{ "id": "kafka/transactional-id-authorization-failed", "signature": "org.apache.kafka.common.errors.TransactionalIdAuthorizationException: Transactional ID authorization failed", "signature_zh": "org.apache.kafka.common.errors.TransactionalIdAuthorizationException: 事务ID授权失败", "regex": "TransactionalIdAuthorizationException.*authorization failed", "domain": "kafka", "category": "auth_error", "subcategory": null, "root_cause": "Producer's transactional.id is not authorized by broker ACLs for the WRITE operation on the transactional ID resource.", "root_cause_type": "generic", "root_cause_zh": "生产者的事务ID未被代理ACL授权对事务ID资源执行WRITE操作。", "versions": [ { "version": "2.8.0", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "3.2.0", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "3.4.0", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "", "why_fails": "Disabling ACLs globally bypasses security but introduces vulnerability; does not fix authorization logic.", "fail_rate": 0.95, "condition": "", "sources": [] }, { "action": "", "why_fails": "Super users bypass ACLs but require broker restart; not a scalable solution for multiple producers.", "fail_rate": 0.8, "condition": "", "sources": [] }, { "action": "", "why_fails": "New transactional ID still needs ACL authorization; error persists unless ACLs are updated.", "fail_rate": 0.9, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Add ACL for the transactional ID with WRITE permission for the producer principal using kafka-acls.sh.", "success_rate": 0.95, "how": "Add ACL for the transactional ID with WRITE permission for the producer principal using kafka-acls.sh.", "condition": "", "sources": [] }, { "action": "Use kafka-acls.sh to grant DESCRIBE and WRITE on the transactional ID resource.", "success_rate": 0.9, "how": "Use kafka-acls.sh to grant DESCRIBE and WRITE on the transactional ID resource.", "condition": "", "sources": [] }, { "action": "If using Kafka 3.0+, enable 'authorizer.class.name' with 'kafka.security.authorizer.AclAuthorizer' and add ACLs via AdminClient API.", "success_rate": 0.85, "how": "If using Kafka 3.0+, enable 'authorizer.class.name' with 'kafka.security.authorizer.AclAuthorizer' and add ACLs via AdminClient API.", "condition": "", "sources": [] } ], "workarounds_zh": [ "使用 kafka-acls.sh 为事务ID添加WRITE权限,授予生产者主体。", "使用 kafka-acls.sh 在事务ID资源上授予DESCRIBE和WRITE权限。", "如果使用Kafka 3.0+,启用 'authorizer.class.name' 为 'kafka.security.authorizer.AclAuthorizer',并通过AdminClient API添加ACL。" ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://kafka.apache.org/documentation/#security_authz", "official_doc_section": null, "error_code": null, "verification_tier": "ai_generated", "confidence": 0.87, "fix_success_rate": 0.9, "resolvable": "true", "first_seen": "2023-11-10", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }