Error when accessing Topic using principal.builder.class

[sreejesh-radhakrishnan-db]

I am using my own user principle class using principal.builder.class (logic as discussed on other thread is to CN=[email protected],O= Test Bank ,DC=test,DC=com use only [email protected]

The kafka cluster is up and running and looking at error logic of custom principal is working:

2022-03-03 08:43:25,857 INFO Principal = User: uklonvd907100.uk.db.com is Denied Operation = Describe from host = 127.0.0.6 on resource = Topic:LITERAL:kafka-cert-topic for request = Metadata with resourceRefCount = 1 (kafka.authorizer.logger) [data-plane-kafka-request-handler-3]

Topic yaml:

apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaTopic
metadata:
name: kafka-cert-topic
labels:
strimzi.io/cluster: my-cluster
spec:
partitions: 2
replicas: 2
config:
retention.ms: 7200000
segment.bytes: 1073741824

user Yaml:

apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaUser
metadata:
name: "uklonvd907100.uk.db.com"
labels:
strimzi.io/cluster: my-cluster
spec:
authentication:
type: tls-external
authorization:
type: simple
acls:
- resource:
type: topic
name: kafka-cert-topic
patternType: literal
operation: Read
host: ""
- resource:
type: topic
name: kafka-cert-topic
patternType: literal
operation: Describe
host: ""
- resource:
type: group
name: my-group
patternType: literal
operation: Read
host: ""
# Example Producer Acls for topic my-topic
- resource:
type: topic
name: kafka-cert-topic
patternType: literal
operation: Write
host: ""
- resource:
type: topic
name: kafka-cert-topic
patternType: literal
operation: Create
host: ""
- resource:
type: topic
name: kafka-cert-topic
patternType: literal
operation: Describe
host: ""

what is going wrong any idea?

[sreejesh-radhakrishnan-db]

Sorry for formatting of yaml. no clue why its all crumble up when i submit.

let me see if I can upload the file directly

[scholzj]

TBH, without the formatting it is hard to say. It is hard to read the YAMLs, but also no way to say if the YAML is correct or not. But you are using TLS client authentication. So the User Operator will expect the usernames to be prefixed with CN=. I..e CN=uklonvd907100.uk.db.com and will configure the ACLs accordingly. So you either need to update your principal builder to give the user the right name with the CN= prefix. Or - as an alternative - you can remove the authentication section from the KafkaUser resource. Then the operator will not assume TLS authentication and will not use the CN= prefix. I think that both options should solve it.

[sreejesh123]

Sorry for the formatting earlier. Trying to upload from my personal laptop,

As suggested I removed the authentication section from the KafkaUser resource: my manifest look like

user.yaml.txt

but still getting same error:

2022-03-03 08:43:25,857 INFO Principal = User: uklonvd907100.uk.db.com is Denied Operation = Describe from host = 127.0.0.6 on resource = Topic:LITERAL:kafka-cert-topic for request = Metadata with resourceRefCount = 1 (kafka.authorizer.logger) [data-plane-kafka-request-handler-3]

[scholzj]

TBH I never use the All keywords. But this:

      - resource:
          type: topic
          name: my-topic
          patternType: literal
        operation: All
        host: "*"

gives you the rights for my-topic. So rejecting it for kafka-cert-topic is expected in this case.

[sreejesh123]

Hi @scholzj sorry should have pasted the correct log on my first post. I am indeed trying to access my-topic Apologies.

Now I have updated the principal builder to give the user the right name with the CN= prefix ... the yaml used are as attached
topic.yaml.txt
kafka_user.yaml.txt

but still seeing same error:

2022-03-03 13:48:50,633 INFO Principal = User:CN=uklonvd907100.uk.db.com is Denied Operation = Describe from host = 127.0.0.6 on resource = Topic:LITERAL:my-topic for request = Metadata with resourceRefCount = 1 (kafka.authorizer.logger) [data-plane-kafka-request-handler-7]

[scholzj]

Ok. I guess the next step would be to use the Kafka APIs and find out how the ACLs have been setup in Kafka itself.

