Kafka Exception TopicAuthorizationException
org.apache.kafka.common.errors.TopicAuthorizationException
Non-retriable
Security
TopicAuthorizationException is a Kafka exception (org.apache.kafka.common.errors.TopicAuthorizationException).
Common Causes
- ACL missing for the principal on the target topic — neither a TOPIC:READ/WRITE nor a wildcard resource ACL exists
- Client is authenticating with a different principal than expected (wrong keystore, wrong service account, SASL misconfiguration)
- Topic was recreated or renamed but ACLs were not migrated to the new resource name
Solutions
- Grant the required ACL: kafka-acls.sh --bootstrap-server localhost:9092 --add --allow-principal User:<name> --operation Read --topic <topic>
- Verify the authenticated principal in broker logs and compare to ACL definitions; fix client credentials if mismatched
- After topic recreation, re-apply all ACLs using your ACL-as-code pipeline or manually via kafka-acls.sh
Example Stack Trace
org.apache.kafka.common.errors.TopicAuthorizationException: Topic authorization failed.Diagnostic Commands
# List ACLs for the resource
kafka-acls.sh --bootstrap-server localhost:9092 --list --topic <topic-name>
# Look for authorization failures in logs
grep 'Authorization failed\|TOPIC_AUTHORIZATION_FAILED\|principal' /var/log/kafka/server.log | grep <topic-name> | tail -20Related
Protocol error: TOPIC_AUTHORIZATION_FAILED (code 29)
Related Security exceptions: AuthenticationException · AuthorizationException · AuthorizerNotReadyException · ClusterAuthorizationException · GroupAuthorizationException · IllegalSaslStateException · SaslAuthenticationException · SslAuthenticationException
Hitting
TopicAuthorizationException in production? Conduktor Console gives you real-time visibility into clients, consumer groups, and broker health. Browse every Kafka exception or protocol error code.