Denied operation for request = Metadata with resourceRefCount = 1

[ghost]

Hello.
Here is the log which i see, but everything is working. Question is why i have such long, and why and who try to make CREATE and DESCRIBE operations

2024-08-23 08:43:13,035 INFO Principal = User:manager-20240819-1804-0000-0000-000000000000 is Denied operation = CREATE from host = 10.42.2.55 on resource = Topic:LITERAL:bridge-e8595d1d-a618-420a-aaee-b55287dc1368 for request = Metadata with resourceRefCount = 1 based on rule DefaultDeny (kafka.authorizer.logger) [data-plane-kafka-request-handler-7]
2024-08-23 08:43:13,035 INFO Principal = User:manager-20240819-1804-0000-0000-000000000000 is Denied operation = CREATE from host = 10.42.2.55 on resource = Topic:LITERAL:bridge-78f739ba-a19c-480b-84f8-589d8cc4c02a for request = Metadata with resourceRefCount = 1 based on rule DefaultDeny (kafka.authorizer.logger) [data-plane-kafka-request-handler-7]
2024-08-23 08:47:41,796 INFO Principal = User:manager-14427fa5-f35b-49a2-a1fe-ff74a48f6f1b is Denied operation = CREATE from host = 10.42.2.98 on resource = Topic:LITERAL:bridge-dee9b987-bfa3-49b8-ab43-ae4e4e5be26d for request = Metadata with resourceRefCount = 1 based on rule DefaultDeny (kafka.authorizer.logger) [data-plane-kafka-request-handler-6]
2024-08-23 08:47:41,797 INFO Principal = User:manager-14427fa5-f35b-49a2-a1fe-ff74a48f6f1b is Denied operation = CREATE from host = 10.42.2.98 on resource = Topic:LITERAL:bridge-95b71755-c0e5-4c36-bdfd-e12d4dbfa76f for request = Metadata with resourceRefCount = 1 based on rule DefaultDeny (kafka.authorizer.logger) [data-plane-kafka-request-handler-6]
2024-08-23 08:47:41,797 INFO Principal = User:manager-14427fa5-f35b-49a2-a1fe-ff74a48f6f1b is Denied operation = CREATE from host = 10.42.2.98 on resource = Topic:LITERAL:bridge-a2600d6c-d27c-424e-9b56-25cbab9ea2f6 for request = Metadata with resourceRefCount = 1 based on rule DefaultDeny (kafka.authorizer.logger) [data-plane-kafka-request-handler-6]
2024-08-23 08:48:52,485 INFO Principal = User:manager-external-b880bff2-4516-41e3-86d8-0ea537e80ea6 is Denied operation = DESCRIBE from host = 10.42.2.149 on resource = Group:LITERAL:manager-b880bff2-4516-41e3-86d8-0ea537e80ea6 for request = FindCoordinator with resourceRefCount = 1 based on rule DefaultDeny (kafka.authorizer.logger) [data-plane-kafka-request-handler-1]
2024-08-23 08:50:09,809 INFO [NodeToControllerChannelManager id=3 name=forwarding] Node 0 disconnected. (org.apache.kafka.clients.NetworkClient) [broker-3-to-controller-forwarding-channel-manager]
2024-08-23 08:52:19,704 INFO Principal = User:manager-external-c7ac0c13-ac06-4288-a767-3720fa73e9cd is Denied operation = DESCRIBE from host = 10.42.2.236 on resource = Group:LITERAL:manager-c7ac0c13-ac06-4288-a767-3720fa73e9cd for request = FindCoordinator with resourceRefCount = 1 based on rule DefaultDeny (kafka.authorizer.logger) [data-plane-kafka-request-handler-5]
2024-08-23 08:52:41,804 INFO Principal = User:manager-14427fa5-f35b-49a2-a1fe-ff74a48f6f1b is Denied operation = CREATE from host = 10.42.2.98 on resource = Topic:LITERAL:bridge-dee9b987-bfa3-49b8-ab43-ae4e4e5be26d for request = Metadata with resourceRefCount = 1 based on rule DefaultDeny (kafka.authorizer.logger) [data-plane-kafka-request-handler-1]
2024-08-23 08:52:41,804 INFO Principal = User:manager-14427fa5-f35b-49a2-a1fe-ff74a48f6f1b is Denied operation = CREATE from host = 10.42.2.98 on resource = Topic:LITERAL:bridge-95b71755-c0e5-4c36-bdfd-e12d4dbfa76f for request = Metadata with resourceRefCount = 1 based on rule DefaultDeny (kafka.authorizer.logger) [data-plane-kafka-request-handler-1]
2024-08-23 08:52:41,804 INFO Principal = User:manager-14427fa5-f35b-49a2-a1fe-ff74a48f6f1b is Denied operation = CREATE from host = 10.42.2.98 on resource = Topic:LITERAL:bridge-a2600d6c-d27c-424e-9b56-25cbab9ea2f6 for request = Metadata with resourceRefCount = 1 based on rule DefaultDeny (kafka.authorizer.logger) [data-plane-kafka-request-handler-1]
