Kafka Exception GroupAuthorizationException
org.apache.kafka.common.errors.GroupAuthorizationException
Non-retriable
Security
GroupAuthorizationException is a Kafka exception (org.apache.kafka.common.errors.GroupAuthorizationException).
Common Causes
- Consumer group principal lacks ACL for GROUP:READ on the consumer group ID used in group.id config
- Wildcard group ACL exists for a different prefix pattern that does not match the actual group.id
- ACLs were defined on a specific group name but client is using a dynamically generated group.id (e.g., with UUID suffix)
Solutions
- Add group READ ACL: kafka-acls.sh --bootstrap-server localhost:9092 --add --allow-principal User:<name> --operation Read --group <group-id>
- Use a stable, predictable group.id in your consumer config so ACLs can be applied to it reliably
- Check for typos between the ACL resource name and the actual group.id using kafka-acls.sh --bootstrap-server localhost:9092 --list --group <group-id>
Example Stack Trace
org.apache.kafka.common.errors.GroupAuthorizationException: Group authorization failed.Diagnostic Commands
# List ACLs for the resource
kafka-acls.sh --bootstrap-server localhost:9092 --list --group <group-id>
# Look for authorization failures in logs
grep 'GROUP_AUTHORIZATION_FAILED\|group authorization' /var/log/kafka/server.log | tail -20Related
Protocol error: GROUP_AUTHORIZATION_FAILED (code 30)
Related Security exceptions: AuthenticationException · AuthorizationException · AuthorizerNotReadyException · ClusterAuthorizationException · IllegalSaslStateException · SaslAuthenticationException · SslAuthenticationException · TopicAuthorizationException
Hitting
GroupAuthorizationException in production? Conduktor Console gives you real-time visibility into clients, consumer groups, and broker health. Browse every Kafka exception or protocol error code.