Posted to users@kafka.apache.org by Derar Alassi <de...@gmail.com> on 2016/08/08 21:08:18 UTC

Kafka ACLs CLI Auth Error

Hi all,

I have 3-node ZK and Kafka clusters. I have secured ZK with SASL. I got
the keytabs done for my brokers and they can connect to the ZK ensemble
just fine with no issues. All gravy!

Now, I am trying to set ACLs using the kafka-acls.sh CLI. Before that, I
did export the KAFKA_OPTS using the following command:

export KAFKA_OPTS="-Djava.security.auth.login.config=<path>/kafka_server_jaas.conf
-Djavax.net.debug=all -Dsun.security.krb5.debug=true -Djavax.net.debug=all
-Dsun.security.krb5.debug=true -Djava.security.krb5.conf=<path to krb
conf>/krb5.conf"

I enabled extra debugging too. The JAAS file has the following info:

KafkaServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/etc/<hostname>+kafka.keytab"
    principal="kafka/<hostname>@MY_DOMAIN";
};
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    useTicketCache=true
    storeKey=true
    keyTab="/etc/<hostname>+kafka.keytab"
    principal="kafka/<hostname>@MY_DOMAIN";
};

Note that I enabled useTicketCache in the client section.

I know that my krb5.conf file is good since the brokers are healthy and
consumer/producers are able to do their work.

Two scenarios:

1. When I enabled useTicketCache=true, I get the following error:

Aug 08, 2016 8:42:46 PM org.apache.zookeeper.ClientCnxn$SendThread startConnect
WARNING: SASL configuration failed: javax.security.auth.login.LoginException:
No key to store Will continue connection to Zookeeper server without SASL
authentication, if Zookeeper server allows it.

I execute "kinit kafka/<hostname>@<MY_DOMAIN> -k -t /etc/<hostname>+kafka.keytab"
on the same shell where I run the .sh CLI tool.
2. When I remove useTicketCache, I get the following error:

Aug 08, 2016 9:03:38 PM org.apache.zookeeper.ZooKeeper close
INFO: Session: 0x356621f18f70009 closed
Error while executing ACL command:
org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode =
NoAuth for /kafka-acl/Topic
Aug 08, 2016 9:03:38 PM org.apache.zookeeper.ClientCnxn$EventThread run
INFO: EventThread shut down
org.I0Itec.zkclient.exception.ZkException:
org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode =
NoAuth for /kafka-acl/Topic
        at org.I0Itec.zkclient.exception.ZkException.create(ZkException.java:68)


Here is the command I run to set the ACLs in all cases:
./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=<zk-host>:2181
--add --allow-principal User:Bob --producer --topic ssl-topic


I use Kafka 0.9.0.1. Note that I am using the same keytabs that my Brokers
(Kafka services) are using.


Any ideas what I am doing wrong or what I should do differently to get ACLs
set?

Thanks,
Derar

Re: Kafka ACLs CLI Auth Error

Posted by Derar Alassi <de...@gmail.com>.
Just for the record. The Kafka/ZK clusters were in a bad state that caused
this issue. I nuked the data dirs both ZK and Kafka and things work fine.
Unfortunately, I couldn't reproduce the error.

On Mon, Aug 8, 2016 at 5:10 PM, BigData dev <bi...@gmail.com> wrote:


Re: Kafka ACLs CLI Auth Error

Posted by BigData dev <bi...@gmail.com>.
Hi,
I think the JAAS config file needs to be changed.

Client {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/etc/security/keytabs/kafka.service.keytab"
   storeKey=true
   useTicketCache=false
   serviceName="zookeeper"
   principal="kafka/hostname.abc.com@abc.COM";
};


You can follow the blog, which provides complete steps for Kafka ACLs:

https://developer.ibm.com/hadoop/2016/07/20/kafka-acls/

Thanks,

Bharat

On Mon, Aug 8, 2016 at 2:08 PM, Derar Alassi <de...@gmail.com> wrote:

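As an added example (not code from the thread, from Kafka or from ZooKeeper), a small Python linter that parses a JAAS file and checks the Client section against the two observations in this thread: the original section, with useTicketCache=true next to storeKey=true, failed with "No key to store", and the suggested fix sets useTicketCache=false and serviceName="zookeeper". The two sample sections are the ones posted above; the finding texts and the check names are my own.

```python
import re

# Constructed sample: the Client section from the original post (useTicketCache=true).
ORIGINAL_JAAS = """Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    useTicketCache=true
    storeKey=true
    keyTab="/etc/<hostname>+kafka.keytab"
    principal="kafka/<hostname>@MY_DOMAIN";
};"""

# Constructed sample: the Client section from the suggested fix in the reply.
FIXED_JAAS = """Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/security/keytabs/kafka.service.keytab"
    storeKey=true
    useTicketCache=false
    serviceName="zookeeper"
    principal="kafka/hostname.abc.com@abc.COM";
};"""

SECTION_RE = re.compile(r"(\w+)\s*\{(.*?)\}\s*;", re.S)            # Name { ... };
OPTION_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s;]+))')  # key=value / key="value"

def parse_jaas(text):
    """Map each JAAS section name to its key=value options (the module line carries none)."""
    return {name: {k: quoted or bare for k, quoted, bare in OPTION_RE.findall(body)}
            for name, body in SECTION_RE.findall(text)}


def lint_client_section(text):
    """Findings for the Client section a keytab-driven CLI such as kafka-acls.sh uses
    to log in to SASL-secured ZooKeeper; an empty list means nothing to flag."""
    client = parse_jaas(text).get("Client")
    if client is None:
        return ["no Client section: the CLI cannot authenticate to ZooKeeper"]
    findings = []
    if client.get("useKeyTab") != "true" or "keyTab" not in client:
        findings.append("useKeyTab=true with a keyTab path is needed for a non-interactive login")
    if client.get("useTicketCache") == "true" and client.get("storeKey") == "true":
        findings.append("useTicketCache=true with storeKey=true: the combination that failed with "
                        "'No key to store' in the thread; set useTicketCache=false")
    if "principal" not in client:
        findings.append("principal is not set")
    if "serviceName" not in client:
        findings.append('note: serviceName is not set (the suggested fix sets serviceName="zookeeper")')
    return findings
```

Run `lint_client_section(open(path).read())` against the file named in `-Djava.security.auth.login.config` before invoking the CLI; the original section yields the useTicketCache finding and the serviceName note, the suggested fix yields nothing.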