[jira] [Commented] (KAFKA-5424) KafkaConsumer.listTopics() throws Exception when unauthorized topics exist in cluster

Sat, 10 Jun 2017 10:53:54 -0700 

    [ 
https://issues.apache.org/jira/browse/KAFKA-5424?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16045634#comment-16045634
 ] 

Mickael Maison commented on KAFKA-5424:
---------------------------------------

I was able to reproduce when running 0.10.0.0 for the broker but it probably 
happens on all version pre 0.10.1.0 because of 
https://issues.apache.org/jira/browse/KAFKA-3396

Using the default server.properties, add:
{noformat}
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
allow.everyone.if.no.acl.found=true
{noformat}

Create a topic, add a deny all ACL: 
{noformat}
./kafka-acls.sh --topic mytopic --deny-host * --authorizer-properties 
zookeeper.connect=localhost --add --deny-principal User:*
{noformat}

Calling listTopics() yields:
{noformat}
Exception in thread "main" 
org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to 
access topics: [mytopic]
{noformat}

No sure what's the best way to fix that. Maybe we could have a flag indicating 
we're trying to list topics and if set ignore {{unauthorizedTopics}} in 
{{getTopicMetadata()}}.

> KafkaConsumer.listTopics() throws Exception when unauthorized topics exist in 
> cluster
> -------------------------------------------------------------------------------------
>
>                 Key: KAFKA-5424
>                 URL: https://issues.apache.org/jira/browse/KAFKA-5424
>             Project: Kafka
>          Issue Type: Bug
>          Components: consumer
>            Reporter: Mike Fagan
>
> KafkaConsumer.listTopics() internally calls Fetcher. 
> getAllTopicMetadata(timeout) and this method will throw a 
> TopicAuthorizationException when there exists an unauthorized topic in the 
> cluster. 
> This behavior runs counter to the API docs and makes listTopics() unusable 
> except in the case of the consumer is authorized for every single topic in 
> the cluster. 
> A potentially better approach is to have Fetcher implement a new method 
> getAuthorizedTopicMetadata(timeout)  and have KafkaConsumer call this method 
> instead of getAllTopicMetadata(timeout) from within KafkaConsumer.listTopics()



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to