Topic acls not working, Kafka Shows: Principal = User:ANONYMOUS is Denied Operation = Describe from host = 240.0.210.111 on resource = Topic:LITERAL:acl-topic for request = Metadata with resourceRefCount = 1 (kafka.authorizer.logger) [data-plane-kafka-request-handler-0]

[seemasanjaisinghani]

Scenario: Enable Simple authorization, and add KafkaUser and KafkaTopic with Topic acls defined in User. Start Producer with secret generated corresponding to user in mtls enabled setup.

[NOTE: THE SAME SETUP WORKED WITH SIMPLE AUTHORIZATION WAS NOT ENABLED IN KAFKA-CLUSTER.YAML]

The producer shows error :
2021-12-08T09:07:09.820413182Zorg.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [acl-topic]

Kafka cluster shows error :
2021-12-08T08:56:15.619145876Z2021-12-08 08:56:15,618 INFO Principal = User:ANONYMOUS is Denied Operation = Describe from host = 240.0.210.111 on resource = Topic:LITERAL:acl-topic for request = Metadata with resourceRefCount = 1 (kafka.authorizer.logger) [data-plane-kafka-request-handler-0]

Kafka cluster had shows message when new user was added :
2021-12-08T08:07:53.691479895Z2021-12-08 08:07:53,691 INFO Processing Acl change notification for ResourcePattern(resourceType=TOPIC, name=acl-topic, patternType=LITERAL), versionedAcls : Set(User:CN=acl-test-user has ALLOW permission for operations: DESCRIBE from hosts: *, User:CN=acl-test-user has ALLOW permission for operations: CREATE from hosts: *, User:CN=acl-test-user has ALLOW permission for operations: READ from hosts: *, User:CN=acl-test-user has ALLOW permission for operations: WRITE from hosts: *), zkVersion : 0 (kafka.security.authorizer.AclAuthorizer) [/kafka-acl-changes-event-process-thread]

I have followed all steps mentioned here #2141
#3036
referenced this KafkaUser manifest also for creating our user : https://github.com/strimzi/strimzi-kafka-operator/blob/master/examples/user/kafka-user.yaml

Kafkauser.yaml: [This user is tls user]

apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaUser
metadata:
name: acl-test-user
labels:
strimzi.io/cluster: test-cluster
spec:
authentication:
type: tls
authorization:
type: simple
acls:
# Consumer Acls for topic acl-topic
- resource:
type: topic
name: 'acl-topic'
patternType: literal
operation: Read
host: ""
- resource:
type: topic
name: 'acl-topic'
patternType: literal
operation: Describe
host: ""
# Producer Acls for topic acl-topic
- resource:
type: topic
name: 'acl-topic'
patternType: literal
operation: Write
host: ""
- resource:
type: topic
name: 'acl-topic'
patternType: literal
operation: Create
host: ""
- resource:
type: topic
name: 'acl-topic'
patternType: literal
operation: Describe
host: "*"

KafkaTopic.yaml
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaTopic
metadata:
name: acl-topic
labels:
strimzi.io/cluster: test-cluster
spec:
partitions: 2
replicas: 2
config:
retention.ms: 7200000
segment.bytes: 1073741824

Any help?

[scholzj]

If you look properly at the message, it says that User:ANONYMOUS is denied. That suggests that you probably enabled authorization, but not authentication and without authentication, you always connect as User:ANONYMOUS, so it doesn't matter what rights did you give to some other user.

[seemasanjaisinghani]

Yes figured out the problem just 20 minutes back, enabled authentication on Kafka cluster side and thee issue is resolved. Thank you for your reply.