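I. Background

Fixed in ttr-2.2.1 and later
In ttr-2.2.1 and later, Atlas automatically adapts its Kafka ACL permissions once Kerberos is enabled.
If you use an earlier version (such as ttr-2.2.0), Atlas may be unable to consume the topic at startup because of a Kafka authentication failure.
If you hit a similar problem during deployment or custom development, you can contact the author for a patch.

Note: three common permission errors at Atlas startup

  1. HBase permission denied → covered in an earlier post;
  2. Solr 401 Unauthorized → resolved;
  3. Kafka ACL access denied (the focus of this post).

II. Symptoms

After Atlas starts it keeps reporting errors, and the log repeats the following warnings: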

2025-11-08 17:06:11,163 [NotificationHookConsumer thread-0] WARN [NotificationHookConsumer.java:635] Exception in NotificationHookConsumer
org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to access group: atlas
2025-11-08 17:06:26,123 [index-health-monitor] INFO [AtlasJanusGraphIndexClient.java:98] indexBackEnd=solr; isHealthy=true
2025-11-08 17:06:41,170 [NotificationHookConsumer thread-0] WARN [NotificationHookConsumer.java:635] Exception in NotificationHookConsumer
org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to access group: atlas
2025-11-08 17:06:56,127 [index-health-monitor] INFO [AtlasJanusGraphIndexClient.java:98] indexBackEnd=solr; isHealthy=true
2025-11-08 17:07:11,173 [NotificationHookConsumer thread-0] WARN [NotificationHookConsumer.java:635] Exception in NotificationHookConsumer
org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to access group: atlas
2025-11-08 17:07:26,134 [index-health-monitor] INFO [AtlasJanusGraphIndexClient.java:98] indexBackEnd=solr; isHealthy=true
2025-11-08 17:07:41,176 [NotificationHookConsumer thread-0] WARN [NetworkClient.java:1100] [Consumer clientId=consumer-atlas-1, groupId=atlas] Error while fetching metadata with correlation id 72 : {ATLAS_HOOK=TOPIC_AUTHORIZATION_FAILED}
2025-11-08 17:07:41,177 [NotificationHookConsumer thread-0] ERROR [Metadata.java:301] [Consumer clientId=consumer-atlas-1, groupId=atlas] Topic authorization failed for topics [ATLAS_HOOK]
2025-11-08 17:07:41,177 [NotificationHookConsumer thread-0] WARN [NotificationHookConsumer.java:635] Exception in NotificationHookConsumer
org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [ATLAS_HOOK]
2025-11-08 17:07:56,137 [index-health-monitor] INFO [AtlasJanusGraphIndexClient.java:98] indexBackEnd=solr; isHealthy=true
2025-11-08 17:08:11,178 [NotificationHookConsumer thread-0] WARN [NotificationHookConsumer.java:635] Exception in NotificationHookConsumer
org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to access group: atlas
2025-11-08 17:08:26,142 [index-health-monitor] INFO [AtlasJanusGraphIndexClient.java:98] indexBackEnd=solr; isHealthy=true
2025-11-08 17:08:41,181 [NotificationHookConsumer thread-0] WARN [NotificationHookConsumer.java:635] Exception in NotificationHookConsumer
org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to access group: atlas
2025-11-08 17:08:56,146 [index-health-monitor] INFO [AtlasJanusGraphIndexClient.java:98] indexBackEnd=solr; isHealthy=true
2025-11-08 17:09:11,184 [NotificationHookConsumer thread-0] WARN [NotificationHookConsumer.java:635] Exception in NotificationHookConsumer
org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to access group: atlas
2025-11-08 17:09:26,151 [index-health-monitor] INFO [AtlasJanusGraphIndexClient.java:98] indexBackEnd=solr; isHealthy=true
2025-11-08 17:09:41,188 [NotificationHookConsumer thread-0] WARN [NotificationHookConsumer.java:635] Exception in NotificationHookConsumer
org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to access group: atlas
[root@dev1 atlas]#

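Two key exceptions appear in the log:

| Exception type | Description |
| --- | --- |
| GroupAuthorizationException | Atlas cannot join the Kafka consumer group (group=atlas) |
| TopicAuthorizationException | Atlas has no permission to access the ATLAS_HOOK / ATLAS_ENTITIES topics |

This shows that Atlas passed Kerberos authentication successfully, but the Kafka side has not granted it ACL access.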
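To turn a long Atlas log like the one above into a short list of denied Kafka resources, the following added example (not part of the original post) counts the two authorization exceptions per resource. The function names `kafka_denials` and `sample_atlas_log` and the topic `EXAMPLE_TOPIC` are assumptions made for illustration.

```bash
# Added example (not from the original post): summarise which Kafka resources
# an Atlas log shows as denied. The function name kafka_denials is hypothetical.

# Reads an Atlas application log on stdin and prints "TYPE NAME COUNT" per
# denied resource, sorted. Only authorization exceptions are counted.
kafka_denials() {
  awk '
    /GroupAuthorizationException: Not authorized to access group: / {
      g = $0; sub(/.*access group: /, "", g); sub(/[ \t\r]+$/, "", g)
      seen["GROUP " g]++
    }
    /TopicAuthorizationException: Not authorized to access topics: \[/ {
      t = $0; sub(/.*access topics: \[/, "", t); sub(/\].*/, "", t)
      n = split(t, names, /, */)          # the list may name several topics
      for (i = 1; i <= n; i++) seen["TOPIC " names[i]]++
    }
    END { for (k in seen) print k, seen[k] }' | sort
}

# Sample input: lines 1-4 are copied from the log above; the last line is
# constructed (EXAMPLE_TOPIC is made up) to show a multi-topic list.
sample_atlas_log() {
  cat <<'EOF'
2025-11-08 17:06:11,163 [NotificationHookConsumer thread-0] WARN [NotificationHookConsumer.java:635] Exception in NotificationHookConsumer
org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to access group: atlas
2025-11-08 17:06:26,123 [index-health-monitor] INFO [AtlasJanusGraphIndexClient.java:98] indexBackEnd=solr; isHealthy=true
org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [ATLAS_HOOK]
org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [ATLAS_HOOK, EXAMPLE_TOPIC]
EOF
}

sample_atlas_log | kafka_denials
```

A resource that is absent from the summary is not shown to be authorized: the log only records denials for resources the consumer actually touched, which is why ATLAS_ENTITIES never appears in the log above.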

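III. Investigation and Analysis

Atlas uses its NotificationHookConsumer module to listen for metadata change events in Kafka (ATLAS_HOOK / ATLAS_ENTITIES).
Once Kerberos is enabled, Kafka turns on SASL/GSSAPI + ACL control by default, and any principal that is not registered in the ACLs is refused a connection.

The atlas user therefore has to be granted access manually.

IV. Fix: add permissions with kafka-acls

Switch to the Kafka master node and enter the bin directory: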

cd /usr/bigtop/current/kafka-broker/bin

1. Grant consumer group permissions (Group)

./kafka-acls.sh \
  --authorizer-properties zookeeper.connect=dev1:2181,dev2:2181,dev3:2181 \
  --add --allow-principal "User:atlas" \
  --group atlas --operation Read --operation Describe --resource-pattern-type LITERAL

2. Grant topic consume permissions (ATLAS_HOOK)

./kafka-acls.sh \
  --authorizer-properties zookeeper.connect=dev1:2181,dev2:2181,dev3:2181 \
  --add --allow-principal "User:atlas" \
  --topic ATLAS_HOOK --operation Read --operation Describe --resource-pattern-type LITERAL

3. Grant topic write permissions (ATLAS_ENTITIES)

./kafka-acls.sh \
  --authorizer-properties zookeeper.connect=dev1:2181,dev2:2181,dev3:2181 \
  --add --allow-principal "User:atlas" \
  --topic ATLAS_ENTITIES --operation Write --operation Describe --resource-pattern-type LITERAL

V. Verifying the Result

After the commands run, output like the following shows that the permissions were added successfully:

Adding ACLs for resource `ResourcePattern(resourceType=GROUP, name=atlas, patternType=LITERAL)`:
        (principal=User:atlas, host=*, operation=DESCRIBE, permissionType=ALLOW)
        (principal=User:atlas, host=*, operation=READ, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=atlas, patternType=LITERAL)`:
        (principal=User:atlas, host=*, operation=DESCRIBE, permissionType=ALLOW)
        (principal=User:atlas, host=*, operation=READ, permissionType=ALLOW)

The topic authorization output is similar:

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=ATLAS_HOOK, patternType=LITERAL)`:
        (principal=User:atlas, host=*, operation=DESCRIBE, permissionType=ALLOW)
        (principal=User:atlas, host=*, operation=READ, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=ATLAS_ENTITIES, patternType=LITERAL)`:
        (principal=User:atlas, host=*, operation=WRITE, permissionType=ALLOW)
        (principal=User:atlas, host=*, operation=DESCRIBE, permissionType=ALLOW)


Sign of success
A returned "Current ACLs for resource …" block means the authorization has taken effect and the atlas user has read, write and describe permissions.
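Reading the "Current ACLs" blocks by eye gets error-prone once a cluster holds more entries, so the following added example (not part of the original post) checks such output against the six grants made above and also flags any other ALLOW entry held by the principal. The names `atlas_acl_audit` and `sample_acl_listing` and the MISSING/EXTRA output format are assumptions; the sample listing is constructed.

```bash
# Added example (not from the original post): compare kafka-acls output with
# the six grants this page adds. atlas_acl_audit is a hypothetical name.
# Reads kafka-acls output on stdin. Prints "MISSING <grant>" for each required
# grant that is absent and "EXTRA <grant>" for any other ALLOW entry held by
# the principal ($1, default User:atlas). No output means an exact match.
atlas_acl_audit() {
  awk -v who="${1:-User:atlas}" '
    BEGIN {
      n = split("GROUP atlas READ;GROUP atlas DESCRIBE;" \
                "TOPIC ATLAS_HOOK READ;TOPIC ATLAS_HOOK DESCRIBE;" \
                "TOPIC ATLAS_ENTITIES WRITE;TOPIC ATLAS_ENTITIES DESCRIBE", req, ";")
      for (i = 1; i <= n; i++) need[req[i]] = 1
    }
    /^Adding ACLs for resource/ { rtype = ""; next }   # request echo, not state
    /^Current ACLs for resource/ {
      rtype = $0; sub(/.*resourceType=/, "", rtype); sub(/,.*/, "", rtype)
      rname = $0; sub(/.*name=/, "", rname); sub(/,.*/, "", rname)
      ptype = $0; sub(/.*patternType=/, "", ptype); sub(/\).*/, "", ptype)
      next
    }
    rtype != "" && /permissionType=ALLOW/ && index($0, "principal=" who ",") {
      op = $0; sub(/.*operation=/, "", op); sub(/,.*/, "", op)
      key = rtype " " rname " " op
      if (ptype != "LITERAL") key = key " [" ptype "]"
      have[key] = 1
    }
    END {
      for (i = 1; i <= n; i++) if (!(req[i] in have)) print "MISSING " req[i]
      for (k in have) if (!(k in need)) print "EXTRA " k
    }'
}

# Constructed listing: ATLAS_ENTITIES lacks WRITE, ATLAS_HOOK has an extra ALTER.
sample_acl_listing() {
  cat <<'EOF'
Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=atlas, patternType=LITERAL)`:
        (principal=User:atlas, host=*, operation=DESCRIBE, permissionType=ALLOW)
        (principal=User:atlas, host=*, operation=READ, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=ATLAS_HOOK, patternType=LITERAL)`:
        (principal=User:atlas, host=*, operation=DESCRIBE, permissionType=ALLOW)
        (principal=User:atlas, host=*, operation=READ, permissionType=ALLOW)
        (principal=User:atlas, host=*, operation=ALTER, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=ATLAS_ENTITIES, patternType=LITERAL)`:
        (principal=User:atlas, host=*, operation=DESCRIBE, permissionType=ALLOW)
EOF
}

sample_acl_listing | atlas_acl_audit
```

On a live cluster, pipe the `--list` output of `kafka-acls.sh` (run with the same `--authorizer-properties` as above) into `atlas_acl_audit`; an EXTRA line is a grant to review, not necessarily an error.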