Kafka Error CLUSTER_AUTHORIZATION_FAILED
Error code 31 · Non-retriable · Security
Cluster authorization failed.
Common Causes
- Operation requires CLUSTER-level ACL (e.g., CREATE topics via auto-creation, describe cluster, alter configs) but principal only has topic-level ACLs
- Admin client attempting broker config changes or log dir reassignment without CLUSTER:ALTER or CLUSTER:ALTER_CONFIGS permission
- auto.create.topics.enable=true on broker but the producer/consumer principal lacks CLUSTER:CREATE permission
Solutions
- Grant cluster-level permission: kafka-acls.sh --bootstrap-server localhost:9092 --add --allow-principal User:<name> --operation <op> --cluster
- Disable auto.create.topics.enable and pre-create topics explicitly to avoid requiring cluster-level ACLs for producers/consumers
- Audit which operations require CLUSTER scope in the Kafka docs and scope ACLs to the minimum necessary operations
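The audit step above as an added example (not from the original page or the Kafka project): a shell filter that reads the output of kafka-acls.sh --list --cluster and flags CLUSTER-scope ALLOW entries worth reviewing. The listing line format, the BROAD_OPS policy, the function names and the sample principals are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: review CLUSTER-scope ALLOW entries in `kafka-acls.sh --list --cluster` output.
# Assumption: each ACL is printed on one line as
#   (principal=User:x, host=*, operation=OP, permissionType=ALLOW)

# Operations treated as broad at CLUSTER scope (assumed review policy; adjust to yours).
BROAD_OPS="ALL ALTER ALTER_CONFIGS CLUSTER_ACTION"

# stdin: ACL listing. stdout: "OPERATION|PRINCIPAL" for every ALLOW entry.
# The principal match is greedy up to ", host=" so TLS DNs containing commas survive.
cluster_allows() {
  sed -n 's/.*(principal=\(.*\), host=[^,]*, operation=\([A-Z_]*\), permissionType=ALLOW).*/\2|\1/p'
}

# stdin: ACL listing. stdout: one finding per line, PRINCIPAL<TAB>OPERATION<TAB>REASON.
audit_cluster_acls() {
  cluster_allows | awk -v broad="$BROAD_OPS" '
    BEGIN { n = split(broad, b, " "); for (i = 1; i <= n; i++) isbroad[b[i]] = 1 }
    {
      i = index($0, "|"); op = substr($0, 1, i - 1); who = substr($0, i + 1)
      # Broad operations first; CREATE is flagged because pre-creating topics removes the need for it.
      if (op in isbroad)       print who "\t" op "\tbroad-operation"
      else if (op == "CREATE") print who "\t" op "\ttopic-auto-creation"
    }'
}

# Constructed sample listing (not from a real cluster).
sample_listing() {
  cat <<'EOF'
Current ACLs for resource `ResourcePattern(resourceType=CLUSTER, name=kafka-cluster, patternType=LITERAL)`:
 	(principal=User:orders-producer, host=*, operation=IDEMPOTENT_WRITE, permissionType=ALLOW)
 	(principal=User:orders-producer, host=*, operation=CREATE, permissionType=ALLOW)
 	(principal=User:etl, host=*, operation=ALL, permissionType=ALLOW)
 	(principal=User:CN=ops-admin,OU=platform, host=10.0.0.5, operation=ALTER_CONFIGS, permissionType=ALLOW)
 	(principal=User:guest, host=*, operation=DESCRIBE, permissionType=DENY)
EOF
}

# Against a live cluster, pipe the listing command from this page into the filter:
#   kafka-acls.sh --bootstrap-server localhost:9092 --list --cluster | audit_cluster_acls
if [ "${1:-}" = "--demo" ]; then sample_listing | audit_cluster_acls; fi
```

DENY entries and narrowly scoped operations such as IDEMPOTENT_WRITE pass through unflagged; each flagged line is a candidate for replacement with topic-level ACLs or removal.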
Diagnostic Commands
# List ACLs on the cluster resource
kafka-acls.sh --bootstrap-server localhost:9092 --list --cluster
# Look for authorization failures in logs
grep 'CLUSTER_AUTHORIZATION_FAILED\|Cluster authorization failed' /var/log/kafka/server.log | tail -20
Related APIs
This error can be returned by: AlterReplicaLogDirs · DeleteShareGroupState · DescribeClientQuotas · DescribeLogDirs · DescribeUserScramCredentials · GetTelemetrySubscriptions · InitProducerId · InitializeShareGroupState · ReadShareGroupState · ReadShareGroupStateSummary · WriteShareGroupState