[sreejesh-radhakrishnan-db]

sorry, not done this in past, any help or any documentation as what need to be done ? ACL is one bit which is holding us from going Live, so any help would be much appreciated

[scholzj]

Not really. The Kafka documentation would be the source for this. There is a Javadoc for the Admin API which can do it. There is also the kafka-acls.sh command line tool which is part of Kafka which has some help. But I'm afraid I do not have any specific guide for it.

[sreejesh-radhakrishnan-db]

@scholzj when I use below configs for broker , type: custom for authentication ... I am assuming this is how the setup need to be while we set custom class,

  principal.builder.class: CustomCNPrincipalBuilder
listeners:
  - name: plain
    port: 9092
    type: loadbalancer
    tls: true
    authentication:
      type: custom
      sasl: false

will the KafkaBrokerConfigurationBuilder.java be using the below code? Just looking I may need to set few listener config to make the broker authentication to work?

https://github.com/strimzi/strimzi-kafka-operator/blob/main/cluster-operator/src/main/java/io/strimzi/operator/cluster/model/KafkaBrokerConfigurationBuilder.java#L390-L394

[scholzj]

I don't think you need it -> there is no check for the principal builder class and the authentication type. Plus you said that the principal builder class was working.

[sreejesh-radhakrishnan-db]

@scholzj Let me clear the air - As I am not able to authorize I am trying various options : So far I have tried two config

1. the following setup: Authentication work but Authorization fails (Principal = User:CN=uklonvd907100.uk.db.com is Denied Operation error)

   authorization:
   type: simple
   ........
   principal.builder.class: CustomCNPrincipalBuilder
   listeners:

• name: plain
  port: 9092
  type: loadbalancer
  tls: true
  authentication:
  type: tls

3. the following setup: broker do not come up at all. with a NULL Pointer (which made me ask the previous Q)
   authorization:
   type: simple
   ........
   principal.builder.class: CustomCNPrincipalBuilder
   listeners:
   • name: plain
     port: 9092
     type: loadbalancer
     tls: true
     authentication:
     type: custom
     sasl: false

