kafkactl icon indicating copy to clipboard operation
kafkactl copied to clipboard
verified publisher icon deviceinsight

Non-zero exit code for authorization errors

Open denniseffing opened this issue 5 months ago • 3 comments

Hi, we just encountered an issue if kafkactl consume is used with valid user credentials but the user is not authorized to read the configured topic.

Actual behavior kafkactl consume logs the authorization failure and exits with exit code 0

Expected behavior kafkactl consume logs the authorization failure and exits with non-zero exit code

Is there a configuration setting I'm missing or is this just not working as I would expect it to?

denniseffing avatar Oct 07 '25 10:10 denniseffing

Hey @denniseffing,

this IT should actually cover that an error is thrown.

can you share some details? kafka version, acl configuration, logs?

d-rk avatar Oct 07 '25 11:10 d-rk

Hi, sorry, forgot the most obvious information.

The first time we observed the error was while running one of our Kafka topic backup jobs in a CI pipeline. The CI pipeline uses the following version:

cmd.info{version:"v5.12.1", buildTime:"2025-08-27T06:22:48Z", gitCommit:"34f2d4d", goVersion:"go1.24.4", compiler:"gc", platform:"linux/amd64"}

Afterwards I reproduced the issue locally with this version:

cmd.info{version:"v5.11.1", buildTime:"2025-07-28T13:50:04Z", gitCommit:"b35f40e", goVersion:"go1.24.4", compiler:"gc", platform:"darwin/arm64"}

The error occurred because the user permissions were incorrectly configured. The user only had write permissions for the configured topic.

Here are logs for the operation, redacted to not leak information about our system:

