kafka-users mailing list archives

From HE Ye <Ye...@alcatel-lucent.com>
Subject RE: SASL error when trying to connect kafka to kerberos server
Date Tue, 08 Nov 2016 03:04:43 GMT

Hi,

Thanks for your cue.
But where do I configure the Kafka subject, and how do I add the Kerberos subject permission?

I searched the docs and thought about it for a few days but couldn't figure it out.

Thanks,
Ye

-----Original Message-----
From: Martin Gainty [mailto:mgainty@hotmail.com] 
Sent: Friday, November 04, 2016 8:39 PM
To: users@kafka.apache.org
Subject: Re: SASL error when trying to connect kafka to kerberos server

//server is using a JAAS-authenticated subject: determine service principal name and hostname
from kafka server's subject.


Elevated-privilege authentication is implemented through the Kafka subject, so when you establish your
Kerberos SASL server authenticator


SaslServerAuthenticator(String node, final Subject subject, KerberosShortNamer kerberosNameParser,
String host, int maxReceiveSize)


what did you set your kafka-subject to?


hint: if your subject does not have permission, it will fail auth


https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/single-signon.html


M-




________________________________
From: HE Ye <Ye.He@alcatel-lucent.com>
Sent: Friday, November 4, 2016 5:34 AM
To: users@kafka.apache.org; yassine chantit
Subject: RE: SASL error when trying to connect kafka to kerberos server


Hi,

This is my server.properties (it works fine in SSL mode):


listeners=PLAINTEXT://10.160.32.151:9092,SSL://10.160.32.151:9093,SASL_SSL://10.160.32.151:9094
ssl.keystore.location=/root/server.keystore.jks
ssl.keystore.password=test1234
ssl.key.password=test1234
ssl.truststore.location=/root/server.truststore.jks
ssl.truststore.password=test1234

security.inter.broker.protocol=SASL_SSL
sasl.mechanism.inter.broker.protocol=GSSAPI

sasl.enabled.mechanisms=GSSAPI
sasl.kerberos.service.name=kafka


Thanks,
Ye

-----Original Message-----
From: Yacine Chantit [mailto:yaschantit@yahoo.fr.INVALID]
Sent: Friday, November 04, 2016 5:21 PM
To: users@kafka.apache.org; yassine chantit <yaschantit@yahoo.fr>
Subject: Re: SASL error when trying to connect kafka to kerberos server

Are you specifying the option << -security-protocol SASL_PLAINTEXT >> in your
command as well?

> On 4 Nov 2016 at 08:56, yassine chantit <yaschantit@yahoo.fr.INVALID> wrote:
>
> Hi,
> Did you have in your jaas conf a section to configure the zookeeper client to use kerberos as well? Something like this:
>
> Client {
>     com.sun.security.auth.module.Krb5LoginModule required
>     useKeyTab=true
>     keyTab="/path/to/client/keytab"
>     storeKey=true
>     useTicketCache=true
>     principal="yourzookeeperclient";
> };
>
>
> On Friday, 4 November 2016 at 8:47, HE Ye <Ye.He@alcatel-lucent.com> wrote:
>
>
>
>
> Hello expert,
>
> I need help with the following error. I was trying to connect kafka to the kerberos server
to verify SASL. I see this error when ZkClient tries to authenticate with the zookeeper server.
In the Kerberos logs I see tickets being exchanged. I followed everything in the documentation.
Couldn't figure out why it failed.
>
> zookeeper log:
>
> [2016-11-03 09:01:01,149] INFO Accepted socket connection from /127.0.0.1:55176 (org.apache.zookeeper.server.NIOServerCnxnFactory)
> [2016-11-03 09:01:01,154] INFO Client attempting to establish new session at /127.0.0.1:55176 (org.apache.zookeeper.server.ZooKeeperServer)
> [2016-11-03 09:01:01,159] INFO Established session 0x1582a4ef33d0005 with negotiated timeout 6000 for client /127.0.0.1:55176 (org.apache.zookeeper.server.ZooKeeperServer)
> [2016-11-03 09:01:01,182] ERROR cnxn.saslServer is null: cnxn object did not initialize its saslServer properly. (org.apache.zookeeper.server.ZooKeeperServer)
> [2016-11-03 09:01:01,550] WARN caught end of stream exception (org.apache.zookeeper.server.NIOServerCnxn)
> EndOfStreamException: Unable to read additional data from client sessionid 0x1582a4ef33d0005, likely client has closed socket
>         at org.apache.zookeeper.server.NIOServerCnxn.doIO(NIOServerCnxn.java:228)
>         at org.apache.zookeeper.server.NIOServerCnxnFactory.run(NIOServerCnxnFactory.java:208)
>         at java.lang.Thread.run(Thread.java:745)
> [2016-11-03 09:01:01,551] INFO Closed socket connection for client /127.0.0.1:55176 which had sessionid 0x1582a4ef33d0005 (org.apache.zookeeper.server.NIOServerCnxn)
> [2016-11-03 09:01:09,004] INFO Expiring session 0x1582a4ef33d0005, timeout of 6000ms exceeded (org.apache.zookeeper.server.ZooKeeperServer)
> [2016-11-03 09:01:09,006] INFO Processed session termination for sessionid: 0x1582a4ef33d0005 (org.apache.zookeeper.server.PrepRequestProcessor)
>
> kafka log:
> [2016-11-03 09:01:01,118] INFO TGT valid starting at:        Thu Nov 03 09:00:54 CDT 2016 (org.apache.zookeeper.Login)
> [2016-11-03 09:01:01,119] INFO TGT expires:                  Fri Nov 04 09:00:54 CDT 2016 (org.apache.zookeeper.Login)
> [2016-11-03 09:01:01,119] INFO TGT refresh sleeping until: Fri Nov 04 04:53:02 CDT 2016 (org.apache.zookeeper.Login)
> [2016-11-03 09:01:01,151] INFO Socket connection established to localhost.localdomain/127.0.0.1:2181, initiating session (org.apache.zookeeper.ClientCnxn)
> [2016-11-03 09:01:01,161] INFO Session establishment complete on server localhost.localdomain/127.0.0.1:2181, sessionid = 0x1582a4ef33d0005, negotiated timeout = 6000 (org.apache.zookeeper.ClientCnxn)
> [2016-11-03 09:01:01,163] INFO zookeeper state changed (SyncConnected) (org.I0Itec.zkclient.ZkClient)
> [2016-11-03 09:01:01,182] ERROR SASL authentication failed using login context 'Client'. (org.apache.zookeeper.client.ZooKeeperSaslClient)
> [2016-11-03 09:01:01,183] INFO zookeeper state changed (AuthFailed) (org.I0Itec.zkclient.ZkClient)
> [2016-11-03 09:01:01,183] INFO Terminate ZkClient event thread. (org.I0Itec.zkclient.ZkEventThread)
> [2016-11-03 09:01:01,184] FATAL Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
> org.I0Itec.zkclient.exception.ZkAuthFailedException: Authentication failure
>         at org.I0Itec.zkclient.ZkClient.waitForKeeperState(ZkClient.java:946)
>         at org.I0Itec.zkclient.ZkClient.waitUntilConnected(ZkClient.java:923)
>         at org.I0Itec.zkclient.ZkClient.connect(ZkClient.java:1230)
>         at org.I0Itec.zkclient.ZkClient.<init>(ZkClient.java:156)
>         at org.I0Itec.zkclient.ZkClient.<init>(ZkClient.java:130)
>         at kafka.utils.ZkUtils$.createZkClientAndConnection(ZkUtils.scala:75)
>         at kafka.utils.ZkUtils$.apply(ZkUtils.scala:57)
>         at kafka.server.KafkaServer.initZk(KafkaServer.scala:294)
>         at kafka.server.KafkaServer.startup(KafkaServer.scala:180)
>         at kafka.server.KafkaServerStartable.startup(KafkaServerStartable.scala:37)
>         at kafka.Kafka$.main(Kafka.scala:67)
>         at kafka.Kafka.main(Kafka.scala)
> [2016-11-03 09:01:01,193] INFO shutting down (kafka.server.KafkaServer)
> [2016-11-03 09:01:01,199] INFO shut down completed (kafka.server.KafkaServer)
>
> Kerberos logs
>
> Nov 03 09:00:54 YeTarget51-0-0-1 krb5kdc[1178](info): AS_REQ (4 etypes {18 17 16 23}) 10.160.32.151: ISSUE: authtime 1478181654, etypes {rep=18 tkt=18 ses=18}, kafka/kafka1@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
> Nov 03 09:00:54 YeTarget51-0-0-1 krb5kdc[1178](info): TGS_REQ (4 etypes {18 17 16 23}) 10.160.32.151: ISSUE: authtime 1478181654, etypes {rep=18 tkt=18 ses=18}, kafka/kafka1@EXAMPLE.COM for zookeeper/localhost.localdomain@EXAMPLE.COM
>
>
> Thanks,
> Ye
>
>

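The 'Client' login context named in the Kafka log above and the 'Server' context a ZooKeeper server needs are both entries in a JAAS file; the following is an added example (not code from this thread or from Kafka itself) that parses such a file and reports which required contexts are missing or incomplete, which is the check to run before chasing tickets in the KDC log. Assumptions: the broker's JAAS file (the one passed with -Djava.security.auth.login.config) must carry a KafkaServer context for the broker's own SASL listener and a Client context for its ZooKeeper session, the ZooKeeper server's file must carry a Server context, and all principals and keytab paths in the sample are constructed placeholders.

```python
import re

# Constructed sample: the ZooKeeper-client context is misnamed 'ZkClient' (default is 'Client').
SAMPLE_BROKER_JAAS = """
KafkaServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true storeKey=true
    keyTab="/etc/security/keytabs/kafka.keytab"
    principal="kafka/kafka1@EXAMPLE.COM";
};
ZkClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    principal="kafka/kafka1@EXAMPLE.COM";
};
"""
_CONTEXT_RE = re.compile(r"(\w+)\s*\{(.*?)\};", re.S)
_OPTION_RE = re.compile(r'(\w+)\s*=\s*"?([^"\s;]*)"?')
KRB5 = "com.sun.security.auth.module.Krb5LoginModule"
# Assumed required contexts: broker = own listener + ZooKeeper session; ZooKeeper server = 'Server'.
REQUIRED = {"broker": ("KafkaServer", "Client"), "zookeeper": ("Server",)}

def parse_jaas(text):
    """Return {context: {"module": str, "flag": str, "options": {key: value}}}."""
    contexts = {}
    for name, body in _CONTEXT_RE.findall(text):
        tokens = body.split()
        if len(tokens) < 2:
            raise ValueError(f"{name}: missing login module or control flag")
        opts = dict(_OPTION_RE.findall(" ".join(tokens[2:])))
        contexts[name] = {"module": tokens[0], "flag": tokens[1], "options": opts}
    return contexts

def check_contexts(contexts, role):
    """List problems for role 'broker' or 'zookeeper'; an empty list means OK."""
    problems = []
    for name in REQUIRED[role]:
        ctx = contexts.get(name)
        if ctx is None:
            problems.append(f"missing login context '{name}'")
            continue
        opts = ctx["options"]
        if ctx["module"] != KRB5:
            problems.append(f"{name}: login module is not Krb5LoginModule")
        if opts.get("useKeyTab") == "true" and not opts.get("keyTab"):
            problems.append(f"{name}: useKeyTab=true but no keyTab given")
        if not opts.get("principal"):
            problems.append(f"{name}: no principal set")
    return problems
```

Run `check_contexts(parse_jaas(open(path).read()), "broker")` on the broker's file and `"zookeeper"` on the ZooKeeper server's file; on the sample it reports the missing 'Client' context, the same context the Kafka log says it failed to authenticate with.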