2024-08-23 08:55:17,414 INFO Principal = User:manager-11111111-0000-0000-0001-000015082024 is Denied operation = DESCRIBE from host = 10.42.2.172 on resource = Topic:LITERAL:manager-external-11111111-0000-0000-0001-000015082024 for request = Metadata with resourceRefCount = 1 based on rule DefaultDeny (kafka.authorizer.logger) [data-plane-kafka-request-handler-2]
2024-08-23 09:01:02,960 INFO Principal = User:manager-a3381f58-e528-47ec-8a49-9a25ed576dec is Denied operation = CREATE from host = 10.42.2.197 on resource = Topic:LITERAL:bridge-f6061113-9d7c-4c53-a333-1f117099a3c6 for request = Metadata with resourceRefCount = 1 based on rule DefaultDeny (kafka.authorizer.logger) [data-plane-kafka-request-handler-3]
2024-08-23 09:02:35,391 INFO Principal = User:manager-external-c7ac0c13-ac06-4288-a767-3720fa73e9cd is Denied operation = DESCRIBE from host = 10.42.2.236 on resource = Group:LITERAL:manager-c7ac0c13-ac06-4288-a767-3720fa73e9cd for request = FindCoordinator with resourceRefCount = 1 based on rule DefaultDeny (kafka.authorizer.logger) [data-plane-kafka-request-handler-6]
2024-08-23 09:03:13,076 INFO Principal = User:manager-20240819-1804-0000-0000-000000000000 is Denied operation = CREATE from host = 10.42.2.55 on resource = Topic:LITERAL:bridge-e8595d1d-a618-420a-aaee-b55287dc1368 for request = Metadata with resourceRefCount = 1 based on rule DefaultDeny (kafka.authorizer.logger) [data-plane-kafka-request-handler-7]
2024-08-23 09:03:13,076 INFO Principal = User:manager-20240819-1804-0000-0000-000000000000 is Denied operation = CREATE from host = 10.42.2.55 on resource = Topic:LITERAL:bridge-78f739ba-a19c-480b-84f8-589d8cc4c02a for request = Metadata with resourceRefCount = 1 based on rule DefaultDeny (kafka.authorizer.logger) [data-plane-kafka-request-handler-7]
2024-08-23 09:03:20,128 INFO [NodeToControllerChannelManager id=3 name=forwarding] Node 0 disconnected. (org.apache.kafka.clients.NetworkClient) [broker-3-to-controller-forwarding-channel-manager]
2024-08-23 09:04:12,325 INFO Principal = User:manager-2a0f8403-c303-4a0f-879b-723ae373ed13 is Denied operation = DESCRIBE from host = 10.42.2.179 on resource = Topic:LITERAL:bridge-c815abc9-c465-44d5-9ee3-560c1c6beb79 for request = Metadata with resourceRefCount = 1 based on rule DefaultDeny (kafka.authorizer.logger) [data-plane-kafka-request-handler-4]
2024-08-23 09:04:12,325 INFO Principal = User:manager-2a0f8403-c303-4a0f-879b-723ae373ed13 is Denied operation = DESCRIBE from host = 10.42.2.179 on resource = Topic:LITERAL:bridge-599805f5-3b27-44ec-b801-bae3f19b6746 for request = Metadata with resourceRefCount = 1 based on rule DefaultDeny (kafka.authorizer.logger) [data-plane-kafka-request-handler-4]
2024-08-23 09:04:54,956 INFO Principal = User:manager-20240626-1623-0000-0000-000000000000 is Denied operation = DESCRIBE from host = 10.42.0.219 on resource = Topic:LITERAL:bridge-baa3133c-1449-4a16-b28c-b38b06df4416 for request = Metadata with resourceRefCount = 1 based on rule DefaultDeny (kafka.authorizer.logger) [data-plane-kafka-request-handler-4]
2024-08-23 09:04:54,956 INFO Principal = User:manager-20240626-1623-0000-0000-000000000000 is Denied operation = DESCRIBE from host = 10.42.0.219 on resource = Topic:LITERAL:bridge-394ea180-9b1c-4b3b-8f16-007ec97e392f for request = Metadata with resourceRefCount = 1 based on rule DefaultDeny (kafka.authorizer.logger) [data-plane-kafka-request-handler-4]
2024-08-23 09:04:54,956 INFO Principal = User:manager-20240626-1623-0000-0000-000000000000 is Denied operation = DESCRIBE from host = 10.42.0.219 on resource = Topic:LITERAL:bridge-d24c0f04-a333-41aa-848d-c6ad07dc48bf for request = Metadata with resourceRefCount = 1 based on rule DefaultDeny (kafka.authorizer.logger) [data-plane-kafka-request-handler-4]

