Description
Issue submitter TODO list
- I've looked up my issue in FAQ
- I've searched for already existing issues here
- I've tried running master-labeled docker image and the issue still persists there
- I'm running a supported version of the application which is listed here
Describe the bug (actual behavior)
After upgrading from version 0.6.2 to 0.7.0 I see strange repeated messages in the KafkaUI log file (that were not there before):
org.apache.kafka.common.errors.UnknownServerException: The server experienced an unexpected error when processing the request.
2023-05-15 11:14:48,017 DEBUG [parallel-3] c.p.k.u.s.ClustersStatisticsScheduler: Metrics updated for cluster: KAFKATS_TEST
2023-05-15 11:15:17,964 DEBUG [parallel-4] c.p.k.u.s.ClustersStatisticsScheduler: Start getting metrics for kafkaCluster: KAFKATS_TEST
2023-05-15 11:15:17,971 WARN [parallel-2] c.p.k.u.s.ReactiveAdminClient: Error checking if security enabled
org.apache.kafka.common.errors.UnknownServerException: The server experienced an unexpected error when processing the request.
2023-05-15 11:15:17,992 DEBUG [parallel-3] c.p.k.u.s.ClustersStatisticsScheduler: Metrics updated for cluster: KAFKATS_TEST
2023-05-15 11:15:47,964 DEBUG [parallel-4] c.p.k.u.s.ClustersStatisticsScheduler: Start getting metrics for kafkaCluster: KAFKATS_TEST
2023-05-15 11:15:47,972 WARN [parallel-2] c.p.k.u.s.ReactiveAdminClient: Error checking if security enabled
org.apache.kafka.common.errors.UnknownServerException: The server experienced an unexpected error when processing the request.
2023-05-15 11:15:47,990 DEBUG [parallel-3] c.p.k.u.s.ClustersStatisticsScheduler: Metrics updated for cluster: KAFKATS_TEST
2023-05-15 11:16:17,964 DEBUG [parallel-4] c.p.k.u.s.ClustersStatisticsScheduler: Start getting metrics for kafkaCluster: KAFKATS_TEST
2023-05-15 11:16:17,972 WARN [parallel-2] c.p.k.u.s.ReactiveAdminClient: Error checking if security enabled
org.apache.kafka.common.errors.UnknownServerException: The server experienced an unexpected error when processing the request.
2023-05-15 11:16:17,992 DEBUG [parallel-3] c.p.k.u.s.ClustersStatisticsScheduler: Metrics updated for cluster: KAFKATS_TEST
Kafka 'server.log' contains synchronous repeated messages:
[2023-05-15 11:15:47,971] ERROR (getting) acls is not supported by Ranger for Kafka (org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer)
[2023-05-15 11:15:47,971] ERROR [KafkaApi-1] Unexpected error handling request RequestHeader(apiKey=DESCRIBE_ACLS, apiVersion=2, clientId=kafka-ui-admin-1684138400-1, correlationId=49) -- DescribeAclsRequestData(resourceTypeFilter=1, resourceNameFilter=null, patternTypeFilter=1, principalFilter=null, hostFilter=null, operation=1, permissionType=1) with context RequestContext(header=RequestHeader(apiKey=DESCRIBE_ACLS, apiVersion=2, clientId=kafka-ui-admin-1684138400-1, correlationId=49), connectionId='10.120.152.240:9093-10.120.152.240:43102-474', clientAddress=/10.120.152.240, principal=User:kafkats, listenerName=ListenerName(SASL_SSL), securityProtocol=SASL_SSL, clientInformation=ClientInformation(softwareName=apache-kafka-java, softwareVersion=3.3.1), fromPrivilegedListener=true, principalSerde=Optional[org.apache.kafka.common.security.authenticator.DefaultKafkaPrincipalBuilder@6818625]) (kafka.server.KafkaApis)
java.lang.UnsupportedOperationException: (getting) acls is not supported by Ranger for Kafka
at org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer.acls(RangerKafkaAuthorizer.java:334)
at org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer.acls(RangerKafkaAuthorizer.java:185)
at kafka.server.AclApis.handleDescribeAcls(AclApis.scala:70)
at kafka.server.KafkaApis.handleDescribeAcls(KafkaApis.scala:2574)
at kafka.server.KafkaApis.handle(KafkaApis.scala:198)
at kafka.server.KafkaRequestHandler.run(KafkaRequestHandler.scala:75)
at java.lang.Thread.run(Thread.java:750)
Expected behavior
The messages "Error checking if security enabled" are absent in the KafkaUI log and the synchronous messages 'acls is not supported by Ranger for Kafka' are absent in the Kafka 'server.log'
Your installation details
KafkaUI - fdd9ad9 11.05.2023, 17:02:15
KafkaUI startup script with configuration parameters:
export DYNAMIC_CONFIG_ENABLED='false'
export SECURITY_BASIC_ENABLED='false'
export SERVER_PORT='8080'
export SERVER_SSL_ENABLED='true'
export SERVER_SSL_KEY_STORE_TYPE='JKS'
export SERVER_SSL_KEY_STORE='/disk01/kafka-ui-api-v0.7.0/keystore.jks'
export SERVER_SSL_KEY_STORE_PASSWORD='***'
export AUTH_TYPE='LDAP'
export SPRING_LDAP_URLS='ldaps://.**..com:3269 ldaps://.**..com:3269'
export SPRING_LDAP_BASE='DC=,DC=*,DC=com'
export SPRING_LDAP_USER_FILTER_SEARCH_BASE='DC=,DC=,DC=com'
export SPRING_LDAP_USER_FILTER_SEARCH_FILTER='(&(sAMAccountName={0})(|(memberOf=CN=kafka-admin,OU=Service,DC=**,DC=,DC=com)(memberOf=CN=admin,OU=Service,DC=,DC=*,DC=com)))'
export SPRING_LDAP_ADMIN_USER='CN=ldap-user,OU=Service,DC=,DC=,DC=com'
export SPRING_LDAP_ADMIN_PASSWORD='**'
export KAFKA_CLUSTERS_0_METRICS_PORT='9094'
export KAFKA_CLUSTERS_0_METRICS_SSL='false'
export KAFKA_CLUSTERS_0_METRICS_TYPE='false'
export KAFKA_CLUSTERS_0_NAME='KAFKATS_TEST'
export KAFKA_CLUSTERS_0_READONLY='false'
export KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS='kafka-tst..*.com:9093'
export KAFKA_CLUSTERS_0_ZOOKEEPER='kafka-tst..*.com.com:2182'
export KAFKA_CLUSTERS_0_SSL_TRUSTSTORELOCATION='/disk01/kafka-ui-api-v0.7.0/keystore.jks'
export KAFKA_CLUSTERS_0_SSL_TRUSTSTOREPASSWORD='***'
export KAFKA_CLUSTERS_0_PROPERTIES_SECURITY_PROTOCOL='SASL_SSL'
export KAFKA_CLUSTERS_0_PROPERTIES_SASL_MECHANISM='GSSAPI'
export KAFKA_CLUSTERS_0_PROPERTIES_SASL_KERBEROS_SERVICE_NAME='kafkats'
export KAFKA_CLUSTERS_0_PROPERTIES_SASL_JAAS_CONFIG='com.sun.security.auth.module.Krb5LoginModule required serviceName="kafkats" useKeyTab=true storeKey=true keyTab="/disk01/kafka-ui-api-v0.7.0/kafka-tst.keytab" principal="kafkats/kafka-tst..*.com@..COM";'
export KAFKA_CLUSTERS_0_PROPERTIES_SSL_KEYSTORE_TYPE='JKS'
export KAFKA_CLUSTERS_0_PROPERTIES_SSL_KEYSTORE_LOCATION='/disk01/kafka-ui-api-v0.7.0/keystore.jks'
export KAFKA_CLUSTERS_0_PROPERTIES_SSL_KEYSTORE_PASSWORD=''
export KAFKA_CLUSTERS_0_PROPERTIES_SSL_KEY_PASSWORD=''
export KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_TYPE='JKS'
export KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_LOCATION='/disk01/kafka-ui-api-v0.7.0/keystore.jks'
export KAFKA_CLUSTERS_0_PROPERTIES_SSL_TRUSTSTORE_PASSWORD='**'
export KAFKA_CLUSTERS_0_PROPERTIES_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM=''
export KAFKA_CLUSTERS_0_SCHEMAREGISTRY='https://kafka-tst.**.*.com:8081'
export KAFKA_CLUSTERS_0_SCHEMAREGISTRYSSL_KEYSTORELOCATION='/disk01/kafka-ui-api-v0.7.0/keystore.jks'
export KAFKA_CLUSTERS_0_SCHEMAREGISTRYSSL_KEYSTOREPASSWORD=''
export KAFKA_CLUSTERS_0_SCHEMAREGISTRYSSL_KEYPASSWORD=''
export KAFKA_CLUSTERS_0_SCHEMAREGISTRYSSL_TRUSTSTORELOCATION='/disk01/kafka-ui-api-v0.7.0/keystore.jks'
export KAFKA_CLUSTERS_0_SCHEMAREGISTRYSSL_TRUSTSTOREPASSWORD='***'
export JAVA_OPTS=" -Dzookeeper.client.secure=false -Dzookeeper.ssl.client.enable=false -Djavax.net.ssl.keyStoreType=jks -Djavax.net.ssl.keyStore=/disk01/kafka-ui-api-v0.7.0/keystore.jks -Djavax.net.ssl.keyStorePassword=*** -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStore=/disk01/kafka-ui-api-v0.7.0/keystore.jks -Djavax.net.ssl.trustStorePassword==***"
export JAVA_OPTS="$JAVA_OPTS -Xms2g -Xmx4g -Djava.awt.headless=true --add-opens java.rmi/javax.rmi.ssl=ALL-UNNAMED"
cd /disk01/kafka-ui-api-v0.7.0
nohup /opt/java/jdk-17.0.3.1/bin/java $JAVA_OPTS -jar /disk01/kafka-ui-api-v0.7.0/kafka-ui-api-v0.7.0.jar>/disk01/kafka-ui-api-v0.7.0/kafkaui-console.log 2>&1 &
=====
Kafka - confluent-community-7.1.0 with 'ranger-kafka-plugin' enabled
broker.id=1
listeners=SASL_SSL://kafka-tst..*.com:9093
advertised.listeners=SASL_SSL://kafka-tst..*.com:9093
num.network.threads=3
num.io.threads=8
socket.send.buffer.bytes=102400
socket.receive.buffer.bytes=102400
socket.request.max.bytes=104857600
log.dirs=/disk01/kafkats/kafka-logs
num.partitions=1
num.recovery.threads.per.data.dir=1
offsets.topic.replication.factor=1
transaction.state.log.replication.factor=1
transaction.state.log.min.isr=1
log.retention.hours=168
log.segment.bytes=1073741824
log.retention.check.interval.ms=300000
zookeeper.connect=kafka-tst.**.*.com:2182
zookeeper.connection.timeout.ms=18000
group.initial.rebalance.delay.ms=0
sasl.kerberos.service.name=kafkats
zookeeper.ssl.client.enable=true
zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
zookeeper.ssl.truststore.location=/disk01/kafkats/etc/truststore.jks
zookeeper.ssl.truststore.password=***
inter.broker.listener.name=SASL_SSL
ssl.client.auth=required
ssl.keystore.location=/disk01/kafkats/etc/keystore.jks
ssl.keystore.password=***
authorizer.class.name=org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer
ssl.protokol=TLS
auto.create.topics.enable=false
auto.leader.rebalance.enable=true
delete.topic.enable=true
kerberos.auth.enable=true
leader.imbalance.check.interval.seconds=300
leader.imbalance.per.broker.percentage=10
message.max.bytes=5242880
num.replica.fetchers=14
replica.fetch.max.bytes=5242880
replica.lag.time.max.ms=10000
zookeeper.session.timeout.ms=60000
sasl.mechanism.inter.broker.protokol=GSSAPI
sasl.enabled.mechanisms=GSSAPI
sasl.mechanism=GSSAPI
Steps to reproduce
As far as I understand, the problem is that we do not use the built-in Kafka ACL mechanism for restricting access to Kafka-topics, but we use the Ranger-Kafka-Plugin.
Therefore, we need the ability in KafkaUI to disable the functionality for Kafka ACL discovery from the Kafka server.
Screenshots
No response
Logs
No response
Additional context
No response
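An added triage example, not part of the original report or the kafka-ui code base: it parses broker `server.log` lines like the one quoted above and groups failed requests by API key, client ID, principal and source address, so a client polling `DESCRIBE_ACLS` on a fixed interval stands out. The log text is a constructed sample modelled on the report; the second client (`adminclient-7`, `User:ops`, `192.0.2.10`) is hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample modelled on the broker lines in the report (fields shortened).
SAMPLE_SERVER_LOG = """\
[2023-05-15 11:15:17,970] ERROR (getting) acls is not supported by Ranger for Kafka (org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer)
[2023-05-15 11:15:17,970] ERROR [KafkaApi-1] Unexpected error handling request RequestHeader(apiKey=DESCRIBE_ACLS, apiVersion=2, clientId=kafka-ui-admin-1684138400-1, correlationId=48) -- DescribeAclsRequestData(resourceTypeFilter=1, principalFilter=null) with context RequestContext(clientAddress=/10.120.152.240, principal=User:kafkats, securityProtocol=SASL_SSL) (kafka.server.KafkaApis)
java.lang.UnsupportedOperationException: (getting) acls is not supported by Ranger for Kafka
[2023-05-15 11:15:47,971] ERROR [KafkaApi-1] Unexpected error handling request RequestHeader(apiKey=DESCRIBE_ACLS, apiVersion=2, clientId=kafka-ui-admin-1684138400-1, correlationId=49) -- DescribeAclsRequestData(resourceTypeFilter=1, principalFilter=null) with context RequestContext(clientAddress=/10.120.152.240, principal=User:kafkats, securityProtocol=SASL_SSL) (kafka.server.KafkaApis)
[2023-05-15 11:16:17,971] ERROR [KafkaApi-1] Unexpected error handling request RequestHeader(apiKey=DESCRIBE_ACLS, apiVersion=2, clientId=kafka-ui-admin-1684138400-1, correlationId=50) -- DescribeAclsRequestData(resourceTypeFilter=1, principalFilter=null) with context RequestContext(clientAddress=/10.120.152.240, principal=User:kafkats, securityProtocol=SASL_SSL) (kafka.server.KafkaApis)
[2023-05-15 11:16:20,100] ERROR [KafkaApi-1] Unexpected error handling request RequestHeader(apiKey=DESCRIBE_ACLS, apiVersion=2, clientId=adminclient-7, correlationId=3) -- DescribeAclsRequestData(resourceTypeFilter=1, principalFilter=null) with context RequestContext(clientAddress=/192.0.2.10, principal=User:ops, securityProtocol=SASL_SSL) (kafka.server.KafkaApis)
"""

HEADER = re.compile(
    r"^\[(?P<ts>[^\]]+)\] ERROR \[KafkaApi-\d+\] Unexpected error handling request "
    r"RequestHeader\(apiKey=(?P<api>\w+), .*?clientId=(?P<client>[^,)]+)"
)
# \bprincipal= skips the principalFilter= and principalSerde= fields on the same line.
CONTEXT = {"address": re.compile(r"clientAddress=/([^,)]+)"),
           "principal": re.compile(r"\bprincipal=([^,)]+)")}

def parse_failed_requests(text):
    """Return one record per broker 'Unexpected error handling request' line."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # authorizer message, stack frames, unrelated lines
        rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"),
               "api": m["api"], "client": m["client"]}
        for field, rx in CONTEXT.items():
            found = rx.search(line)
            rec[field] = found.group(1) if found else None
        events.append(rec)
    return events

def summarize(events):
    """Group by (api, client, principal, address); give count and polling period."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["api"], e["client"], e["principal"], e["address"])].append(e["ts"])
    out = {}
    for key, stamps in groups.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        out[key] = {"count": len(stamps), "period_s": round(median(gaps)) if gaps else None}
    return out
```

A steady `period_s` for a single client ID points to scheduled polling rather than interactive use, which matches the 30-second cadence of the `ClustersStatisticsScheduler` lines in the KafkaUI log above.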