- Bug
- Resolution: Done
- Undefined
- 2.7.0.GA
- None
Setup:
- Streams for Apache Kafka 2.7
- OCP
- Kafka Console
- Three Kafka clusters: cluster-a, cluster-b and cluster-c
According to the article https://access.redhat.com/solutions/7114131, you can enable authentication (using SCRAM-SHA credentials via the UI) in the Kafka console by simply removing the credentials section (credentials: kafkaUser: name: kafkaconsole) from the Console custom resource (CR). Once removed, the UI will prompt you to enter credentials.
```yaml
spec:
  hostname: [obfuscated_hostname]
  kafkaClusters:
    - name: cluster-a
      namespace: ns-cluster-a
      listener: scramtls
      metricsSource: kafka
    - name: cluster-b
      namespace: ns-cluster-b
      listener: scramtls
      metricsSource: kafka
    - name: cluster-c
      namespace: ns-cluster-c
      listener: scramtls
      metricsSource: kafka
```
Issue:
No matter which cluster is selected, the authentication workflow is always forwarded to the cluster-c Kafka cluster (cluster-c-kafka-bootstrap.kafka.svc):
```
2025-04-01 20:36:31,091 INFO [io.qua.htt.access-log] (executor-thread-1) ANONYMOUS [obfuscated_ip1] - "GET /api/kafkas?fields%5Bkafkas%5D=name%2Cnamespace%2CkafkaVersion&sort=name HTTP/1.1" 200 264ms 1098
2025-04-01 20:36:32,053 INFO [io.qua.htt.access-log] (vert.x-eventloop-thread-3) kafkaconsole [obfuscated_ip1] - "GET /api/kafkas/AWSXONEGRie3h2vd-ENu8A?fields%5Bkafkas%5D=name%2Cnamespace%2CcreationTimestamp%2Cstatus%2CkafkaVersion%2Cnodes%2Ccontroller%2Clisteners%2Cconditions%2CnodePools%2CcruiseControlEnabled HTTP/1.1" 200 919ms 1392
2025-04-01 20:36:48,739 ERROR [org.apa.kaf.cli.NetworkClient] (kafka-admin-client-thread | adminclient-2) [AdminClient clientId=adminclient-2] Connection to node -1 (cluster-c-kafka-bootstrap.kafka.svc/[obfuscated_ip1]:9096) failed authentication due to: Authentication failed during authentication due to invalid credentials with SASL mechanism SCRAM-SHA-512
2025-04-01 20:36:48,749 INFO [io.qua.htt.access-log] (vert.x-eventloop-thread-2) user-dev [obfuscated_ip1] - "GET /api/kafkas/AWSXONEGRie3h2vd-ENu8A?$ HTTP/1.1" 401 337ms 231
2025-04-01 20:37:12,028 ERROR [org.apa.kaf.cli.NetworkClient] (kafka-admin-client-thread | adminclient-3) [AdminClient clientId=adminclient-3] Connection to node -1 (cluster-c-kafka-bootstrap.kafka.svc/[obfuscated_ip1]:9096) failed authentication due to: Authentication failed during authentication due to invalid credentials with SASL mechanism SCRAM-SHA-512
2
```
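Added example, not part of the original report or the console's own code: a log triage check that pairs each 401 on /api/kafkas/<id> with the AdminClient SASL failure logged just before it and flags logins whose credentials went to a bootstrap host other than the one expected for the requested cluster. The cluster ids, the id-to-bootstrap mapping, the cluster-a hostname and the IP address are constructed assumptions; only the log line format is taken from the report.

```python
import re
from datetime import datetime, timedelta

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})"
# AdminClient SASL failure: captures timestamp and the bootstrap host contacted.
SASL_FAIL = re.compile(TS + r" ERROR .*Connection to node -?\d+ \(([^/\s]+)/[^)]*\) failed authentication")
# Access-log 401 on a single cluster: captures timestamp, user and cluster id.
HTTP_401 = re.compile(TS + r' INFO .*\) (\S+) \S+ - "GET /api/kafkas/([^?\s"]+)[^"]*" 401 ')

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S,%f")

def misrouted_logins(log_text, expected_bootstrap, window=timedelta(seconds=5)):
    """Return (cluster_id, user, expected_host, contacted_host) for every 401
    whose preceding SASL failure hit a different cluster's bootstrap."""
    last_fail, findings = None, []
    for line in log_text.splitlines():
        m = SASL_FAIL.match(line)
        if m:
            last_fail = (parse_ts(m.group(1)), m.group(2))
            continue
        m = HTTP_401.match(line)
        if not (m and last_fail):
            continue
        ts, user, cluster_id = parse_ts(m.group(1)), m.group(2), m.group(3)
        fail_ts, host = last_fail
        want = expected_bootstrap.get(cluster_id)
        if want and host != want and timedelta(0) <= ts - fail_ts <= window:
            findings.append((cluster_id, user, want, host))
    return findings

# Constructed sample in the report's log format (ids and IP are placeholders).
SAMPLE_LOG = """\
2025-04-01 20:36:48,739 ERROR [org.apa.kaf.cli.NetworkClient] (kafka-admin-client-thread | adminclient-2) [AdminClient clientId=adminclient-2] Connection to node -1 (cluster-c-kafka-bootstrap.kafka.svc/192.0.2.10:9096) failed authentication due to: Authentication failed during authentication due to invalid credentials with SASL mechanism SCRAM-SHA-512
2025-04-01 20:36:48,749 INFO [io.qua.htt.access-log] (vert.x-eventloop-thread-2) user-dev 192.0.2.10 - "GET /api/kafkas/ID-CLUSTER-A?fields=name HTTP/1.1" 401 337ms 231
2025-04-01 20:37:12,028 ERROR [org.apa.kaf.cli.NetworkClient] (kafka-admin-client-thread | adminclient-3) [AdminClient clientId=adminclient-3] Connection to node -1 (cluster-c-kafka-bootstrap.kafka.svc/192.0.2.10:9096) failed authentication due to: Authentication failed during authentication due to invalid credentials with SASL mechanism SCRAM-SHA-512
2025-04-01 20:37:12,040 INFO [io.qua.htt.access-log] (vert.x-eventloop-thread-2) user-dev 192.0.2.10 - "GET /api/kafkas/ID-CLUSTER-C?fields=name HTTP/1.1" 401 120ms 231
"""
# Assumed mapping, supplied by the operator: cluster id -> expected bootstrap host.
EXPECTED = {
    "ID-CLUSTER-A": "cluster-a-kafka-bootstrap.kafka.svc",
    "ID-CLUSTER-C": "cluster-c-kafka-bootstrap.kafka.svc",
}

if __name__ == "__main__":
    for finding in misrouted_logins(SAMPLE_LOG, EXPECTED):
        print("credentials sent to wrong cluster:", finding)
```

A finding means credentials entered for one cluster were presented to another cluster's listener, so the affected users' failed logins should be reviewed on the contacted cluster as well.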