[ https://issues.apache.org/jira/browse/KAFKA-5994?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16739407#comment-16739407 ]

ASF GitHub Bot commented on KAFKA-5994:
---------------------------------------

omkreddy commented on pull request #5021: KAFKA-5994: Log 
ClusterAuthorizationException for all ClusterAction requests
URL: https://github.com/apache/kafka/pull/5021

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Improve transparency of broker user ACL misconfigurations
> ---------------------------------------------------------
>
>                 Key: KAFKA-5994
>                 URL: https://issues.apache.org/jira/browse/KAFKA-5994
>             Project: Kafka
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 0.10.2.1
>            Reporter: Dustin Cote
>            Priority: Major
>             Fix For: 2.2.0
>
>
> When the user for inter broker communication is not a super user and ACLs are 
> configured with allow.everyone.if.no.acl.found=false, the cluster will not 
> serve data. This is extremely confusing to debug because there is no security 
> negotiation problem or indication of an error other than no data can make it 
> in or out of the broker. If one knew to look in the authorizer log, it would 
> be more clear, but that didn't make it into my workflow at least. Here's an 
> example of a problematic debugging scenario:
> * SASL_SSL, SSL, SASL_PLAINTEXT ports on the brokers
> * SASL user specified in `super.users`
> * SSL specified as the inter broker protocol
> The only way I could figure out ACLs were an issue without gleaning it 
> through configuration inspection was that controlled shutdown indicated that 
> a cluster action had failed. 
> It would be good if we could be more transparent about the failure here. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
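
The scenario in the issue can be caught by inspecting the broker configuration before the cluster stops serving data. The check below is an added example, not code from the Kafka project or from this thread. The sample configuration and the broker principal (a certificate DN, as used when the inter-broker protocol is SSL) are constructed, and the function names are hypothetical. ACLs stored by the authorizer are not visible in server.properties, so the finding states what still has to be verified.

```python
# Added example (not Kafka project code): static check of server.properties
# for the inter-broker authorization gap described in KAFKA-5994.

SAMPLE_CONFIG = """\
# constructed sample matching the scenario in the issue
listeners=SASL_SSL://:9093,SSL://:9094,SASL_PLAINTEXT://:9092
security.inter.broker.protocol=SSL
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:kafka
allow.everyone.if.no.acl.found=false
"""

def parse_properties(text):
    """Parse Java-style key=value lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")  # values (e.g. DNs) may contain '='
        props[key.strip()] = value.strip()
    return props

def check_inter_broker_authz(props, broker_principal):
    """Return findings for broker_principal, the identity brokers present to
    each other (assumed input; for SSL this is derived from the certificate)."""
    if not props.get("authorizer.class.name"):
        return []  # no authorizer configured, so ACLs are not enforced
    # super.users is semicolon-separated because DNs contain commas
    super_users = {u.strip() for u in props.get("super.users", "").split(";") if u.strip()}
    if broker_principal in super_users:
        return []
    allow_all = props.get("allow.everyone.if.no.acl.found", "false").lower() == "true"
    if allow_all:
        return []
    protocol = props.get("security.inter.broker.protocol", "PLAINTEXT")
    return [
        f"inter-broker principal {broker_principal!r} (protocol {protocol}) is not in "
        "super.users and allow.everyone.if.no.acl.found=false: verify that an ACL "
        "allows ClusterAction on the Cluster resource for it, and check the "
        "authorizer log for denials"
    ]

if __name__ == "__main__":
    props = parse_properties(SAMPLE_CONFIG)
    principal = "User:CN=broker1.example.com,OU=kafka,O=example"  # constructed
    for finding in check_inter_broker_authz(props, principal):
        print("WARN:", finding)
```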
