Hi

For weeks we have had the following error on one of our environments when creating
PREFIXED ACLs.


Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name=xyz1, patternType=PREFIXED)`:
        (principal=User:xyz, host=*, operation=READ, permissionType=ALLOW)
        (principal=User:xyz, host=*, operation=DESCRIBE, permissionType=ALLOW)



Error while executing ACL command: org.apache.kafka.common.errors.InvalidRequestException: Failed to create ACL
java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.InvalidRequestException: Failed to create ACL
        at org.apache.kafka.common.internals.KafkaFutureImpl.wrapAndThrow(KafkaFutureImpl.java:45)
        at org.apache.kafka.common.internals.KafkaFutureImpl.access$000(KafkaFutureImpl.java:32)
        at org.apache.kafka.common.internals.KafkaFutureImpl$SingleWaiter.await(KafkaFutureImpl.java:89)
        at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:260)
        at kafka.admin.AclCommand$AdminClientService.$anonfun$addAcls$3(AclCommand.scala:112)
        at scala.collection.IterableOnceOps.foreach(IterableOnce.scala:553)
        at scala.collection.IterableOnceOps.foreach$(IterableOnce.scala:551)
        at scala.collection.AbstractIterable.foreach(Iterable.scala:920)
        at scala.collection.IterableOps$WithFilter.foreach(Iterable.scala:890)
        at kafka.admin.AclCommand$AdminClientService.$anonfun$addAcls$1(AclCommand.scala:109)
        at kafka.admin.AclCommand$AdminClientService.addAcls(AclCommand.scala:108)
        at kafka.admin.AclCommand$.main(AclCommand.scala:70)
        at kafka.admin.AclCommand.main(AclCommand.scala)
Caused by: org.apache.kafka.common.errors.InvalidRequestException: Failed to create ACL

If I try to run it again with the same TOPIC name, it shows that something
already exists.

Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name= xyz1, patternType=PREFIXED)`:
        (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)
        (principal=User: xyz, host=*, operation=DESCRIBE, permissionType=ALLOW)

Adding ACLs for resource `ResourcePattern(resourceType=GROUP, name= xyz1, patternType=PREFIXED)`:
        (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name= xyz1, patternType=PREFIXED)`:
        (principal=User: xyz, host=*, operation=DESCRIBE, permissionType=ALLOW)
        (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=GROUP, name= xyz1, patternType=PREFIXED)`:
        (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)

But the ACL wasn’t created correctly. Deleting these is also not possible.

If we do the same with patternType “LITERAL”, it works directly and the ACL is
also created correctly and usable.


Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name=xyz2, patternType=LITERAL)`:
        (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)
        (principal=User: xyz, host=*, operation=DESCRIBE, permissionType=ALLOW)

Adding ACLs for resource `ResourcePattern(resourceType=GROUP, name= xyz2, patternType=LITERAL)`:
        (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=GROUP, name= xyz2, patternType=LITERAL)`:
        (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name= xyz2, patternType=LITERAL)`:
        (principal=User: xyz, host=*, operation=DESCRIBE, permissionType=ALLOW)
        (principal=User: xyz, host=*, operation=READ, permissionType=ALLOW)

We only have this problem on our integration environment; on production we have
no problems creating PREFIXED ACLs.

On both environments we have the following versions installed.

OS: RHEL7
Confluent-6.1.2
Kafka-2.7
Zookeeper-3.5.9

We think it is an issue in ZooKeeper but aren’t able to find the reason.

Thanks for your help and input.
Best regards,
Daniel Marino
