
Listing Consumer Groups doesn't work with DESCRIBE right on cluster level

Open LukasPr opened this issue 3 years ago • 5 comments

On both versions of AKHQ 0.17 and 0.19 we were not able to list the consumer groups in the overview with the following rights:

ALLOW | DESCRIBE_CONFIGS | CLUSTER | kafka-cluster | LITERAL
ALLOW | DESCRIBE | CLUSTER | kafka-cluster | LITERAL
ALLOW | IDEMPOTENT_WRITE | CLUSTER | kafka-cluster | LITERAL

ALLOW | READ | GROUP | xxxx | PREFIXED
ALLOW | DESCRIBE | GROUP | xxxx | PREFIXED

AKHQ logs this error:

java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to access group: Group authorization failed.

After removing the following ACL from the Service Account it worked: ALLOW | DESCRIBE | CLUSTER | kafka-cluster | LITERAL

The issue could probably be that there is no check if the service account has DESCRIBE rights on all consumer groups.

Please check - thanks!

LukasPr, Nov 15 '21 13:11

I'm not really sure I understand. You don't grant full read access to the service account for consumer groups, only for some of them with a prefix. When you remove the describe cluster ACL, the consumer group page can be displayed without any error but is empty. Am I right?

tchiotludo, Nov 17 '21 06:11

> You don't grant a full read access on service account for consumer group, only some of them with a prefix.

Yes, we restrict accounts to be able to identify the source of a consumer group. When we remove the describe cluster ACL we are able to display the topics page again. On listing the topics it seems that it tries to describe all consumer groups for the topics and that fails, so nothing is displayed at all. The consumer group page shows only the groups that the service account has access to.

Xan2063, Nov 17 '21 10:11

I am having similar issues on my end. I set DESCRIBE and DESCRIBE_CONFIGS for all topics, all consumer groups (with a prefix though in the ACLs, such as company.something, for the consumer groups). I explicitly DENY read on topics in the ACLs (because this is not the intended use in my use-case). These ACLs allowed kafdrop to list all topics, all consumer groups (and see lag, etc.) but for some reason, the groups, it just fails continuously.

It'd be worth documenting (I just cannot find them in the docs?) what minimum ACLs are required for DESCRIBE on the clusters / topics / groups.

JohnPreston, Dec 15 '21 20:12

I'm facing the same issue. I'm getting this error: FindCoordinator request for groupId CoordinatorKey(idValue='anotherConsumerGroup', type=GROUP) failed due to authorization failure

anotherConsumerGroup is typically a ConsumerGroup for which the AKHQ KafkaUser doesn't have Read&Describe authorization.

I wonder if this has to do with this line of code: https://github.com/tchiotludo/akhq/blob/b472e8efc5939cb63051a653f8b5988326533bc6/src/main/java/org/akhq/modules/AbstractKafkaWrapper.java#L169

Maybe if we were using .valid() instead of .all() this will only retrieve consumer groups for which the AKHQ KafkaUser is authorized. See https://kafka.apache.org/31/javadoc/org/apache/kafka/clients/admin/ListConsumerGroupsResult.html

How can we see the log stack of the error in AKHQ? I can only see the message in the AKHQ UI.

thibthibus, Jan 26 '22 15:01

@thibthibus I wasn't aware of this valid() method. I also think it will remove your errors, as I understand it, but I'm a little bit doubtful it was really a good choice; people will raise issues about missing consumer groups, I think. Maybe an explicit AKHQ configuration that allows using partial results will do the trick? PRs are welcome.

tchiotludo, Jan 26 '22 20:01
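
The partial-result handling discussed in this thread, written against the Kafka Admin API as an added example; it is not AKHQ's code and not part of any comment above. It reads the listing through valid() and errors() instead of all(), and then waits on each group's describe future separately, because Kafka returns every group from a listing when the principal holds DESCRIBE on the cluster and a single denied group would otherwise fail the whole describe. The class name, the method name and the bootstrap address taken from the first argument are assumptions.

```java
import java.util.*;
import java.util.concurrent.ExecutionException;
import org.apache.kafka.clients.admin.*;
import org.apache.kafka.common.KafkaFuture;
import org.apache.kafka.common.errors.GroupAuthorizationException;

// Hypothetical class for illustration; not taken from AKHQ.
public class TolerantGroupListing {

    /** Describes every listed group, collecting the ids this principal may not describe. */
    static Map<String, ConsumerGroupDescription> describeAuthorized(Admin admin, List<String> skipped)
            throws InterruptedException, ExecutionException {
        ListConsumerGroupsResult listing = admin.listConsumerGroups();
        // errors() exposes the per-broker failures that all() would rethrow as one exception.
        for (Throwable t : listing.errors().get()) {
            System.err.println("partial listing: " + t);
        }
        List<String> ids = new ArrayList<>();
        for (ConsumerGroupListing g : listing.valid().get()) {
            ids.add(g.groupId());
        }
        Map<String, ConsumerGroupDescription> described = new TreeMap<>();
        // describedGroups() holds one future per group, so a denied group fails only its own entry.
        for (Map.Entry<String, KafkaFuture<ConsumerGroupDescription>> e
                : admin.describeConsumerGroups(ids).describedGroups().entrySet()) {
            try {
                described.put(e.getKey(), e.getValue().get());
            } catch (ExecutionException ex) {
                if (!(ex.getCause() instanceof GroupAuthorizationException)) throw ex;
                skipped.add(e.getKey()); // report it rather than silently dropping it
            }
        }
        return described;
    }

    public static void main(String[] args) throws Exception {
        Properties props = new Properties();
        // Assumption: args[0] is the bootstrap address; add the SASL/TLS settings your cluster needs.
        props.put(AdminClientConfig.BOOTSTRAP_SERVERS_CONFIG, args[0]);
        try (Admin admin = Admin.create(props)) {
            List<String> skipped = new ArrayList<>();
            describeAuthorized(admin, skipped)
                    .forEach((id, d) -> System.out.println(id + " members=" + d.members().size()));
            System.out.println("not authorized to describe: " + skipped);
        }
    }
}
```

Returning the skipped ids alongside the descriptions lets a UI state that some groups were hidden for lack of authorization, which addresses the concern about users reporting missing consumer groups.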