- Story
- Resolution: Done
- Normal
- 2.2.0.GA
- None
The broker log below shows an example of a network glitch between the broker and the authorization server (400 error code).

```
2022-11-16 09:22:35,783 WARN Unexpected status while fetching authorization data - will retry next time: POST request to https://example.com/auth/realms/kafka-test/protocol/openid-connect/token failed with status 400: <html>
```
The client authenticates and creates a new session (1594811133), which ends up with `permissions: null` grants as a result of the network glitch, so the request is denied.

```
2022-11-16 09:22:35,784 DEBUG Authorization grants for user OAuthKafkaPrincipal(User:4df238ee-d09f-4432-8450-3c061809d1e2, groups: null, session: 1594811133, token: eyJh**KJIg): null (io.strimzi.kafka.oauth.server.authorizer.KeycloakRBACAuthorizer) [data-plane-kafka-request-handler-7]
permissions: null (io.strimzi.kafka.oauth.server.authorizer.KeycloakRBACAuthorizer.deny) [data-plane-kafka-request-handler-7]
2022-11-16 09:22:35,784 DEBUG Authorization DENIED - user: OAuthKafkaPrincipal(User:4df238ee-d09f-4432-8450-3c061809d1e2, groups: null, session: 1594811133, token: eyJh**KJIg), cluster: kafka, operation: READ, resource: GROUP:my-group,
```
A few milliseconds later, a new client request comes in, and this time the broker is able to get the client's grants and authorize the request.

```
2022-11-16 09:22:35,913 DEBUG Authorization grants for user OAuthKafkaPrincipal(User:4df238ee-d09f-4432-8450-3c061809d1e2, groups: null, session: 1594811133, token: eyJh**KJIg): [{"scopes":["Read","Describe","DescribeConfigs","AlterConfigs"],"rsid":"8f8b560b-c6ae-46c8-b1d3-8ce26658c925","rsname":"Group:my-group"},{"scopes":["Read","Write","Describe","Alter","Create","DescribeConfigs","AlterConfigs"],"rsid":"7893e2ce-f7b8-4173-8dc6-bcd5634f722d","rsname":"Topic:my-topic"}] (io.strimzi.kafka.oauth.server.authorizer.KeycloakRBACAuthorizer) [data-plane-kafka-request-handler-7]
2022-11-16 09:22:35,913 DEBUG Authorization GRANTED - cluster: kafka, user: OAuthKafkaPrincipal(User:4df238ee-d09f-4432-8450-3c061809d1e2, groups: null, session: 1594811133, token: eyJh**KJIg), operation: READ, resource: GROUP:my-group
```
Maybe we could evaluate the possibility of adding a retry feature that has to be explicitly enabled.
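Added example, not code from this issue or from the Strimzi project: a small Python triage script that correlates the three kinds of lines in the excerpt above (the grant-fetch error, the `grants ...: null` line and the DENIED/GRANTED decisions) so that a denial caused by a failed grant fetch can be told apart from a genuine policy denial when reading a broker log. The 5-second correlation window, the verdict names and the trimmed sample lines are assumptions; the session id, principal and resource names are the masked values the issue itself shows.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, trimmed from the log excerpt in this issue. Token and ids are the
# masked/placeholder values the issue shows; the JSON grants are shortened.
SAMPLE_LOG = """\
2022-11-16 09:22:35,783 WARN Unexpected status while fetching authorization data - will retry next time: POST request to https://example.com/auth/realms/kafka-test/protocol/openid-connect/token failed with status 400: <html>
2022-11-16 09:22:35,784 DEBUG Authorization grants for user OAuthKafkaPrincipal(User:4df238ee-d09f-4432-8450-3c061809d1e2, groups: null, session: 1594811133, token: eyJh**KJIg): null (io.strimzi.kafka.oauth.server.authorizer.KeycloakRBACAuthorizer) [data-plane-kafka-request-handler-7]
permissions: null (io.strimzi.kafka.oauth.server.authorizer.KeycloakRBACAuthorizer.deny) [data-plane-kafka-request-handler-7]
2022-11-16 09:22:35,784 DEBUG Authorization DENIED - user: OAuthKafkaPrincipal(User:4df238ee-d09f-4432-8450-3c061809d1e2, groups: null, session: 1594811133, token: eyJh**KJIg), cluster: kafka, operation: READ, resource: GROUP:my-group,
2022-11-16 09:22:35,913 DEBUG Authorization grants for user OAuthKafkaPrincipal(User:4df238ee-d09f-4432-8450-3c061809d1e2, groups: null, session: 1594811133, token: eyJh**KJIg): [{"scopes":["Read","Describe"],"rsname":"Group:my-group"}] (io.strimzi.kafka.oauth.server.authorizer.KeycloakRBACAuthorizer) [data-plane-kafka-request-handler-7]
2022-11-16 09:22:35,913 DEBUG Authorization GRANTED - cluster: kafka, user: OAuthKafkaPrincipal(User:4df238ee-d09f-4432-8450-3c061809d1e2, groups: null, session: 1594811133, token: eyJh**KJIg), operation: READ, resource: GROUP:my-group
"""

# Constructed control case: a denial with no preceding fetch error is a real policy decision.
POLICY_DENIAL_LOG = """\
2022-11-16 10:00:00,000 DEBUG Authorization grants for user OAuthKafkaPrincipal(User:aaaa, groups: null, session: 42, token: eyJh**0000): [] (io.strimzi.kafka.oauth.server.authorizer.KeycloakRBACAuthorizer) [data-plane-kafka-request-handler-1]
2022-11-16 10:00:00,001 DEBUG Authorization DENIED - user: OAuthKafkaPrincipal(User:aaaa, groups: null, session: 42, token: eyJh**0000), cluster: kafka, operation: WRITE, resource: TOPIC:other
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (\w+) (.*)$")
SESSION_RE = re.compile(r"session: (\d+)")
GRANTS_RE = re.compile(r"Authorization grants for user .*?\): (null|\[)")
DECISION_RE = re.compile(r"Authorization (DENIED|GRANTED) - .*?operation: (\w+), resource: ([^,\s]+)")
FETCH_FAIL_MARKER = "Unexpected status while fetching authorization data"


def classify_decisions(log_text, window=timedelta(seconds=5)):
    """Correlate authorizer decisions with grant-fetch errors.

    Returns one finding per DENIED line, plus one per GRANTED line that reverses a
    denial previously flagged as transient. `window` (assumed value) is how long after
    a fetch error a null-grants denial is still attributed to that error.
    """
    findings = []
    last_fetch_failure = None   # timestamp of the most recent fetch error
    null_grants = {}            # session id -> timestamp of its latest "grants: null"
    transient = {}              # (session, operation, resource) -> denial timestamp
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:               # e.g. the "permissions: null ..." line without a timestamp
            continue
        ts, msg = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f"), m.group(3)
        if FETCH_FAIL_MARKER in msg:
            last_fetch_failure = ts
            continue
        sm = SESSION_RE.search(msg)
        if not sm:
            continue
        session = sm.group(1)
        gm = GRANTS_RE.search(msg)
        if gm:
            if gm.group(1) == "null":
                null_grants[session] = ts
            else:
                null_grants.pop(session, None)   # real grants arrived for this session
            continue
        dm = DECISION_RE.search(msg)
        if not dm:
            continue
        decision, operation, resource = dm.groups()
        key = (session, operation, resource)
        if decision == "DENIED":
            fetch_age = None
            if last_fetch_failure is not None and timedelta(0) <= ts - last_fetch_failure <= window:
                fetch_age = (ts - last_fetch_failure) // timedelta(milliseconds=1)
            if session in null_grants and fetch_age is not None:
                verdict = "suspected_transient_fetch_failure"
                transient[key] = ts
            else:
                verdict = "policy_denial"
            findings.append({"time": m.group(1), "session": session, "operation": operation,
                             "resource": resource, "verdict": verdict,
                             "fetch_error_age_ms": fetch_age})
        elif key in transient:
            findings.append({"time": m.group(1), "session": session, "operation": operation,
                             "resource": resource, "verdict": "recovered_after_transient_denial",
                             "recovered_after_ms": (ts - transient.pop(key)) // timedelta(milliseconds=1)})
    return findings


if __name__ == "__main__":
    for finding in classify_decisions(SAMPLE_LOG) + classify_decisions(POLICY_DENIAL_LOG):
        print(finding)
```

On the excerpt the script reports the READ on GROUP:my-group as a suspected transient denial 1 ms after the fetch error, followed by a recovery 129 ms later; the control case comes out as a plain policy denial. Feed it a real broker log at DEBUG level for the authorizer package and adjust the window to the grants refresh interval in use.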