User operator and OPA

[jesussancheztellomm]

Hello,

Since we introduced OPA as authorizer, the renewal process of the certificates for the kafkausers is not working.

I understand that while using OPA it does not make sense to have kafkausers created but we are in a migration phase and need that this functionality keeps working for our mtls "legacy" users.

The user operator is throwing the same error all the time.

2022-03-18 12:26:31 ERROR AbstractOperator:247 - Reconciliation #6234339(timer) KafkaUser(kafka-cdr-sta/qvantel): createOrUpdate failed io.strimzi.operator.cluster.model.InvalidResourceException: Simple authorization ACL rules are configured but not supported in the Kafka cluster configuration. at io.strimzi.operator.user.model.KafkaUserModel.fromCrd(KafkaUserModel.java:117) ~[io.strimzi.user-operator-0.27.0.jar:0.27.0] at io.strimzi.operator.user.operator.KafkaUserOperator.createOrUpdate(KafkaUserOperator.java:119) ~[io.strimzi.user-operator-0.27.0.jar:0.27.0] at io.strimzi.operator.user.operator.KafkaUserOperator.createOrUpdate(KafkaUserOperator.java:42) ~[io.strimzi.user-operator-0.27.0.jar:0.27.0] at io.strimzi.operator.common.AbstractOperator.lambda$reconcile$9(AbstractOperator.java:228) ~[io.strimzi.operator-common-0.27.0.jar:0.27.0] at io.strimzi.operator.common.AbstractOperator.callSafely(AbstractOperator.java:405) ~[io.strimzi.operator-common-0.27.0.jar:0.27.0] at io.strimzi.operator.common.AbstractOperator.lambda$withLock$17(AbstractOperator.java:376) ~[io.strimzi.operator-common-0.27.0.jar:0.27.0] at io.vertx.core.impl.future.FutureImpl$3.onSuccess(FutureImpl.java:141) ~[io.vertx.vertx-core-4.2.1.jar:4.2.1] at io.vertx.core.impl.future.FutureBase.emitSuccess(FutureBase.java:60) ~[io.vertx.vertx-core-4.2.1.jar:4.2.1] at io.vertx.core.impl.future.FutureImpl.addListener(FutureImpl.java:196) ~[io.vertx.vertx-core-4.2.1.jar:4.2.1] at io.vertx.core.impl.future.PromiseImpl.addListener(PromiseImpl.java:23) ~[io.vertx.vertx-core-4.2.1.jar:4.2.1] at io.vertx.core.impl.future.FutureImpl.onComplete(FutureImpl.java:164) ~[io.vertx.vertx-core-4.2.1.jar:4.2.1] at io.vertx.core.impl.future.PromiseImpl.onComplete(PromiseImpl.java:23) ~[io.vertx.vertx-core-4.2.1.jar:4.2.1] at io.vertx.core.shareddata.impl.SharedDataImpl.getLockWithTimeout(SharedDataImpl.java:100) ~[io.vertx.vertx-core-4.2.1.jar:4.2.1] at io.strimzi.operator.common.AbstractOperator.withLock(AbstractOperator.java:367) ~[io.strimzi.operator-common-0.27.0.jar:0.27.0] at io.strimzi.operator.common.AbstractOperator.reconcile(AbstractOperator.java:170) ~[io.strimzi.operator-common-0.27.0.jar:0.27.0] at io.strimzi.operator.common.Operator.reconcileThese(Operator.java:84) ~[io.strimzi.operator-common-0.27.0.jar:0.27.0] at io.strimzi.operator.common.Operator.lambda$reconcileAll$0(Operator.java:61) ~[io.strimzi.operator-common-0.27.0.jar:0.27.0]

Is there any workaround that we can apply for the user operator?

Our current Strimzi version is 0.27.1

Thanks in advance,
Best regards

[scholzj]

I understand that while using OPA it does not make sense to have kafkausers created but we are in a migration phase and need that this functionality keeps working for our mtls "legacy" users.

That is not possible. Kafka allows you to have only one authorizer. You either use the OPA authorizer and then you should remove the ACLs rules from your users. Or you use Simple authorizer and than you can manage the ACLs from the KafkaUser resources. There is no in-between variant.

[jesussancheztellomm]

Understood. Thank you very much!

[scholzj]

Just as an additional clarification ... this check in the User operator is done for two reasons:

• Users often wrongly assumed that by setting the ACLs in the KafkaUser the ACLs are all set which is not the case. This should make it clear that this is not enough when the authorization is not properly configured in the Kafka broker
• More important from the technical perspective, the Admin API would be throwing exceptions all over the place when the right auhtorization is not configured in the Kafka brokers. So checking this first helps use to avoid a long stream of errors in the logs.