metron-dev mailing list archives

From nickwallen <...@git.apache.org>
Subject [GitHub] incubator-metron issue #507: METRON-819: Document kafka console producer par...
Date Fri, 28 Apr 2017 16:55:58 GMT
Github user nickwallen commented on the issue:

    https://github.com/apache/incubator-metron/pull/507
  
    I also remember (after fighting with this for a while this morning) that if you don't have a JAAS config file defined then it won't work.  Should this be part of the docs in this PR??
    
    Without it, you just get this error.
    ```
    [root@y136 ~]# kafka-console-consumer.sh  --zookeeper y113:2181 --topic bro --security-protocol SASL_PLAINTEXT
    [2017-04-28 16:47:20,596] WARN Could not login: the client is being asked for a password, but the Zookeeper client code does not currently support obtaining a password from the user. Make sure that the client is configured to use a ticket cache (using the JAAS configuration setting 'useTicketCache=true)' and restart the client. If you still get this message after that, the TGT in the ticket cache has expired and must be manually refreshed. To do so, first determine if you are using a password or a keytab. If the former, run kinit in a Unix shell in the environment of the user who is running this Zookeeper client using the command 'kinit <princ>' (where <princ> is the name of the client's Kerberos principal). If the latter, do 'kinit -k -t <keytab> <princ>' (where <princ> is the name of the Kerberos principal, and <keytab> is the location of the keytab file). After manually refreshing your cache, restart this client. If you continue to see this message after manually refreshing your cache, ensure that your KDC host's clock is in sync with this host's clock. (org.apache.zookeeper.client.ZooKeeperSaslClient)
    [2017-04-28 16:47:20,599] WARN SASL configuration failed: javax.security.auth.login.LoginException: No password provided Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
    No brokers found in ZK.
    ```
    After doing the following, then it works for me.
    
    1. Define `~/.java.login.config` 
    
    ```
    [root@y137 ~]# cat ~/.java.login.config
    KafkaClient {
      com.sun.security.auth.module.Krb5LoginModule required
      useTicketCache=false
      useKeyTab=true
      principal="yaf/y137...@EXAMPLE.COM"
      keyTab="/etc/security/keytabs/yaf.service.keytab"
      renewTicket=true
      debug=true
      serviceName="kafka"
      storeKey=true;
    };
    ```
    
    2. Tell the JVM where to find your JAAS file.
    
    ```
    [root@y137 ~]# cat /usr/lib/jvm/java-1.8.0-openjdk/jre/lib/security/java.security | grep login
    # Class to instantiate as the javax.security.auth.login.Configuration
    login.configuration.provider=sun.security.provider.ConfigFile
    # Default login configuration file
    #login.config.url.1=file:${user.home}/.java.login.config
    login.config.url.1=file:${user.home}/.java.login.config
    ```
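
An added example, not part of the original message or the Metron project: a shell preflight for the two steps described above, reporting which one is missing before the console client is started. The helper name `check_jaas` and the keytab permission check are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original message). check_jaas is a hypothetical
# helper name. Usage: check_jaas <jaas-file> <java.security-file>
# Prints one FAIL line per problem; returns 0 only when every check passes.
check_jaas() {
  local jaas="$1" jsec="$2" rc=0 keytab perms

  if [ ! -r "$jaas" ]; then
    echo "FAIL: JAAS file $jaas is missing or unreadable"
    return 1
  fi

  # Step 1: a KafkaClient section that uses the Kerberos login module.
  grep -Eq '^[[:space:]]*KafkaClient[[:space:]]*\{' "$jaas" ||
    { echo "FAIL: no KafkaClient section in $jaas"; rc=1; }
  grep -q 'Krb5LoginModule' "$jaas" ||
    { echo "FAIL: Krb5LoginModule is not configured in $jaas"; rc=1; }

  # With useKeyTab=true the keytab named by keyTab="..." must exist. A keytab
  # holds long-term keys, so this example also flags group/other permissions
  # (an added hardening check, not something the message asks for).
  if grep -Eq 'useKeyTab[[:space:]]*=[[:space:]]*true' "$jaas"; then
    keytab=$(sed -n 's/.*keyTab[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$jaas" | head -n 1)
    if [ -z "$keytab" ] || [ ! -f "$keytab" ]; then
      echo "FAIL: keytab '${keytab}' not found"; rc=1
    else
      perms=$(ls -ld "$keytab" | cut -c5-10)
      [ "$perms" = "------" ] ||
        { echo "FAIL: keytab $keytab is accessible to group/other ($perms)"; rc=1; }
    fi
  fi

  # Step 2: java.security needs an active (uncommented) login.config.url.N line.
  grep -Eq '^[[:space:]]*login\.config\.url\.[0-9]+=' "$jsec" 2>/dev/null ||
    { echo "FAIL: no active login.config.url.N entry in $jsec"; rc=1; }

  return "$rc"
}

# Run directly with two arguments to check real files.
if [ "$#" -eq 2 ]; then
  check_jaas "$1" "$2"
fi
```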

