otherwise the build will fail)

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (e.g. ENVIRONMENT VARIABLES)
  • My changes generate no new warnings (e.g. Sonar is happy)
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged

Check out Contributing and Code of Conduct

A picture of a cute animal (not mandatory but encouraged)

@github-actions github-actions bot added the status/triage Issues pending maintainers triage label Jul 12, 2023
@iliax iliax linked an issue Jul 12, 2023 that may be closed by this pull request
4 tasks
@iliax iliax marked this pull request as ready for review July 12, 2023 12:12
@iliax iliax requested a review from a team as a code owner July 12, 2023 12:12
@joelpavlovsky

Hey, what is the status here:) ?

@Haarolean
Contributor

> Hey, what is the status here:) ?

#3820 (comment)

@Haarolean Haarolean added type/bug Something isn't working scope/backend and removed status/triage Issues pending maintainers triage labels Jul 24, 2023
@Haarolean Haarolean enabled auto-merge (squash) July 24, 2023 07:30
@Haarolean Haarolean merged commit b2c3fcc into master Aug 1, 2023
@Haarolean Haarolean deleted the ISSUE_3820 branch August 1, 2023 12:42
@mvassli

mvassli commented Sep 20, 2023

@Haarolean tested today with master image tag. Same issue as before.

2023-09-20 06:27:04,177 INFO  [parallel-1] o.a.k.c.s.a.AbstractLogin: Successfully logged in.
2023-09-20 06:27:04,263 INFO  [parallel-1] o.a.k.c.u.AppInfoParser: Kafka version: 3.5.0
2023-09-20 06:27:04,264 INFO  [parallel-1] o.a.k.c.u.AppInfoParser: Kafka commitId: c97b88d5db4de28d
2023-09-20 06:27:04,264 INFO  [parallel-1] o.a.k.c.u.AppInfoParser: Kafka startTimeMs: 1695191224263
2023-09-20 06:27:06,283 DEBUG [parallel-1] c.p.k.u.s.ReactiveAdminClient: Error checking if security enabled
org.apache.kafka.common.errors.ClusterAuthorizationException: Request Request(processor=2, connectionId=10.231.182.212:9092-10.99.75.89:41334-492, session=Session(User:dev,10.99.75.89/10.99.75.89), listenerName=ListenerName(SASL_SSL), securityProtocol=SASL_SSL, buffer=null) is not authorized.
2023-09-20 06:27:06,618 DEBUG [parallel-1] c.p.k.u.s.ClustersStatisticsScheduler: Metrics updated for cluster: Dev

@metaruslan

This only fixes the error on the kafka ui side (i.e. making it DEBUG), but kafka itself still pollutes the logs with an error message:

kafka-1 | [2024-10-22 13:35:55,159] ERROR [KafkaApi-0] Unexpected error handling request RequestHeader(apiKey=DESCRIBE_ACLS, apiVersion=3, clientId=kafka-ui-admin-1729604154-1, correlationId=5, headerVersion=2) -- DescribeAclsRequestData(resourceTypeFilter=1, resourceNameFilter=null, patternTypeFilter=1, principalFilter=null, hostFilter=null, operation=1, permissionType=1) with context RequestContext(header=RequestHeader(apiKey=DESCRIBE_ACLS, apiVersion=3, clientId=kafka-ui-admin-1729604154-1, correlationId=5, headerVersion=2), connectionId='172.19.0.2:19092-172.19.0.4:33086-0', clientAddress=/172.19.0.4, principal=OAuthKafkaPrincipal(User:service-account-team-a-client, groups: null, session: 516380415, token: eyJhrz3Q), listenerName=ListenerName(SECURED), securityProtocol=SASL_PLAINTEXT, clientInformation=ClientInformation(softwareName=apache-kafka-java, softwareVersion=3.5.0), fromPrivilegedListener=false, principalSerde=Optional[io.strimzi.kafka.oauth.server.OAuthKafkaPrincipalBuilder@43175279]) (kafka.server.KafkaApis)
kafka-1 | org.apache.kafka.common.errors.ClusterAuthorizationException: Request Request(processor=7, connectionId=172.19.0.2:19092-172.19.0.4:33086-0, session=Session(OAuthKafkaPrincipal(User:service-account-team-a-client, groups: null, session: 516380415, token: eyJhrz3Q),/172.19.0.4), listenerName=ListenerName(SECURED), securityProtocol=SASL_PLAINTEXT, buffer=null, envelope=None) is not authorized.

Is there a workaround to disable this kafka ui check or can a configuration be added, so that kafka ui doesn't do this check in the first place?
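
Added example (not part of the thread and not kafka-ui code): a broker-side triage of the `DESCRIBE_ACLS` authorization errors quoted above, separating the UI's known probe from other callers and redacting the token fragment before logs are shared. The sample lines are constructed, and the principals, addresses and the `EXPECTED` allowlist are assumptions; only the `kafka-ui-admin-` clientId prefix is taken from the log in this comment.

```python
import re
from collections import Counter

def sample_event(sec, api, cid, user, ip):  # constructed header line + exception line
    return (f"kafka-1 | [2024-01-01 10:00:0{sec},000] ERROR [KafkaApi-0] Unexpected error handling "
            f"request RequestHeader(apiKey={api}, apiVersion=3, clientId={cid}, correlationId=5) "
            f"with context RequestContext(clientAddress=/{ip}, principal=OAuthKafkaPrincipal({user}, "
            f"groups: null, session: 1, token: eyJhAAAA), listenerName=ListenerName(SECURED))\n"
            "kafka-1 | org.apache.kafka.common.errors.ClusterAuthorizationException: not authorized.")
# Constructed sample input; principals, addresses and client ids are made up.
SAMPLE_LOG = "\n".join([
    sample_event(1, "DESCRIBE_ACLS", "kafka-ui-admin-1-1", "User:svc-ui", "192.0.2.10"),
    "kafka-1 | [2024-01-01 10:00:02,000] INFO [SocketServer] unrelated line",
    sample_event(3, "DESCRIBE_ACLS", "adminclient-7", "User:svc-batch", "192.0.2.55"),
    sample_event(4, "DESCRIBE_ACLS", "kafka-ui-admin-1-1", "User:svc-ui", "192.0.2.10"),
])
# Assumption: (principal, clientId prefix) pairs you expect to run the UI's ACL probe.
EXPECTED = [("User:svc-ui", "kafka-ui-admin-")]

FIELDS = {
    "api_key": re.compile(r"apiKey=(\w+)"),
    "client_id": re.compile(r"clientId=([^,)]+)"),
    "address": re.compile(r"clientAddress=/([^,)\s]+)"),
    "principal": re.compile(r"principal=(?:\w+\()?(User:[^,)\s]+)"),
}

def parse_denials(text):
    """Return fields of each request error that is followed by ClusterAuthorizationException."""
    events, pending = [], None
    for line in text.splitlines():
        if "Unexpected error handling request" in line:
            pending = {k: m.group(1) for k, rx in FIELDS.items() if (m := rx.search(line))}
        elif "ClusterAuthorizationException" in line and pending:
            events.append(pending)
            pending = None
        else:
            pending = None
    return events

def triage(text, expected=EXPECTED):
    """Count denials, separating the known UI probe from callers that need a look."""
    counts = Counter()
    for ev in parse_denials(text):
        known = any(ev.get("principal") == p and ev.get("client_id", "").startswith(pre) for p, pre in expected)
        verdict = "expected-probe" if known and ev.get("api_key") == "DESCRIBE_ACLS" else "review"
        counts[(verdict, ev.get("principal"), ev.get("address"))] += 1
    return counts

def redact(text):  # strip the token fragment the principal builder prints into the log
    return re.sub(r"(token: )[^),\s]+", r"\1<redacted>", text)
```

The clientId is chosen by the client, so the allowlist matches it only together with the authenticated principal.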

@Haarolean
Contributor

This repo is not maintained (#4255), please report the issues at https://github.com/kafbat/kafka-ui

Labels
scope/backend type/bug Something isn't working
Development

Successfully merging this pull request may close these issues.

ACL enabled check results in an error
5 participants