Kafka Error INVALID_PRINCIPAL_TYPE
Error code 67 · Non-retriable Security
Supplied principalType is not supported.
Common Causes
- ACL command specifies a principal with a type other than `User` or `Group` (the only types supported by the default `StandardAuthorizer`/`AclAuthorizer`)
- Custom authorizer expects a different principal format than what the client or admin tool is sending
- Typo in principal type string (e.g., `user:` lowercase, or `SERVICE:` instead of `User:`)
Solutions
- Always use `User:<name>` or `Group:<name>` format in ACL commands: `kafka-acls.sh --allow-principal User:alice`
- If using a custom authorizer that supports additional principal types, ensure the client's SASL mechanism correctly sets the principal type in the authentication context
- Check the authorizer implementation for supported principal types and align client configuration accordingly
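
A pre-flight check for the principal format described above, as an added example that is not part of the original page or of Kafka's own tooling. It assumes that only the `User` and `Group` types are accepted, as stated under Common Causes; the function names `classify_principal` and `lint_principals` are hypothetical and the sample principals are constructed.

```bash
#!/usr/bin/env bash
# Added example (not Kafka tooling): lint principal strings before they are
# passed to kafka-acls.sh. Assumes only User and Group types are accepted,
# as this page states for the default authorizer. Function names are hypothetical.

# Print a verdict for one principal; return 0 only when it is well formed.
classify_principal() {
  local p="$1" ptype name
  case "$p" in
    *:*) ;;                                  # has a type separator
    *)   echo "missing-type"; return 1 ;;    # e.g. plain "alice"
  esac
  ptype="${p%%:*}"   # text before the first colon
  name="${p#*:}"     # text after the first colon (assumed to be the name)
  [ -n "$ptype" ] || { echo "missing-type"; return 1; }
  [ -n "$name" ]  || { echo "empty-name"; return 1; }
  case "$ptype" in
    User|Group) echo "ok"; return 0 ;;
  esac
  # The type is case-sensitive, so user:/GROUP: are typos of a valid type.
  case "$(printf '%s' "$ptype" | tr '[:upper:]' '[:lower:]')" in
    user|group) echo "wrong-case"; return 1 ;;
  esac
  echo "unsupported-type"; return 1
}

# Read one principal per line on stdin, print "<verdict><TAB><principal>" for
# each rejected entry, and return the number of rejected entries (max 255).
lint_principals() {
  local bad=0 line verdict
  while IFS= read -r line || [ -n "$line" ]; do
    [ -n "$line" ] || continue
    if ! verdict="$(classify_principal "$line")"; then
      printf '%s\t%s\n' "$verdict" "$line"
      bad=$((bad + 1))
    fi
  done
  [ "$bad" -le 255 ] || bad=255
  return "$bad"
}

# Constructed sample input: two valid entries and four defective ones.
lint_principals <<'EOF' || echo "rejected entries: $?"
User:alice
Group:platform-admins
user:bob
SERVICE:billing
carol
User:
EOF
```

Running the same check over an ACL provisioning list in CI catches the typo cases before any request reaches the broker.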
Diagnostic Commands
# List existing ACLs (first 20 non-empty lines)
kafka-acls.sh --bootstrap-server localhost:9092 --list | grep -v '^$' | head -20
# Look for principal type errors in the broker log
grep 'InvalidPrincipalType\|principalType' /path/to/kafka/logs/server.log | tail -10
Related APIs
This error can be returned by: CreateDelegationToken