kafka
auth_error
ai_generated
true
org.apache.kafka.common.errors.TransactionalIdAuthorizationException: Transactional ID authorization failed
ID: kafka/transactional-id-authorization-failed
Fix rate: 90%
Confidence: 87%
Evidence count: 1
First seen: 2023-11-10
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| 2.8.0 | active | — | — | — |
| 3.2.0 | active | — | — | — |
| 3.4.0 | active | — | — | — |
Root cause analysis
The producer's transactional.id is not authorized by the broker ACLs for the WRITE operation on the transactional ID resource.
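Official documentation
https://kafka.apache.org/documentation/#security_authz
Solutions
- Use kafka-acls.sh to add WRITE permission on the transactional ID, granted to the producer principal.
- Use kafka-acls.sh to grant DESCRIBE and WRITE permissions on the transactional ID resource.
- If using Kafka 3.0+, set 'authorizer.class.name' to 'kafka.security.authorizer.AclAuthorizer' and add the ACLs through the AdminClient API.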
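One way to apply the first two fixes with least privilege, as an added example that is not part of the original page: the wrapper grants DESCRIBE and WRITE on one named transactional ID to one named principal and refuses wildcard grants. The broker address, client config path, principal and transactional.id values are constructed placeholders, and `KAFKA_ACLS` is a hypothetical override for dry runs.

```shell
#!/bin/sh
# Added example: scoped ACL grant for a single transactional producer.
# Assumptions (not from the page): BOOTSTRAP, ADMIN_CONFIG and the sample
# principal / transactional.id are constructed placeholders.

KAFKA_ACLS="${KAFKA_ACLS:-kafka-acls.sh}"   # set to "echo" for a dry run
BOOTSTRAP="${BOOTSTRAP:-broker1.example.internal:9093}"
ADMIN_CONFIG="${ADMIN_CONFIG:-/etc/kafka/admin-client.properties}"

# Reject anything broader than one named user and one named transactional.id.
# $1 = principal (User:<name>), $2 = transactional.id
validate_grant() {
  case "$1" in
    User:\*|User:) echo "refusing wildcard or empty principal" >&2; return 1 ;;
    User:*) ;;
    *) echo "principal must look like User:<name>" >&2; return 1 ;;
  esac
  case "$2" in
    ''|*\**) echo "refusing empty or wildcard transactional.id" >&2; return 1 ;;
  esac
}

# Grant DESCRIBE and WRITE on the TransactionalId resource to the principal.
grant_txn_acls() {
  validate_grant "$1" "$2" || return 1
  "$KAFKA_ACLS" --bootstrap-server "$BOOTSTRAP" \
    --command-config "$ADMIN_CONFIG" \
    --add --allow-principal "$1" \
    --operation Describe --operation Write \
    --transactional-id "$2"
}

# List the ACLs bound to that transactional.id so the grant can be reviewed.
list_txn_acls() {
  "$KAFKA_ACLS" --bootstrap-server "$BOOTSTRAP" \
    --command-config "$ADMIN_CONFIG" \
    --list --transactional-id "$1"
}

# Usage: ./grant-txn-acl.sh User:payments-producer payments-tx-1
if [ "$#" -eq 2 ]; then
  grant_txn_acls "$1" "$2" && list_txn_acls "$2"
fi
```

The value passed as the transactional ID must match the producer's configured `transactional.id` exactly, since the grant is made on a literal resource name.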
Ineffective attempts
Common but ineffective approaches:
- 95% failure: Disabling ACLs globally bypasses security but introduces a vulnerability; it does not fix the authorization logic.
- 80% failure: Super users bypass ACLs but require a broker restart; this is not a scalable solution for multiple producers.
- 90% failure: A new transactional ID still needs ACL authorization; the error persists unless the ACLs are updated.