kafka auth_error ai_generated partial

org.apache.kafka.common.errors.DelegationTokenAuthorizationException: Not authorized to access delegation tokens.

ID: kafka/delegation-token-auth-failure

Fix rate: 80%
Confidence: 82%
Evidence count: 1
First seen: 2024-01-10

Root cause analysis

The client lacks the ACL required to manage or use delegation tokens, often because the 'CreateTokens' or 'DescribeTokens' permission is missing.

generic

Official documentation

https://kafka.apache.org/documentation/#security_delegation_token

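Solution

  1. Grant the necessary ACL: `kafka-acls.sh --bootstrap-server localhost:9092 --add --allow-principal User:client_user --operation CreateTokens --user-principal '*'`. Delegation-token ACLs are set on the user resource (`--user-principal`), not on a topic, and the operation name is `CreateTokens`. The `'*'` pattern covers every token owner, so name a specific owner principal where one is enough. Then retry the token request.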

Ineffective attempts

Common but ineffective approaches:

  1. 60% failure

    Adding super.users in server.properties grants full access but is insecure and doesn't teach proper ACL management.

  2. 95% failure

    Restarting the broker doesn't change ACLs; the error persists until permissions are correctly configured.