Error:
java.lang.NullPointerException: null at io.strimzi.operator.cluster.model.KafkaBrokerConfigurationBuilder.configureAuthentication(KafkaBrokerConfigurationBuilder.java:393) ~[io.strimzi.cluster-operator-0.28.0.jar:0.28.0] at io.strimzi.operator.cluster.model.KafkaBrokerConfigurationBuilder.withListeners(KafkaBrokerConfigurationBuilder.java:205) ~[io.strimzi.cluster-operator-0.28.0.jar:0.28.0] at io.strimzi.operator.cluster.model.KafkaCluster.generateBrokerConfiguration(KafkaCluster.java:2062) ~[io.strimzi.cluster-operator-0.28.0.jar:0.28.0] at io.strimzi.operator.cluster.model.KafkaCluster.generateAncillaryConfigMap(KafkaCluster.java:2076) ~[io.strimzi.cluster-operator-0.28.0.jar:0.28.0] at io.strimzi.operator.cluster.operator.assembly.KafkaAssemblyOperator$ReconciliationState.lambda$getKafkaAncillaryCm$122(KafkaAssemblyOperator.java:2763) ~[io.strimzi.cluster-operator-0.28.0.jar:0.28.0] at io.vertx.core.impl.future.Composition.onSuccess(Composition.java:38) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.FutureBase.emitSuccess(FutureBase.java:60) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.FutureImpl.addListener(FutureImpl.java:196) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.FutureBase.compose(FutureBase.java:84) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.Future.compose(Future.java:199) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.strimzi.operator.cluster.operator.assembly.KafkaAssemblyOperator$ReconciliationState.getKafkaAncillaryCm(KafkaAssemblyOperator.java:2762) ~[io.strimzi.cluster-operator-0.28.0.jar:0.28.0] at io.strimzi.operator.cluster.operator.assembly.KafkaAssemblyOperator$ReconciliationState.kafkaAncillaryCm(KafkaAssemblyOperator.java:2783) ~[io.strimzi.cluster-operator-0.28.0.jar:0.28.0] at io.strimzi.operator.cluster.operator.assembly.KafkaAssemblyOperator.lambda$reconcile$52(KafkaAssemblyOperator.java:325) ~[io.strimzi.cluster-operator-0.28.0.jar:0.28.0] at io.vertx.core.impl.future.Composition.onSuccess(Composition.java:38) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.FutureBase.emitSuccess(FutureBase.java:60) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.FutureImpl.tryComplete(FutureImpl.java:211) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.Composition$1.onSuccess(Composition.java:62) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.FutureBase.emitSuccess(FutureBase.java:60) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.FutureImpl.tryComplete(FutureImpl.java:211) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.FixedMapping.onSuccess(FixedMapping.java:31) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.FutureBase.emitSuccess(FutureBase.java:60) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.FutureImpl.tryComplete(FutureImpl.java:211) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.Composition$1.onSuccess(Composition.java:62) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.FutureBase.emitSuccess(FutureBase.java:60) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.SucceededFuture.addListener(SucceededFuture.java:88) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.Composition.onSuccess(Composition.java:43) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.FutureBase.emitSuccess(FutureBase.java:60) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.FutureImpl.tryComplete(FutureImpl.java:211) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.CompositeFutureImpl.complete(CompositeFutureImpl.java:172) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.CompositeFutureImpl.lambda$join$3(CompositeFutureImpl.java:109) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.FutureImpl$3.onSuccess(FutureImpl.java:141) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.FutureBase.emitSuccess(FutureBase.java:60) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.FutureImpl.tryComplete(FutureImpl.java:211) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.Composition$1.onSuccess(Composition.java:62) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.FutureBase.emitSuccess(FutureBase.java:60) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.SucceededFuture.addListener(SucceededFuture.java:88) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.Composition.onSuccess(Composition.java:43) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.FutureBase.emitSuccess(FutureBase.java:60) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.FutureImpl.tryComplete(FutureImpl.java:211) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.PromiseImpl.tryComplete(PromiseImpl.java:23) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.PromiseImpl.onSuccess(PromiseImpl.java:49) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.vertx.core.impl.future.FutureBase.lambda$emitSuccess$0(FutureBase.java:54) ~[io.vertx.vertx-core-4.2.4.jar:4.2.4] at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:164) [io.netty.netty-common-4.1.71.Final.jar:4.1.71.Final] at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:469) [io.netty.netty-common-4.1.71.Final.jar:4.1.71.Final] at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:503) [io.netty.netty-transport-4.1.71.Final.jar:4.1.71.Final] at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986) [io.netty.netty-common-4.1.71.Final.jar:4.1.71.Final] at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [io.netty.netty-common-4.1.71.Final.jar:4.1.71.Final] at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [io.netty.netty-common-4.1.71.Final.jar:4.1.71.Final] at java.lang.Thread.run(Thread.java:829) [?:?]

[scholzj]

Did you checked the ACLs as I suggested?

[sreejesh-radhakrishnan-db]

Sorry No. but will try that now. I wasn't sure if the config I was using was right. as you pointed out principal builder class was working for me so I will set config back to how it was and check the ACLS.

authorization:
type: simple
........
principal.builder.class: CustomCNPrincipalBuilder

listeners:

name: plain
port: 9092
type: loadbalancer
tls: true
authentication:
type: tls

[sreejesh-radhakrishnan-db]

@scholzj I am trying to run the ACL as you suggested

since I dont have full access, I am trying to run kubectl exec as below

kubectl exec -it my-cluster-kafka-2 -- /opt/kafka/bin/kafka-acls.sh --bootstrap-server my-cluster-kafka-bootstrap:9092 --list --topic my-topic

here my-cluster-kafka-bootstrap:9092 is running a Plain listener. Not sure what I am missing on the command? is there any alternative way to run commands on a pod?.

Getting below error:

Error while executing ACL command: org.apache.kafka.common.errors.TimeoutException: Timed out waiting for a node assignment. Call: describeAcls
java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.TimeoutException: Timed out waiting for a node assignment. Call: describeAcls

[scholzj]

Ideally you should never run these things from the Kafka pod itself but always from some other pod (started specifically for running the utility). I do not really know the tool -> but I guess you will need to do some setting up to get it working. You still need to authenticate and authorize for this. So to debug the ACLs issue, you probably need to setup your user as a super user so that it can actually list the ACLs in the first place.

