I am trying to consume messages from a Kafka cluster external to my organization, which requires authentication.
I am receiving messages, so presumably things are partly correct, but I'm getting this error message in the logs:
```
08:54:50.840 [kafka-admin-client-thread | adminclient-1] ERROR i.m.m.health.indicator.HealthResult - Health indicator [kafka] reported exception: org.apache.kafka.common.errors.ClusterAuthorizationException: Cluster authorization failed.
```
And a resulting status of `DOWN` in the health checks.
Here is the kafka section from `application.yaml`:
```yaml
kafka:
  bootstrap:
    servers: "bootstrap.example.com:9095"
  security:
    protocol: "SASL_SSL"
  schema.registry.url: "http://schema-registry.example.com:8001"
  consumers:
    example-group:
      key:
        deserializer: io.confluent.kafka.serializers.KafkaAvroDeserializer
      value:
        deserializer: io.confluent.kafka.serializers.KafkaAvroDeserializer
  security.protocol: "SASL_SSL"
  sasl:
    mechanism: "SCRAM-SHA-512"
    jaas:
      config: org.apache.kafka.common.security.scram.ScramLoginModule required username="${KAFKA_USERNAME:username}" password="${KAFKA_PASSWORD:password}";
```
I figured it out; the word "Authorization" should have been a big hint.
There was nothing wrong with the authentication mechanism. Rather, our user simply didn't have permission to make the required calls.
The required permissions are: