What causes ClusterAuthorizationException?

Operation requires CLUSTER-level ACL (e.g., CREATE topics via auto-creation, describe cluster, alter configs) but principal only has topic-level ACLs Admin client attempting broker config changes or log dir reassignment without CLUSTER:ALTER or CLUSTER:ALTER_CONFIGS permission auto.create.topics.enable=true on broker but the producer/consumer principal lacks CLUSTER:CREATE permission

How do I fix ClusterAuthorizationException?

Grant cluster-level permission: kafka-acls.sh --bootstrap-server localhost:9092 --add --allow-principal User: --operation --cluster Disable auto.create.topics.enable and pre-create topics explicitly to avoid requiring cluster-level ACLs for producers/consumers Audit which operations require CLUSTER scope in the Kafka docs and scope ACLs to the minimum necessary operations

Is ClusterAuthorizationException retriable?

No — ClusterAuthorizationException is not retriable. Retrying the same call will not help; the underlying cause must be fixed first.

Kafka Exception `ClusterAuthorizationException`

org.apache.kafka.common.errors.ClusterAuthorizationException

Non-retriable Security

ClusterAuthorizationException is a Kafka exception (org.apache.kafka.common.errors.ClusterAuthorizationException).

Common Causes

Operation requires CLUSTER-level ACL (e.g., CREATE topics via auto-creation, describe cluster, alter configs) but principal only has topic-level ACLs
Admin client attempting broker config changes or log dir reassignment without CLUSTER:ALTER or CLUSTER:ALTER_CONFIGS permission
auto.create.topics.enable=true on broker but the producer/consumer principal lacks CLUSTER:CREATE permission

Solutions

Grant cluster-level permission: kafka-acls.sh --bootstrap-server localhost:9092 --add --allow-principal User:<name> --operation <op> --cluster
Disable auto.create.topics.enable and pre-create topics explicitly to avoid requiring cluster-level ACLs for producers/consumers
Audit which operations require CLUSTER scope in the Kafka docs and scope ACLs to the minimum necessary operations

Example Stack Trace

org.apache.kafka.common.errors.ClusterAuthorizationException: Cluster authorization failed.

Diagnostic Commands

# List ACLs for the resource
kafka-acls.sh --bootstrap-server localhost:9092 --list --cluster

# Look for authorization failures in logs
grep 'CLUSTER_AUTHORIZATION_FAILED\|Cluster authorization failed' /var/log/kafka/server.log | tail -20

Protocol error: CLUSTER_AUTHORIZATION_FAILED (code 31)

Hitting ClusterAuthorizationException in production? Conduktor Console gives you real-time visibility into clients, consumer groups, and broker health. Browse every Kafka exception or protocol error code.

Kafka Exception ClusterAuthorizationException

Common Causes

Solutions

Example Stack Trace

Diagnostic Commands

Related

Kafka Exception `ClusterAuthorizationException`