kafka.yml

apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaNodePool
metadata:
  name: controller
  labels:
    strimzi.io/cluster: {{ .Values.kafka.name }}
spec:
  replicas: 3
  roles:
    - controller
  storage:
    type: jbod
    volumes:
      - id: 0
        type: persistent-claim
        size: 20Gi
        deleteClaim: false
  template:
    pod:
      metadata:
        labels:
          app: kafka-controller
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: app
                      operator: In
                      values:
                        - kafka-controller
                topologyKey: "kubernetes.io/hostname"
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaNodePool
metadata:
  name: broker
  labels:
    strimzi.io/cluster: {{ .Values.kafka.name }}
spec:
  replicas: 3
  roles:
    - broker
  storage:
    type: jbod
    volumes:
      - id: 0
        type: persistent-claim
        size: 100Gi
        deleteClaim: false
  template:
    pod:
      metadata:
        labels:
          app: kafka-broker
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: app
                      operator: In
                      values:
                        - kafka-broker
                topologyKey: "kubernetes.io/hostname"
apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: {{ .Values.kafka.name }}
  annotations:
    strimzi.io/node-pools: enabled
    strimzi.io/kraft: enabled
spec:
  kafka:
    version: 3.7.0
    metadataVersion: 3.7-IV4
    listeners:
      - name: internal
        port: 9092
        type: cluster-ip
        tls: false
        authentication:
          type: scram-sha-512
      - name: public
        port: 9094
        type: nodeport
        tls: false
        authentication:
          type: scram-sha-512
        configuration:
            bootstrap:
              nodePort: 32200
            brokers:
            - broker: 3
              advertisedHost: {{ .Values.kafka.advertisedHost.public }}
              nodePort: 32000
            - broker: 4
              advertisedHost: {{ .Values.kafka.advertisedHost.public }}
              nodePort: 32001
            - broker: 5
              advertisedHost: {{ .Values.kafka.advertisedHost.public }}
              nodePort: 32002
      - name: private
        port: 9093
        type: nodeport
        tls: false
        authentication:
          type: scram-sha-512
        configuration:
            bootstrap:
              nodePort: 32100
            brokers:
            - broker: 3
              advertisedHost: {{ .Values.kafka.advertisedHost.private }}
            - broker: 4
              advertisedHost: {{ .Values.kafka.advertisedHost.private }}
            - broker: 5
              advertisedHost: {{ .Values.kafka.advertisedHost.private }}
    #   - name: tls
    #     port: 9093
    #     type: internal
    #     tls: true
    #     authentication:
    #       type: scram-sha-512
    config:
      message.max.bytes: 20000000
      replica.fetch.max.bytes: 20000000
      offsets.topic.replication.factor: 3
      transaction.state.log.replication.factor: 3
      transaction.state.log.min.isr: 2
      default.replication.factor: 3
      min.insync.replicas: 2
      consumer.session.timeout.ms: 45000
      consumer.heartbeat.interval.ms: 3000
    authorization:
      type: simple
    logging:
      type: inline
      loggers:
        kafka.root.logger.level: {{ .Values.kafka.logger.level }}
  entityOperator:
    topicOperator: {}
    userOperator: {}