[sreejesh-radhakrishnan-db]

@scholzj thanks for the reply. I will try both ways.

your response above - "POD started specifically for running the utility" - we start the container with base image of kafka you meant isnt?

[scholzj]

Yeah, something like this:

kubectl -n kafka run helper-pod -ti --image=quay.io/strimzi/kafka:0.28.0-kafka-3.1.0 --rm=true --restart=Never -- bash

[sreejesh-radhakrishnan-db]

Just noticed - this error on LOG of kafka. does this mean anything more :-)

I have not created user - User:my-cluster-kafka

2022-03-08T11:03:32.757351651Z2022-03-08 11:03:32,757 INFO Principal = User:my-cluster-kafka is Denied Operation = ClusterAction from host = 240.0.26.97 on resource = Cluster:LITERAL:kafka-cluster for request = UpdateMetadata with resourceRefCount = 1 (kafka.authorizer.logger) [control-plane-kafka-request-handler-0]
Info
2022-03-08T11:03:32.771719069Z2022-03-08 11:03:32,771 TRACE [Controller id=1 epoch=1] Received response UpdateMetadataResponseData(errorCode=31) for request UPDATE_METADATA with correlation id 0 sent to broker my-cluster-kafka-2.my-cluster-kafka-brokers.gpm-kafka.svc:9090 (id: 2 rack: null) (state.change.logger) [Controller-1-to-broker-2-send-thread]
Info
2022-03-08T11:03:32.772173104Z2022-03-08 11:03:32,771 ERROR [Controller id=1] Received error CLUSTER_AUTHORIZATION_FAILED in UpdateMetadata response UpdateMetadataResponseData(errorCode=31) from broker 2 (state.change.logger) [controller-event-thread]

[scholzj]

Just noticed - this error on LOG of kafka. does this mean anything more :-)

Well, that suggests that your Principal Builder class does not work properly. This is one of the users used internally by Strimzi -> these need to have the original user names. Otherwise the cluster will not sync and the operators will not work.

[scholzj]

The original username follows the original Principal Builder rules.

[scholzj]

(i.e. in this case I guess CN=my-cluster-kafka)

[sreejesh-radhakrishnan-db]

Strange - I updated the custom class to return CN=my-cluster-kafka , still same error.

2022-03-08T11:56:33.439839177Z2022-03-08 11:56:33,439 INFO Principal = User:CN=my-cluster-kafka is Denied Operation = ClusterAction from host = 240.0.26.2 on resource = Cluster:LITERAL:kafka-cluster for request = UpdateMetadata with resourceRefCount = 1 (kafka.authorizer.logger) [control-plane-kafka-request-handler-0]

Let me check the DefaultKafkaPrincipalBuilder which I think is used if I am not overriding the class with custom one. think I am missing something obvious in my class and strimzi users are not set correctly. One Q - when you call DefaultKafkaPrincipalBuilder (assuming this is class you using in strimzi) do you pass value for either of this KerberosShortNamer , SslPrincipalMapper ?? ..

[scholzj]

I guess my guess was wrong then ... checking the code, it has the organization as well -> CN=my-cluster-kafka,O=io.strimzi might be better.

[sreejesh-radhakrishnan-db]

thank you that explains. I exactly know what to do now. If it fails, will trouble you again (alert in advance)

[sreejesh-radhakrishnan-db]

@scholzj CN=my-cluster-kafka,O=io.strimzi is this principal instance of X500Principal? do you know at all?

[scholzj]

No idea.

[sreejesh-radhakrishnan-db]

I thought creation of user with , and = are not allowed? as regex error comes when we try @scholzj .. just curious

[scholzj]

I thought creation of user with , and = are not allowed? as regex error comes when we try @scholzj .. just curious

You mean when you create a KafkaUser? That is true -> but these are internal users, they do not have a matching KafkaUser resource.

[sreejesh-radhakrishnan-db]

Thanks for all the support @scholzj Made it to work.

if any one is interested : code which worked for ssl make sure this is added to so that strimzi internal acl and functions are not affected.

if (!(principal instanceof X500Principal) || principal == KafkaPrincipal.ANONYMOUS) {
return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, principal.getName());
}

[scholzj]

Great, glad it works.