metron-dev mailing list archives

From Michael Miklavcic <>
Subject Re: [GitHub] incubator-metron issue #507: METRON-819: Document kafka console producer par...
Date Fri, 07 Apr 2017 16:47:26 GMT
Can you try listing and applying acls with the root user instead of metron?

On Fri, Apr 7, 2017 at 10:29 AM, nickwallen <> wrote:

> Github user nickwallen commented on the issue:
>     I went through your instructions and all seemed well with the world.
> But then I tried to use the `kafka-console-producer` to actually write data
> to Kafka and it fails. Any ideas what the problem might be?
>     ```
>     [metron@node1 ~]$ kinit -kt /etc/security/keytabs/metron.headless.keytab
> metron@EXAMPLE.COM
>     [metron@node1 ~]$ echo "foo" |
> --broker-list node1:6667 --topic yaf --security-protocol SASL_PLAINTEXT
>     [2017-04-07 16:29:00,639] WARN The TGT cannot be renewed beyond the
> next expiry date: Sat Apr 08 16:28:58 UTC 2017.This process will not be
> able to authenticate new SASL connections after that time (for example, it
> will not be able to authenticate a new connection with a Kafka Broker).
> Ask your system administrator to either increase the 'renew until' time by
> doing : 'modprinc -maxrenewlife null ' within kadmin, or instead, to
> generate a keytab for null. Because the TGT's expiry cannot be further
> extended by refreshing, exiting refresh thread now.
> (
>     [2017-04-07 16:29:00,897] WARN Error while fetching metadata with
> correlation id 0 : {yaf=TOPIC_AUTHORIZATION_FAILED}
> (org.apache.kafka.clients.NetworkClient)
>     [2017-04-07 16:29:00,897] ERROR Error when sending message to topic
> yaf with key: null, value: 3 bytes with error: (org.apache.kafka.clients.
> producer.internals.ErrorLoggingCallback)
>     org.apache.kafka.common.errors.TopicAuthorizationException: Not
> authorized to access topics: [yaf]
>     ```
>     I then tried to go back and check the Kafka ACLs and am now getting an
> error.  I was able to set the ACLs, but now I cannot see them.
>     ```
>     [metron@node1 ~]$ kinit -kt /etc/security/keytabs/metron.headless.keytab
> metron@EXAMPLE.COM
>     [metron@node1 ~]$ --list --topic yaf
> --authorizer-properties zookeeper.connect=${ZOOKEEPER}:2181
>     [2017-04-07 16:24:47,794] WARN Could not login: the client is being
> asked for a password, but the Zookeeper client code does not currently
> support obtaining a password from the user. Make sure that the client is
> configured to use a ticket cache (using the JAAS configuration setting
> 'useTicketCache=true)' and restart the client. If you still get this
> message after that, the TGT in the ticket cache has expired and must be
> manually refreshed. To do so, first determine if you are using a password
> or a keytab. If the former, run kinit in a Unix shell in the environment of
> the user who is running this Zookeeper client using the command 'kinit
> <princ>' (where <princ> is the name of the client's Kerberos principal).
> the latter, do 'kinit -k -t <keytab> <princ>' (where <princ> is the name of
> the Kerberos principal, and <keytab> is the location of the keytab file).
> After manually refreshing your cache, restart this client. If you continue
> to see this message after manually refreshing your
> cache, ensure that your KDC host's clock is in sync with this host's
> clock. (org.apache.zookeeper.client.ZooKeeperSaslClient)
>     [2017-04-07 16:24:47,796] WARN SASL configuration failed:
> No password provided Will
> continue connection to Zookeeper server without SASL authentication, if
> Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
>     Error while executing ACL command: Authentication failure
>     org.I0Itec.zkclient.exception.ZkAuthFailedException: Authentication
> failure
>         at org.I0Itec.zkclient.ZkClient.waitForKeeperState(ZkClient.
> java:946)
>     ```
> ---
> If your project is set up for it, you can reply to this email and have your
> reply appear on GitHub as well. If your project does not have this feature
> enabled and wishes so, or if the feature is enabled but not working, please
> contact infrastructure at or file a JIRA ticket
> with INFRA.
> ---
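
The two quoted sessions fail at different layers: the producer is refused authorization on topic `yaf`, while the ACL listing never gets through SASL authentication to ZooKeeper. As an added example (not part of the original thread or of the Metron project), this Python triage sorts such client log lines into those classes; the category names are chosen for this example and the sample lines are abridged from the quoted output.

```python
import re

# Constructed sample: log lines abridged from the two sessions quoted above.
SAMPLE_LOG = """\
[2017-04-07 16:29:00,639] WARN The TGT cannot be renewed beyond the next expiry date: Sat Apr 08 16:28:58 UTC 2017.
[2017-04-07 16:29:00,897] WARN Error while fetching metadata with correlation id 0 : {yaf=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [yaf]
[2017-04-07 16:24:47,794] WARN Could not login: the client is being asked for a password (org.apache.zookeeper.client.ZooKeeperSaslClient)
[2017-04-07 16:24:47,796] WARN SASL configuration failed: No password provided (org.apache.zookeeper.ClientCnxn)
org.I0Itec.zkclient.exception.ZkAuthFailedException: Authentication failure
"""

# (category, pattern) rules. Category names are labels invented for this example.
RULES = [
    # Principal was identified, but no ACL grants it access to the topic.
    ("kafka-authorization",
     re.compile(r"\{(?P<topic>[^=}]+)=TOPIC_AUTHORIZATION_FAILED\}")),
    ("kafka-authorization",
     re.compile(r"TopicAuthorizationException: .*topics: \[(?P<topic>[^\]]+)\]")),
    # The client never completed SASL login to ZooKeeper (JAAS / ticket cache issue).
    ("zookeeper-authentication",
     re.compile(r"ZkAuthFailedException|SASL configuration failed|Could not login")),
    # Warning about ticket renewal; not by itself the cause of a rejected request.
    ("ticket-lifetime", re.compile(r"TGT cannot be renewed")),
]

def triage(log_text):
    """Return {category: {"lines": n, "topics": set}} for every rule that matched."""
    findings = {}
    for line in log_text.splitlines():
        for category, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            entry = findings.setdefault(category, {"lines": 0, "topics": set()})
            entry["lines"] += 1
            topic = m.groupdict().get("topic")
            if topic:
                entry["topics"].update(t.strip() for t in topic.split(","))
            break  # first matching rule wins for a line
    return findings

if __name__ == "__main__":
    for category, entry in triage(SAMPLE_LOG).items():
        print(category, entry["lines"], sorted(entry["topics"]))
```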
