kafka-users mailing list archives

From Christian <engr...@gmail.com>
Subject Re: Kafka SASL_PLAINTEXT and authentication/authorization backend failure
Date Thu, 19 Jan 2017 19:59:37 GMT
Thanks for the response Gerrit! It seems like authorization has the same
behavior. Have you experienced that as well?

On Thu, Jan 19, 2017 at 11:48 AM, Gerrit Jansen van Vuuren <gerritjvv@gmail.com> wrote:

> Hi,
>
> I've added Kerberos support for https://github.com/gerritjvv/kafka-fast
> and have seen that the Kafka brokers do not send any response if the SASL
> authentication is not correct or accepted, thus causing the client to hang
> while waiting for a response from Kafka.
>
> Some things that might help to debug:
>
>    - Kafka 0.9's SASL auth is incompatible with 0.10, and not using the
>      correct version will cause the Kafka client to hang.
>    - Use -Dsun.security.krb5.debug=true and
>      -Djava.security.debug=gssloginconfig,configfile,configparser,logincontext
>      to see debug info about what's going on.
>
>
> Some reading material can be found at:
> https://github.com/gerritjvv/kafka-fast/blob/master/kafka-clj/Kerberos.md
>
> And if you want to see, or need for testing, a Vagrant env with Kerberos +
> Kafka configured, see
> https://github.com/gerritjvv/kafka-fast/blob/master/kafka-clj/doc/vagrant.md
>
> On Thu, Jan 19, 2017 at 7:37 PM, Christian <engrean@gmail.com> wrote:
>
> > I have successfully gotten SASL_PLAINTEXT configured on a Kafka cluster.
> > We implemented our own LoginModule and Server with the following caveat
> > that I am guessing I am doing something wrong.
> >
> > The LoginModule's login method acquires a session id from an internal
> > security system and populates the subject with the relevant information.
> > In the server evaluateResponse we then validate that session. On success,
> > everything is great. However, when the evaluateResponse returns with a
> > failure (throws an exception), the producer client just hangs when
> > sending a message until the configured timeout occurs. Interestingly
> > enough, we see the evaluateResponse method is getting called about every
> > second until the producer client finally times out.
> >
> > We get this same behavior when using the PlainLoginModule provided with
> > Kafka after changing the password on the client side to something
> > different from the server side.
> >
> > Is this expected behavior?
> >
> > Thanks,
> > Christian
> >
>