local_bridge.yml user

apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  name: bridge-local
  labels:
    strimzi.io/cluster: {{ .Values.kafka.name }}
spec:
  authentication:
    type: scram-sha-512
  authorization:
    type: simple
    acls:
      - resource:
          type: topic
          name: bridge-
          patternType: prefix
        operations:
          - Describe
          - Read
        host: "*"
      - resource:
          type: group
          name: bridge-
          patternType: prefix
        operations:
          - Describe
          - Read
        host: "*"
      - resource:
          type: topic
          name: manager-
          patternType: prefix
        operations:
          - Describe
          - Write
        host: "*"
      - resource:
          type: group
          name: manager-
          patternType: prefix
        operations:
          - Describe
          - Write
        host: "*"
      - resource:
          type: topic
          name: heartbeat
          patternType: literal
        operations:
          - Describe
          - Write
        host: "*"
      - resource:
          type: group
          name: heartbeat
          patternType: literal
        operations:
          - Describe
          - Write
        host: "*"

local_manager.yml

apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  name: manager-local
  labels:
    strimzi.io/cluster: {{ .Values.kafka.name }}
spec:
  authentication:
    type: scram-sha-512
  authorization:
    type: simple
    acls:
      - resource:
          type: topic
          name: bridge-
          patternType: prefix
        operations:
          - Describe
          - Write
        host: "*"
      - resource:
          type: group
          name: bridge-
          patternType: prefix
        operations:
          - Describe
          - Write
        host: "*"
      - resource:
          type: topic
          name: manager-
          patternType: prefix
        operations:
          - Describe
          - Read
        host: "*"
      - resource:
          type: group
          name: manager-
          patternType: prefix
        operations:
          - Describe
          - Read
        host: "*"

[ghost]

[ghost]

It is still not formatted. So one cannot read it and see if it has the correct structure. You have to format it as code.

Yml files i formated as code, Logs i save as Quote, i think it's logical.

[scholzj]

Well, it was not formatted that way before.

[scholzj]

So, now after you made it readable, what exactly is the question or problem about those files?

[ghost]

My question is. Why i receive in logs, denied operations for CREATE or DESCRIBE ?
I see it's only in logs, on my application everything is working OK, no problems and why i get DESCRIBE operation, is it default action when you read or write to topic?

INFO Principal = User:manager-11111111-0000-0000-0001-000015082024 is Denied operation = DESCRIBE from host = 10.42.2.172 on resource = Topic:LITERAL:manager-external-11111111-0000-0000-0001-000015082024 for request = Metadata with resourceRefCount = 1 based on rule DefaultDeny (kafka.authorizer.logger) [data-plane-kafka-request-handler-2]
2024-08-23 09:01:02,960 INFO Principal = User:manager-a3381f58-e528-47ec-8a49-9a25ed576dec is Denied operation = CREATE from host = 10.42.2.197 on resource = Topic:LITERAL:bridge-f6061113-9d7c-4c53-a333-1f117099a3c6 for request = Metadata with resourceRefCount = 1 based on rule DefaultDeny (kafka.authorizer.logger) [data-plane-kafka-request-handler-3]

[scholzj]

So, the users you shared are named bridge-local and manager-local. But the user in the log is manager-11111111-0000-0000-0001-000015082024. I do not know how your client triggering these operations is configured, but it seems to authenticate as manager-11111111-0000-0000-0001-000015082024 which does not seem to be allowed to do these operations. And the two KafkaUser resources you shared will not give this user such ACL rights because they have their own usernames.