Create a SCRAM user using kafka-configs:
/bin/kafka-configs --bootstrap-server broker:9092 --alter --add-config 'SCRAM-SHA-256=[password="password"]' --entity-type users --entity-name "testUser"
Make sure the user is created by describing users:
/bin/kafka-configs --bootstrap-server broker:9092 --describe --entity-type users
Output: SCRAM credential configs for user-principal 'testUser' are SCRAM-SHA-256=iterations=4096
Try to assign ACLs:
/bin/kafka-acls --bootstrap-server broker:9092 --add --allow-principal User:testUser --topic * --producer
Output:
Adding ACLs for resource
ResourcePattern(resourceType=TOPIC, name=[, patternType=LITERAL):(principal=User:testUser, host=*, operation=DESCRIBE, permissionType=ALLOW)
(principal=User:testUser, host=*, operation=WRITE, permissionType=ALLOW)
(principal=User:testUser, host=*, operation=CREATE, permissionType=ALLOW)
Error while executing ACL command: org.apache.kafka.common.errors.SecurityDisabledException: No Authorizer is configured.
java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.SecurityDisabledException: No Authorizer is configured.
at java.base/java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:396)
at java.base/java.util.concurrent.CompletableFuture.get(CompletableFuture.java:2073)
at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:165)
at kafka.admin.AclCommand$AdminClientService.$anonfun$addAcls$3(AclCommand.scala:115)
at scala.collection.IterableOnceOps.foreach(IterableOnce.scala:575)
at scala.collection.IterableOnceOps.foreach$(IterableOnce.scala:573)
at scala.collection.AbstractIterable.foreach(Iterable.scala:933)
at scala.collection.IterableOps$WithFilter.foreach(Iterable.scala:903)
at kafka.admin.AclCommand$AdminClientService.$anonfun$addAcls$1(AclCommand.scala:112)
at kafka.admin.AclCommand$AdminClientService.addAcls(AclCommand.scala:111)
at kafka.admin.AclCommand$.main(AclCommand.scala:73)
at kafka.admin.AclCommand.main(AclCommand.scala)
Caused by: org.apache.kafka.common.errors.SecurityDisabledException: No Authorizer is configured.
I tried looking online with Google and even ChatGPT, but it suggests that the authorizer is not available. This is the broker config:
- inter.broker.listener.name=BROKER
- controller.listener.names=CONTROLLER
- listener.security.protocol.map=BROKER:SSL,SSL:SSL,INTERNAL:PLAINTEXT,CONTROLLER:SSL,SSL:SSL
- sasl.enabled.mechanisms=SCRAM-SHA-256
- sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256
- sasl.mechanism.controller.protocol=PLAIN
- authorizer.class.name=org.apache.kafka.metadata.authorizer.StandardAuthorizer
- super.users=User:ANONYMOUS
What is strange is that Confluent says that, to get the brokers to communicate with SCRAM users, you have to create the SCRAM user before starting the brokers, which I do with the following user:
- /bin/kafka-storage format -c /etc/kafka/kraft/broker.properties --cluster-id uuid --add-scram 'SCRAM-SHA-256=[name=scramUser,password=scramPass]' --ignore-formatted
The above command executes, but the user is not listed when I list the users, and it's also not using the SCRAM user, because ANONYMOUS is being used to action the ACL commands according to the logs:
- DEBUG Principal = User:ANONYMOUS is Allowed operation = DESCRIBE from host = * on resource = Cluster:LITERAL:kafka-cluster for request = DescribeAcls with resourceRefCount = 1 based on rule SuperUser (kafka.authorizer.logger)
To summarize:
- Why am I not able to set ACLs on users, and why am I getting the "No Authorizer is configured" error?
- Why is Kafka not authenticating with brokers using the SCRAM user created during cluster build?
I have tried searching online and following documentation from Apache and Confluent for the KRaft setup.
Tried to create multiple SCRAM users before broker startup and after, to alter/add ACLs, but it keeps using the super user instead of the SCRAM user that is being created.
Kafka KRaft version: 3.6
Confluent Platform version: confluent-community-2.1
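The listener map quoted in the question has no SASL_PLAINTEXT or SASL_SSL entry, so the SCRAM settings never apply to any listener and connections are seen as User:ANONYMOUS, consistent with the authorizer log line above. The audit script below is an added example, not part of the original post or of Kafka; the function names and finding codes are made up for illustration, and it reads only the global ssl.client.auth setting.

```python
# Added example (not from the post): static audit of the quoted broker settings.
BROKER_PROPS = """\
inter.broker.listener.name=BROKER
controller.listener.names=CONTROLLER
listener.security.protocol.map=BROKER:SSL,SSL:SSL,INTERNAL:PLAINTEXT,CONTROLLER:SSL,SSL:SSL
sasl.enabled.mechanisms=SCRAM-SHA-256
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256
sasl.mechanism.controller.protocol=PLAIN
authorizer.class.name=org.apache.kafka.metadata.authorizer.StandardAuthorizer
super.users=User:ANONYMOUS
"""
SASL = {"SASL_PLAINTEXT", "SASL_SSL"}

def parse_props(text):
    """Parse key=value lines, skipping blanks and # comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def audit(props):
    """Return (code, detail) findings; the codes are labels made up for this example."""
    out, listeners = [], {}
    for entry in filter(None, props.get("listener.security.protocol.map", "").split(",")):
        name, _, proto = entry.strip().partition(":")
        if name in listeners:
            out.append(("DUPLICATE_MAP_ENTRY", name))
        listeners[name] = proto.upper()
    if props.get("sasl.enabled.mechanisms") and not SASL & set(listeners.values()):
        out.append(("SASL_NEVER_USED", "no listener maps to SASL_PLAINTEXT or SASL_SSL"))
    # A SASL mechanism only applies if the listener it names speaks a SASL protocol.
    for mech_key, name_key in (
            ("sasl.mechanism.inter.broker.protocol", "inter.broker.listener.name"),
            ("sasl.mechanism.controller.protocol", "controller.listener.names")):
        for name in filter(None, props.get(name_key, "").split(",")):
            if mech_key in props and listeners.get(name.strip()) not in SASL:
                out.append(("MECHANISM_IGNORED", f"{mech_key} on listener {name.strip()}"))
    # PLAINTEXT, and SSL without required client certs, yield User:ANONYMOUS.
    mtls = props.get("ssl.client.auth", "none").lower() == "required"
    anon = sorted(n for n, p in listeners.items()
                  if p == "PLAINTEXT" or (p == "SSL" and not mtls))
    if anon:
        out.append(("ANONYMOUS_LISTENERS", ",".join(anon)))
    if "User:ANONYMOUS" in [u.strip() for u in props.get("super.users", "").split(";")]:
        out.append(("ANONYMOUS_SUPERUSER", "unauthenticated clients bypass every ACL"))
    return out

if __name__ == "__main__":
    for code, detail in audit(parse_props(BROKER_PROPS)):
        print(f"{code}: {detail}")
```

Per-listener overrides such as listener.name.<name>.ssl.client.auth are not evaluated, so a listener reported as anonymous may still require client certificates if such an override exists in the full properties file.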