[kafkactl] 2025/10/07 12:50:29 Using config file: /Users/effing/.config/kafkactl/config.yml
the configuration of the current context is now managed in a separate file: /Users/effing/.config/kafkactl/current-context.yml
the parameter “current-context” in config.yml is no longer used. Please remove it to avoid confusion.
[kafkactl] 2025/10/07 12:50:29 generated default config at /Users/effing/.config/kafkactl/current-context.yml
[kafkactl] 2025/10/07 12:50:29 Using config file: /Users/effing/.config/kafkactl/current-context.yml
[kafkactl] 2025/10/07 12:50:29 Assuming kafkaVersion: 2.5.0
[kafkactl] 2025/10/07 12:50:29 using default admin request timeout: 3s
[kafkactl] 2025/10/07 12:50:29 TLS is enabled.
[kafkactl] 2025/10/07 12:50:29 SASL is enabled (username = REDACTED)
[kafkactl] 2025/10/07 12:50:29 using isolationLevel=1
[sarama  ] 2025/10/07 12:50:29 Initializing new client
[sarama  ] 2025/10/07 12:50:29 client/metadata fetching metadata for all topics from broker REDACTED
[sarama  ] 2025/10/07 12:50:30 SASL authentication succeeded
[sarama  ] 2025/10/07 12:50:30 Connected to broker at REDACTED (unregistered)
[sarama  ] 2025/10/07 12:50:30 client/brokers registered new broker #5 at REDACTED
[sarama  ] 2025/10/07 12:50:30 client/brokers registered new broker #10 at REDACTED
[sarama  ] 2025/10/07 12:50:30 client/brokers registered new broker #8 at REDACTED
[sarama  ] 2025/10/07 12:50:30 client/brokers registered new broker #2 at REDACTED
[sarama  ] 2025/10/07 12:50:30 client/brokers registered new broker #12 at REDACTED
[sarama  ] 2025/10/07 12:50:30 client/brokers registered new broker #9 at REDACTED
[sarama  ] 2025/10/07 12:50:30 client/brokers registered new broker #11 at REDACTED
[sarama  ] 2025/10/07 12:50:30 client/brokers registered new broker #1 at REDACTED
[sarama  ] 2025/10/07 12:50:30 client/brokers registered new broker #4 at REDACTED
[sarama  ] 2025/10/07 12:50:30 client/brokers registered new broker #6 at REDACTED
[sarama  ] 2025/10/07 12:50:30 client/brokers registered new broker #7 at REDACTED
[sarama  ] 2025/10/07 12:50:30 client/brokers registered new broker #3 at REDACTED
[sarama  ] 2025/10/07 12:50:30 Successfully initialized new client
[kafkactl] 2025/10/07 12:50:30 Start consuming topic: REDACTED
[sarama  ] 2025/10/07 12:50:33 SASL authentication succeeded
[sarama  ] 2025/10/07 12:50:33 Connected to broker at REDACTED (registered as #1)
[sarama  ] 2025/10/07 12:50:33 SASL authentication succeeded
[sarama  ] 2025/10/07 12:50:33 Connected to broker at REDACTED (registered as #12)
[sarama  ] 2025/10/07 12:50:33 SASL authentication succeeded
[sarama  ] 2025/10/07 12:50:33 Connected to broker at REDACTED (registered as #6)
[kafkactl] 2025/10/07 12:50:33 consumer will consume offset 0 to 109 on partition 0
[kafkactl] 2025/10/07 12:50:33 consumer will consume offset 0 to 119 on partition 2
[kafkactl] 2025/10/07 12:50:33 consumer will consume offset 0 to 130 on partition 1
[kafkactl] 2025/10/07 12:50:33 Start consuming partition 0 from offset 0 to 109
[kafkactl] 2025/10/07 12:50:33 Start consuming partition 2 from offset 0 to 119
[kafkactl] 2025/10/07 12:50:34 Start consuming partition 1 from offset 0 to 130
[kafkactl] 2025/10/07 12:50:34 waiting for partition consumers
[sarama  ] 2025/10/07 12:50:34 consumer/broker/1 accumulated 1 new subscriptions
[sarama  ] 2025/10/07 12:50:34 consumer/broker/1 added subscription to REDACTED/0
[sarama  ] 2025/10/07 12:50:34 consumer/broker/6 accumulated 1 new subscriptions
[sarama  ] 2025/10/07 12:50:34 consumer/broker/6 added subscription to REDACTED/2
[sarama  ] 2025/10/07 12:50:34 kafka: error while consuming REDACTED/0: kafka server: The client is not authorized to access this topic
[sarama  ] 2025/10/07 12:50:34 consumer/broker/1 abandoned subscription to REDACTED/0 because kafka server: The client is not authorized to access this topic
[sarama  ] 2025/10/07 12:50:34 consumer/broker/12 accumulated 1 new subscriptions
[sarama  ] 2025/10/07 12:50:34 consumer/broker/12 added subscription to REDACTED/1
[sarama  ] 2025/10/07 12:50:34 kafka: error while consuming REDACTED/2: kafka server: The client is not authorized to access this topic
[sarama  ] 2025/10/07 12:50:34 consumer/broker/6 abandoned subscription to REDACTED/2 because kafka server: The client is not authorized to access this topic
[sarama  ] 2025/10/07 12:50:34 kafka: error while consuming REDACTED/1: kafka server: The client is not authorized to access this topic
[sarama  ] 2025/10/07 12:50:34 consumer/broker/12 abandoned subscription to REDACTED/1 because kafka server: The client is not authorized to access this topic
[sarama  ] 2025/10/07 12:50:36 client/metadata fetching metadata for [REDACTED] from broker REDACTED
[sarama  ] 2025/10/07 12:50:36 SASL authentication succeeded
[sarama  ] 2025/10/07 12:50:36 Connected to broker at REDACTED (registered as #5)
[sarama  ] 2025/10/07 12:50:36 client/metadata fetching metadata for [REDACTED] from broker REDACTED
[sarama  ] 2025/10/07 12:50:36 client/metadata fetching metadata for [REDACTED] from broker REDACTED
[sarama  ] 2025/10/07 12:50:36 consumer/broker/1 accumulated 1 new subscriptions
[sarama  ] 2025/10/07 12:50:36 consumer/broker/1 added subscription to REDACTED/0
[sarama  ] 2025/10/07 12:50:36 kafka: error while consuming REDACTED/0: kafka server: The client is not authorized to access this topic
[sarama  ] 2025/10/07 12:50:36 consumer/broker/1 abandoned subscription to REDACTED/0 because kafka server: The client is not authorized to access this topic
[sarama  ] 2025/10/07 12:50:37 SASL authentication succeeded
[sarama  ] 2025/10/07 12:50:37 Connected to broker at REDACTED (registered as #2)
[sarama  ] 2025/10/07 12:50:37 consumer/broker/6 accumulated 1 new subscriptions
[sarama  ] 2025/10/07 12:50:37 consumer/broker/6 added subscription to REDACTED/2
[sarama  ] 2025/10/07 12:50:37 kafka: error while consuming REDACTED/2: kafka server: The client is not authorized to access this topic
[sarama  ] 2025/10/07 12:50:37 consumer/broker/6 abandoned subscription to REDACTED/2 because kafka server: The client is not authorized to access this topic
[sarama  ] 2025/10/07 12:50:37 SASL authentication succeeded
[sarama  ] 2025/10/07 12:50:37 Connected to broker at REDACTED (registered as #11)
[sarama  ] 2025/10/07 12:50:37 consumer/broker/12 accumulated 1 new subscriptions
[sarama  ] 2025/10/07 12:50:37 consumer/broker/12 added subscription to REDACTED/1
[sarama  ] 2025/10/07 12:50:37 kafka: error while consuming REDACTED/1: kafka server: The client is not authorized to access this topic
[sarama  ] 2025/10/07 12:50:37 consumer/broker/12 abandoned subscription to REDACTED/1 because kafka server: The client is not authorized to access this topic
timed-out while waiting for messages (https://github.com/deviceinsight/kafkactl/issues/67)
timed-out while waiting for messages (https://github.com/deviceinsight/kafkactl/issues/67)
timed-out while waiting for messages (https://github.com/deviceinsight/kafkactl/issues/67)
[kafkactl] 2025/10/07 12:50:39 waiting for deserialization
[kafkactl] 2025/10/07 12:50:39 deserialization finished
[kafkactl] 2025/10/07 12:50:39 closing consumer

denniseffing avatar Oct 07 '25 12:10 denniseffing

@d-rk Did you have a chance to look at this? We fixed the authorization issue on our end, so we are not blocked or anything, but it would be nice to know if we did something wrong or if there is indeed a bug in kafkactl. If you don't find the time that is fine too, just wanted to know where things are at. 🙂

denniseffing avatar Dec 03 '25 08:12 denniseffing