kafka auth_error ai_generated partial

org.apache.kafka.common.errors.DelegationTokenAuthorizationException: Not authorized to access delegation tokens.

ID: kafka/delegation-token-auth-failure

Fix Rate: 80%
Confidence: 82%
Evidence: 1
First Seen: 2024-01-10

Root Cause

The client lacks the required ACL to manage or use delegation tokens, often due to missing `CreateTokens` or `DescribeTokens` permissions.

generic


Official Documentation

https://kafka.apache.org/documentation/#security_delegation_token

Workarounds

  1. 85% success Grant the necessary ACL on the token owner's user resource: `kafka-acls.sh --bootstrap-server localhost:9092 --add --allow-principal User:client_user --operation CreateTokens --user-principal <token-owner-principal>` (`<token-owner-principal>` is a placeholder for the principal the token is created for). Then retry the token request.


Dead Ends

Common approaches that don't work:

  1. 60% fail

    Adding the principal to super.users in server.properties grants full access, bypassing all ACL checks. It is insecure and leaves the missing ACL unconfigured.

  2. 95% fail

    Restarting the broker doesn't change ACLs; the error persists until permissions are correctly configured.