kafka
auth_error
ai_generated
true
org.apache.kafka.common.errors.TransactionalIdAuthorizationException: Transactional ID authorization failed
ID: kafka/transactional-id-authorization-failed
Fix Rate: 90%
Confidence: 87%
Evidence: 1
First Seen: 2023-11-10
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| 2.8.0 | active | — | — | — |
| 3.2.0 | active | — | — | — |
| 3.4.0 | active | — | — | — |
Root Cause
Producer's transactional.id is not authorized by broker ACLs for the WRITE operation on the transactional ID resource.
Official Documentation
https://kafka.apache.org/documentation/#security_authz
Workarounds
- 95% success: Add ACL for the transactional ID with WRITE permission for the producer principal using kafka-acls.sh.
- 90% success: Use kafka-acls.sh to grant DESCRIBE and WRITE on the transactional ID resource.
- 85% success: If using Kafka 3.0+, enable 'authorizer.class.name' with 'kafka.security.authorizer.AclAuthorizer' and add ACLs via AdminClient API.
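The kafka-acls.sh grant described in the workarounds, as an added example that is not part of the original entry: a small helper that prints the command for one producer principal and one transactional ID, and refuses wildcard principals or IDs so the grant stays least-privilege. The broker address, client config path, and the principal and ID names in the usage are placeholder assumptions.

```shell
#!/bin/sh
# Added example: build the kafka-acls.sh grant for one producer's transactional.id.
# BOOTSTRAP and CLIENT_CONFIG defaults are placeholders (assumptions).
BOOTSTRAP=${BOOTSTRAP:-localhost:9092}
CLIENT_CONFIG=${CLIENT_CONFIG:-admin.properties}

# usage: txn_acl_cmd <User:name> <transactional-id> [literal|prefixed]
# Prints the command instead of running it so it can be reviewed first.
txn_acl_cmd() {
    principal=${1:-}; txn_id=${2:-}; pattern=${3:-literal}

    # Least privilege: exactly one named principal, never the wildcard.
    case $principal in
        User:\*) echo "refusing wildcard principal" >&2; return 1 ;;
        *\'*)    echo "quote in principal not supported here" >&2; return 1 ;;
        User:?*) ;;
        *)       echo "principal must be User:<name>" >&2; return 1 ;;
    esac

    # Reject empty or wildcard IDs; restrict to shell-safe characters
    # (a limit of this helper, not of Kafka).
    case $txn_id in
        ''|*[!A-Za-z0-9._-]*) echo "unsafe or empty transactional.id" >&2; return 1 ;;
    esac

    case $pattern in
        literal|prefixed) ;;
        *) echo "pattern must be literal or prefixed" >&2; return 1 ;;
    esac

    # WRITE and DESCRIBE on the TransactionalId resource, as in the workarounds.
    printf "kafka-acls.sh --bootstrap-server %s --command-config %s --add" \
        "$BOOTSTRAP" "$CLIENT_CONFIG"
    printf " --allow-principal '%s' --operation Write --operation Describe" \
        "$principal"
    printf " --transactional-id %s --resource-pattern-type %s\n" \
        "$txn_id" "$pattern"
}

# Print the command when called as: script.sh User:<name> <transactional-id> [pattern]
if [ "$#" -ge 2 ]; then
    txn_acl_cmd "$@"
fi
```

After applying the printed command, `kafka-acls.sh --list --transactional-id <id>` with the same connection options shows the resulting ACLs for that transactional ID.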
Dead Ends
Common approaches that don't work:
- 95% fail: Disabling ACLs globally bypasses security but introduces vulnerability; does not fix authorization logic.
- 80% fail: Super users bypass ACLs but require broker restart; not a scalable solution for multiple producers.
- 90% fail: New transactional ID still needs ACL authorization; error persists unless ACLs are updated.