metron-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From nickwallen <>
Subject [GitHub] incubator-metron issue #507: METRON-819: Document kafka console producer par...
Date Fri, 07 Apr 2017 16:29:31 GMT
Github user nickwallen commented on the issue:
    I went through your instructions and all seemed well with the world.  But then I tried
to use the `kafka-console-producer` to actually write data to Kafka and it fails  Any ideas
what the problem might be?
    [metron@node1 ~]$ kinit -kt /etc/security/keytabs/metron.headless.keytab metron@EXAMPLE.COM
    [metron@node1 ~]$ echo "foo" | --broker-list node1:6667 --topic
yaf --security-protocol SASL_PLAINTEXT
    [2017-04-07 16:29:00,639] WARN The TGT cannot be renewed beyond the next expiry date:
Sat Apr 08 16:28:58 UTC 2017.This process will not be able to authenticate new SASL connections
after that time (for example, it will not be able to authenticate a new connection with a
Kafka Broker).  Ask your system administrator to either increase the 'renew until' time by
doing : 'modprinc -maxrenewlife null ' within kadmin, or instead, to generate a keytab for
null. Because the TGT's expiry cannot be further extended by refreshing, exiting refresh thread
now. (
    [2017-04-07 16:29:00,897] WARN Error while fetching metadata with correlation id 0 : {yaf=TOPIC_AUTHORIZATION_FAILED}
    [2017-04-07 16:29:00,897] ERROR Error when sending message to topic yaf with key: null,
value: 3 bytes with error: (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback)
    org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics:
    I then tried to go back and check the Kafka ACLs and am now getting an error.  I was able
to set the ACLs, but now I cannot see them.
    [metron@node1 ~]$ kinit -kt /etc/security/keytabs/metron.headless.keytab metron@EXAMPLE.COM
    [metron@node1 ~]$ --list --topic yaf --authorizer-properties zookeeper.connect=${ZOOKEEPER}:2181
    [2017-04-07 16:24:47,794] WARN Could not login: the client is being asked for a password,
but the Zookeeper client code does not currently support obtaining a password from the user.
Make sure that the client is configured to use a ticket cache (using the JAAS configuration
setting 'useTicketCache=true)' and restart the client. If you still get this message after
that, the TGT in the ticket cache has expired and must be manually refreshed. To do so, first
determine if you are using a password or a keytab. If the former, run kinit in a Unix shell
in the environment of the user who is running this Zookeeper client using the command 'kinit
<princ>' (where <princ> is the name of the client's Kerberos principal). If the
latter, do 'kinit -k -t <keytab> <princ>' (where <princ> is the name of
the Kerberos principal, and <keytab> is the location of the keytab file). After manually
refreshing your cache, restart this client. If you continue to see this message after manually
refreshing yo
 ur cache, ensure that your KDC host's clock is in sync with this host's clock. (org.apache.zookeeper.client.ZooKeeperSaslClient)
    [2017-04-07 16:24:47,796] WARN SASL configuration failed:
No password provided Will continue connection to Zookeeper server without SASL authentication,
if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
    Error while executing ACL command: Authentication failure
    org.I0Itec.zkclient.exception.ZkAuthFailedException: Authentication failure
    	at org.I0Itec.zkclient.ZkClient.waitForKeeperState(

If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at or file a JIRA ticket
with INFRA.

View raw message