Hi,

I'm trying to change the super.users config at runtime, without a broker restart.
The following command is used (I use the same approach for all brokers, but am
posting output from only one broker here so as not to overload the message):

> /opt/confluent/bin/kafka-configs --bootstrap-server localhost:9093 --command-config kafka.properties --entity-type brokers --entity-name 2 --alter --add-config 'super.users=User:kafka;'

I can see in the kafka.log it was applied successfully:

> {"short_message":"Processing override for entityPath: brokers/2 with config: HashMap(super.users -> User:kafka;)","full_message":"Processing override for entityPath: brokers/2 with config: HashMap(super.users -> User:kafka;)","timestamp":1.700571334002E9,"level":6,"facility":"logstash-gelf","LoggerName":"kafka.server.DynamicConfigManager","SourceSimpleClassName":"Logging","SourceClassName":"kafka.utils.Logging","Time":"2023-11-21 12:55:34,002","Severity":"INFO","SourceLineNumber":66,"Thread":"/config/changes-event-process-thread","SourceMethodName":"info"}

But in kafka-authorizer.log with a loglevel set to DEBUG I can still see
another user is considered as a super user:

> {"short_message":"principal = User:management is a super user, allowing operation without checking acls.","full_message":"principal = User:management is a super user, allowing operation without checking acls.","timestamp":1.700572220417E9,"level":7,"facility":"logstash-gelf","LoggerName":"kafka.authorizer.logger","SourceSimpleClassName":"AclAuthorizer","SourceClassName":"kafka.security.authorizer.AclAuthorizer","Time":"2023-11-21 13:10:20,417","Severity":"DEBUG","SourceLineNumber":493,"Thread":"data-plane-kafka-request-handler-31","SourceMethodName":"isSuperUser"}


kafka-configs seems to be showing the new config, but I suspect it's
marked as null due to sensitive=true:

> super.users=null sensitive=true synonyms={DYNAMIC_BROKER_CONFIG:super.users=null, STATIC_BROKER_CONFIG:super.users=null}


So the question is whether super.users can be upgraded at runtime at all, or
whether it's a read-only config and should be upgraded only via a cluster restart?

Thanks
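
An added example, not part of the original post: a small Python check that reads broker log lines in the JSON format quoted above and reports principals that are still granted the super-user ACL bypass after a dynamic `super.users` override that does not list them. The sample lines are constructed, the function names are hypothetical, and it assumes simple principal names without commas.

```python
import json
import re

# Constructed sample lines, modelled on the log format quoted in the post.
SAMPLE_LOG = [
    '{"short_message":"Processing override for entityPath: brokers/2 with config: '
    'HashMap(super.users -> User:kafka;)","timestamp":1.700571334002E9,'
    '"LoggerName":"kafka.server.DynamicConfigManager"}',
    '{"short_message":"principal = User:kafka is a super user, allowing operation '
    'without checking acls.","timestamp":1.7005714E9,"LoggerName":"kafka.authorizer.logger"}',
    '{"short_message":"principal = User:management is a super user, allowing operation '
    'without checking acls.","timestamp":1.700572220417E9,"LoggerName":"kafka.authorizer.logger"}',
    'not a json line',
]

# Assumption: principals contain no ',' or ')' (no X.509 DN-style names).
OVERRIDE_RE = re.compile(r"super\.users -> ([^,)]*)")
SUPER_RE = re.compile(r"principal = (\S+) is a super user")


def parse_super_users(value):
    """Split a super.users value such as 'User:a;User:b;' into a set."""
    return {p.strip() for p in value.split(";") if p.strip()}


def stale_super_users(lines):
    """Return {principal: hits} for super-user bypasses logged after an
    override whose super.users list does not contain that principal."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip lines that are not JSON records
        if isinstance(rec, dict):
            events.append((float(rec.get("timestamp", 0)),
                           str(rec.get("short_message", ""))))
    intended, stale = None, {}
    for _, msg in sorted(events):  # replay in timestamp order
        override = OVERRIDE_RE.search(msg)
        if override:
            intended = parse_super_users(override.group(1))
            continue
        hit = SUPER_RE.search(msg)
        if hit and intended is not None and hit.group(1) not in intended:
            stale[hit.group(1)] = stale.get(hit.group(1), 0) + 1
    return stale


if __name__ == "__main__":
    print(stale_super_users(SAMPLE_LOG))
```

The authorizer line is only emitted at DEBUG level, as in the post, so the check sees nothing unless `kafka.authorizer.logger` is set to DEBUG on the broker being inspected.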
