Micronaut Kafka: Health check fails with "Cluster authorization failed"

Question

I am trying to consume messages from a Kafka cluster external to my organization, which requires authentication.

I am receiving messages, so presumably things are partly correct, but I'm getting this error message in the logs:

08:54:50.840 [kafka-admin-client-thread | adminclient-1] ERROR i.m.m.health.indicator.HealthResult - Health indicator [kafka] reported exception: org.apache.kafka.common.errors.ClusterAuthorizationException: Cluster authorization failed.

And a resulting status of DOWN in the health checks.

Here is the kafka section from application.yaml:

kafka:
  bootstrap:
    servers:
      "bootstrap.example.com:9095"
    security:
      protocol: "SASL_SSL"
  schema.registry.url: "http://schema-registry.example.com:8001"
  consumers:
    example-group:
      key:
        deserializer: io.confluent.kafka.serializers.KafkaAvroDeserializer
      value:
        deserializer: io.confluent.kafka.serializers.KafkaAvroDeserializer
  security.protocol: "SASL_SSL"
  sasl:
    mechanism: "SCRAM-SHA-512"
    jaas:
      config: org.apache.kafka.common.security.scram.ScramLoginModule required username="${KAFKA_USERNAME:username}" password="${KAFKA_PASSWORD:password}";

Answer 1

I figured it out, the word "Authorization" should have been a big hint.

There was nothing wrong with the authentication mechanism. Rather, our user simply didn't have permission to make the required calls.

The required permissions are:

• DescribeCluster
• DescribeConfig on resource BROKER.

Answer 2

To extend @Imre Kerr's answer.

If using Strimzi to set up ACLs you can simply add the following resource ACL to your user:

users:
  - name: {your-user-name}
    acls:
      ...
      - resource:
          type: cluster
        operation: DescribeConfigs

Answer 3

By default DescribeCluster also provide the information about ACLs of topic, which could be a security issue :-) Maybe you would need a customized healthcheck-indicator?