You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jira@kafka.apache.org by "lkgen (Jira)" <ji...@apache.org> on 2022/11/15 11:39:00 UTC
[jira] [Updated] (KAFKA-14390) Kafka and Zookeeper with FIPS SASL has error
[ https://issues.apache.org/jira/browse/KAFKA-14390?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
lkgen updated KAFKA-14390:
--------------------------
Language: (was: Java)
> Kafka and Zookeeper with FIPS SASL has error
> --------------------------------------------
>
> Key: KAFKA-14390
> URL: https://issues.apache.org/jira/browse/KAFKA-14390
> Project: Kafka
> Issue Type: Bug
> Components: security
> Affects Versions: 2.7.1, 3.3.1
> Reporter: lkgen
> Priority: Major
>
> When setting Zookeeper to work with SASL plain and Kafka to connect to zookeeper with SASL and Java has FIPS enabled on a FIPS enabled Redhat machine
> Kafka cannot connect with zookeeper
> Used Apache Kafka 3.3.1 for both zookeeper and client
> Operating system Redhat 8
> Java 11 installed using yum install java-11-openjdk
> set fips mode using command as root
> fips-mode-setup --enable
> rebooted machine using
> systemctl reboot
> verified fips mode with
> fips-mode-setup --check
> set JAVA_HOME to /usr/lib/jvm/jre-11
> in config/zookeeper.properties, added properties
> admin.enableServer = false
> authProvider.1 = org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> requireClientAuthScheme = sasl
> in config/server.properties, added properties
> advertised.listeners = SASL_PLAINTEXT://localhost:9092
> listeners = SASL_PLAINTEXT://:9092
> security.inter.broker.protocol = SASL_PLAINTEXT
> sasl.mechanism.inter.broker.protocol = PLAIN
> sasl.enabled.mechanisms = PLAIN
> super.users = User:admin
> $HOME/zookeeper_jaas.conf value:
> Server {
> org.apache.kafka.common.security.plain.PlainLoginModule required
> username="admin"
> password="0x572f372b5da34874a3fdf4d8002f"
> user_admin="0x572f372b5da34874a3fdf4d8002f";
> };
> $HOME/server_jaas.conf value:
> KafkaServer {
> org.apache.kafka.common.security.plain.PlainLoginModule required
> username="admin"
> password="0x572f372b5da34874a3fdf4d8002f"
> user_admin="0x572f372b5da34874a3fdf4d8002f";
> };
> Client {
> org.apache.kafka.common.security.plain.PlainLoginModule required
> username="admin"
> password="0x572f372b5da34874a3fdf4d8002f";
> };
> for zookeeper, in kafka directory ran
> setenv JAVA_HOME /usr/lib/jvm/jre-11
> setenv KAFKA_OPTS -Djava.security.auth.login.config=$HOME/zookeeper_jaas.conf
> ./bin/zookeeper-server-start.sh ./config/zookeeper.properties
> for kafka, in kafka directory ran
> setenv JAVA_HOME /usr/lib/jvm/jre-11
> setenv KAFKA_OPTS -Djava.security.auth.login.config=$HOME/server_jaas.conf
> ./bin/kafka-server-start.sh ./config/server.properties
> Kafka exits with SASL error
> [2022-11-15 13:21:04,344] ERROR SASL authentication with Zookeeper Quorum member failed. (org.apache.zookeeper.ClientCnxn)
> javax.security.sasl.SaslException: saslClient failed to initialize properly: it's null.
> at org.apache.zookeeper.client.ZooKeeperSaslClient.initialize(ZooKeeperSaslClient.java:399)
> at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1220)
> [2022-11-15 13:21:04,348] INFO EventThread shut down for session: 0x1000575ab110000 (org.apache.zookeeper.ClientCnxn)
> [2022-11-15 13:21:04,348] INFO [ZooKeeperClient Kafka server] Closing. (kafka.zookeeper.ZooKeeperClient)
> [2022-11-15 13:21:04,351] INFO [ZooKeeperClient Kafka server] Closed. (kafka.zookeeper.ZooKeeperClient)
> [2022-11-15 13:21:04,355] ERROR Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
> kafka.zookeeper.ZooKeeperClientAuthFailedException: Auth failed either before or while waiting for connection
> at kafka.zookeeper.ZooKeeperClient.waitUntilConnected(ZooKeeperClient.scala:260)
> at kafka.zookeeper.ZooKeeperClient.<init>(ZooKeeperClient.scala:108)
> at kafka.zk.KafkaZkClient$.apply(KafkaZkClient.scala:1980)
> at kafka.server.KafkaServer.initZkClient(KafkaServer.scala:503)
> at kafka.server.KafkaServer.startup(KafkaServer.scala:203)
> at kafka.Kafka$.main(Kafka.scala:109)
> at kafka.Kafka.main(Kafka.scala)
> [2022-11-15 13:21:04,356] INFO shutting down (kafka.server.KafkaServer)
> [2022-11-15 13:21:04,363] INFO App info kafka.server for 0 unregistered (org.apache.kafka.common.utils.AppInfoParser)
> [2022-11-15 13:21:04,363] INFO shut down completed (kafka.server.KafkaServer)
> [2022-11-15 13:21:04,363] ERROR Exiting Kafka due to fatal exception during startup. (kafka.Kafka$)
> kafka.zookeeper.ZooKeeperClientAuthFailedException: Auth failed either before or while waiting for connection
> at kafka.zookeeper.ZooKeeperClient.waitUntilConnected(ZooKeeperClient.scala:260)
> at kafka.zookeeper.ZooKeeperClient.<init>(ZooKeeperClient.scala:108)
> at kafka.zk.KafkaZkClient$.apply(KafkaZkClient.scala:1980)
> at kafka.server.KafkaServer.initZkClient(KafkaServer.scala:503)
> at kafka.server.KafkaServer.startup(KafkaServer.scala:203)
> at kafka.Kafka$.main(Kafka.scala:109)
> at kafka.Kafka.main(Kafka.scala)
> [2022-11-15 13:21:04,368] INFO shutting down (kafka.server.KafkaServer)
> When removing FIPS by changing the java conf/security/java.security to have
> security.useSystemPropertiesFile=false
> The problem does not happen but this property disables FIPS
--
This message was sent by Atlassian Jira
(v8.20.10#820010)