Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 9B870200CDD for ; Mon, 7 Aug 2017 22:21:10 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 9A340165FC2; Mon, 7 Aug 2017 20:21:10 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id DFA06165FBE for ; Mon, 7 Aug 2017 22:21:09 +0200 (CEST) Received: (qmail 45682 invoked by uid 500); 7 Aug 2017 20:21:08 -0000 Mailing-List: contact dev-help@kafka.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@kafka.apache.org Delivered-To: mailing list dev@kafka.apache.org Received: (qmail 45671 invoked by uid 99); 7 Aug 2017 20:21:08 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd2-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 07 Aug 2017 20:21:08 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd2-us-west.apache.org (ASF Mail Server at spamd2-us-west.apache.org) with ESMTP id 348221A0342 for ; Mon, 7 Aug 2017 20:21:08 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd2-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -100.002 X-Spam-Level: X-Spam-Status: No, score=-100.002 tagged_above=-999 required=6.31 tests=[RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=disabled Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd2-us-west.apache.org [10.40.0.9]) (amavisd-new, port 10024) with ESMTP id bY6bqYzHOFYW for ; Mon, 7 Aug 2017 20:21:03 +0000 (UTC) Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTP id 068566111B for ; Mon, 7 Aug 2017 20:21:01 +0000 (UTC) Received: from jira-lw-us.apache.org (unknown [207.244.88.139]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 9612BE0536 for ; Mon, 7 Aug 2017 20:21:00 +0000 (UTC) Received: from jira-lw-us.apache.org (localhost [127.0.0.1]) by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 4BD2724161 for ; Mon, 7 Aug 2017 20:21:00 +0000 (UTC) Date: Mon, 7 Aug 2017 20:21:00 +0000 (UTC) From: "Alla Tumarkin (JIRA)" To: dev@kafka.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Created] (KAFKA-5709) Improve logging to include errors from state-change log in server log MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 archived-at: Mon, 07 Aug 2017 20:21:10 -0000 Alla Tumarkin created KAFKA-5709: ------------------------------------ Summary: Improve logging to include errors from state-change log in server log Key: KAFKA-5709 URL: https://issues.apache.org/jira/browse/KAFKA-5709 Project: Kafka Issue Type: Improvement Components: log Affects Versions: 0.10.2.0 Reporter: Alla Tumarkin Problem The following message was generated over and over again when running kafka-console-producer or kafka-console-consumer with SSL and ACLs enabled {code} WARN Error while fetching metadata with correlation id 1 : {test=LEADER_NOT_AVAILABLE} (org.apache.kafka.clients.NetworkClient)` endlessly when I run kafka-console-producer or kafka-console-consumer {code} however server log (or authorizer log) did not indicate any problem. Background 1) Initially, security.inter.broker.protocol setting was missing in server.properties, so connection was falling back to using plaintext port (9092), and only state-change.log actually contained the underlying error: {code} [2017-08-04 13:40:48,536] TRACE Controller 0 epoch 6 received response {error_code=31,partitions=[{topic=test,partition=0,error_code=31},{topic=__confluent.support.metrics,partition=0,error_code=31}]} for a request sent to broker localhost:9092 (id: 0 rack: null) (state.change.logger) {code} as per https://kafka.apache.org/protocol#protocol_error_codes {code} CLUSTER_AUTHORIZATION_FAILED 31 False Cluster authorization failed. {code} 2) After setting "security.inter.broker.protocol=SSL" the port changed to secure (9093) yet the error in state-change log did not go away: {code} [2017-08-04 13:49:38,462] TRACE Controller 0 epoch 7 received response {error_code=31} for a request sent to broker localhost:9093 (id: 0 rack: null) (state.change.logger) {code} and LEADER_NOT_AVAILABLE was still generated. This time though, kafka-authorizer.log had a better indication of the problem: {code} [2017-08-04 18:17:46,770] DEBUG No acl found for resource Cluster:kafka-cluster, authorized = false (kafka.authorizer.logger) [2017-08-04 18:17:46,770] DEBUG Principal = User:CN=Unknown,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown is Denied Operation = ClusterAction from host = 127.0.0.1 on resource = Cluster:kafka-cluster (kafka.authorizer.logger) {code} The issue being that topic metadata is not propagated successfully from controller to broker since the broker user doesn't have ClusterAction permission. Fixed by {code} bin/kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal "User:CN=Unknown,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown" --operation ClusterAction --cluster {code} Request The debugging is tricky since the controller to broker logging is done in controller/state-change log, not in the main server log. We need to improve the logging on this. -- This message was sent by Atlassian JIRA (v6.4.14#64029)