
what type of ACL privileges are needed for Burrow?

Open cl0udgeek opened this issue 7 years ago • 9 comments

What type of ACL privileges are needed for Burrow on the topics, or does it need super user? I couldn't seem to find that in the docs...

cl0udgeek avatar Dec 13 '17 16:12 cl0udgeek

I still don't think I've fully figured this out...I gave these ACLs on __consumer_offsets:

```
kafka-acls --authorizer-properties zookeeper.connect=zk:2181/sdpop --add --allow-principal User:* --allow-host "*" --operation All --topic __consumer_offsets --group=*
```

but still see this in the logs:

```
{"level":"error","ts":1513713023.0623486,"msg":"failed to get partition count","type":"module","coordinator":"consumer","class":"kafka","name":"local","topic":"__consumer_offsets","error":"kafka server: Request was for a topic or partition that does not exist on this broker."}
{"level":"error","ts":1513713023.0624535,"msg":"failed to start consumer","type":"module","coordinator":"consumer","class":"kafka","name":"local","error":"kafka server: Request was for a topic or partition that does not exist on this broker."}
```

cl0udgeek avatar Dec 19 '17 19:12 cl0udgeek

I'll admit, I haven't quite gotten to the point internally where we've had to apply ACLs to this yet. It should be sufficient to have ACLs that give the principal Burrow is running under describe and read privileges on the topic resource __consumer_offsets.

toddpalino avatar Dec 21 '17 20:12 toddpalino

still haven't figured this one out yet...anyone else having this issue?

it finds info on the other topics...just not __consumer_offsets

```
{"level":"debug","ts":1522270120.6207905,"msg":"ok","type":"module","coordinator":"storage","class":"inmemory","name":"default","worker":3,"cluster":"sdpop","consumer":"","topic":"testtopic","partition":2,"topic_partition_count":10,"offset":1,"timestamp":1522270120000,"owner":"","request":"StorageSetBrokerOffset"}
{"level":"info","ts":1522270120.6208968,"msg":"starting","type":"coordinator","name":"consumer"}
{"level":"info","ts":1522270120.620908,"msg":"starting","type":"module","coordinator":"consumer","class":"kafka","name":"local"}
{"level":"debug","ts":1522270120.6209056,"msg":"ok","type":"module","coordinator":"storage","class":"inmemory","name":"default","worker":12,"cluster":"sdpop","consumer":"","topic":"testtopic","partition":5,"topic_partition_count":10,"offset":1,"timestamp":1522270120000,"owner":"","request":"StorageSetBrokerOffset"}
{"level":"info","ts":1522270120.6544793,"msg":"starting evaluations","type":"coordinator","name":"notifier"}
{"level":"error","ts":1522270121.39267,"msg":"failed to get partition count","type":"module","coordinator":"consumer","class":"kafka","name":"local","topic":"__consumer_offsets","error":"kafka server: Request was for a topic or partition that does not exist on this broker."}
{"level":"error","ts":1522270121.392729,"msg":"failed to start consumer","type":"module","coordinator":"consumer","class":"kafka","name":"local","error":"kafka server: Request was for a topic or partition that does not exist on this broker."}
```

cl0udgeek avatar Mar 28 '18 20:03 cl0udgeek

so this is definitely an ACL error...if I grant this ACL

```
kafka-acls --authorizer-properties zookeeper.connect=zk01.cloud.com:2181/cluster1 --add --allow-principal User:* --allow-host "*" --operation ALL --topic __consumer_offsets --group=*
Adding ACLs for resource Topic:__consumer_offsets
```

it then starts to work

problem...that's a bad ACL to be granting on the __consumer_offsets topic

@toddpalino any idea on this?

cl0udgeek avatar Mar 28 '18 21:03 cl0udgeek

Any news on this issue? I have the same problem

mchenier avatar Sep 27 '18 20:09 mchenier

Did you resolve that issue? I have the same error

Learnfr avatar Feb 08 '19 16:02 Learnfr

We finally added a user burrow as an admin to the cluster. Everything else failed. We added security to the server running burrow to be safer.

mchenier avatar Feb 08 '19 18:02 mchenier

For me burrow works with that acl:

  • ./kafka-acls.sh --authorizer-properties zookeeper.connect=zookeeper_hostname:2181 --add --allow-principal "User:burrow" --topic "*" --operation Describe
  • ./kafka-acls.sh --authorizer-properties zookeeper.connect=zookeeper_hostname:2181 --add --allow-principal "User:burrow" --topic "*" --operation Read

After that you have to restart burrow service

Learnfr avatar Feb 26 '19 13:02 Learnfr

I have been running Burrow successfully in prod for more than a year now without providing admin permission or read or write access for data topics. Posting the required ACLs for the Burrow Kafka user:

  • "__consumer_offsets" : Required ACLs: Read, Describe & Describe_Configs.
  • "*" : Describe & Describe_Configs

Vikash08Mishra avatar Aug 02 '23 11:08 Vikash08Mishra
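
An added example, not from the thread or the Burrow project: a Python check that compares a `kafka-acls --list` style listing against the grants reported in the last comment, flagging wildcard-principal or extra grants and listing needed grants that are absent. Assumptions: the listing is a constructed sample in the layout older kafka-acls releases print, `User:burrow` is the principal used earlier in the thread, and `DescribeConfigs` is the tool's spelling of the comment's `Describe_Configs`.

```python
import re

# Grants the thread's last comment reports as sufficient for the Burrow user.
NEEDED = {
    "__consumer_offsets": {"Read", "Describe", "DescribeConfigs"},
    "*": {"Describe", "DescribeConfigs"},
}
HEADER = re.compile(r"Current ACLs for resource `Topic:(?:LITERAL:)?([^`]+)`")
ENTRY = re.compile(r"(User:\S+) has Allow permission for operations: (\w+) from hosts: (\S+)")

def parse(listing):
    """Return (topic, principal, operation) for every Allow entry in the listing."""
    topic, grants = None, []
    for line in listing.splitlines():
        if (m := HEADER.search(line)):
            topic = m.group(1)
        elif topic and (m := ENTRY.search(line)):
            grants.append((topic, m.group(1), m.group(2)))
    return grants

def audit(listing, principal="User:burrow"):
    """Return (excessive grants, needed grants that are absent)."""
    grants = parse(listing)
    excessive = []
    for topic, who, op in grants:
        if who == "User:*":
            excessive.append((topic, who, op, "wildcard principal"))
        elif who == principal and op not in NEEDED.get(topic, set()):
            excessive.append((topic, who, op, "not in the needed set"))
    missing = []
    for topic, ops in NEEDED.items():
        # A grant on "*" also covers __consumer_offsets; All implies every operation.
        have = {op for t, who, op in grants
                if who in (principal, "User:*") and t in (topic, "*")}
        if "All" not in have:
            missing += [(topic, op) for op in sorted(ops - have)]
    return excessive, missing

# Constructed sample (assumed older kafka-acls --list layout), not real cluster output.
SAMPLE = """\
Current ACLs for resource `Topic:__consumer_offsets`:
    User:* has Allow permission for operations: All from hosts: *
Current ACLs for resource `Topic:*`:
    User:burrow has Allow permission for operations: Describe from hosts: *
    User:burrow has Allow permission for operations: Read from hosts: *
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Newer kafka-acls releases print a different listing layout, so the two regular expressions need adjusting to the output of the version in use.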