You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by "Sergey Shevchenko (Jira)" <ji...@apache.org> on 2022/06/05 07:33:00 UTC
[jira] [Commented] (RANGER-3781) Unable to connect to Kafka instance.org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed during authentication due to invalid credentials with SASL mechanism GSSAPI
[ https://issues.apache.org/jira/browse/RANGER-3781?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17550175#comment-17550175 ]
Sergey Shevchenko commented on RANGER-3781:
-------------------------------------------
As i can see in RangerKafkaClient sources he does not know how use SSL parameters for connecting to kafka (ssl.truststore.location & ssl.truststore.password ) and have hardcoded the default Kafka-instance serviceName "kafka". But we need to use in our environment SASL_SSL/SSL instances with non default serviceNames.
Can You fix this issues in a short time?
> Unable to connect to Kafka instance.org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed during authentication due to invalid credentials with SASL mechanism GSSAPI
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: RANGER-3781
> URL: https://issues.apache.org/jira/browse/RANGER-3781
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: 3.0.0
> Environment: Centos-7 & Ubuntu-20.04
> ConfluentKafka-7.1.0
> Ranger-3.0.0-Snapshot (22 may 2022)
> Reporter: Sergey Shevchenko
> Priority: Major
> Attachments: kafka-in-rangerAdmin.JPG, kafkaConsoleConsumer.JPG
>
>
> Unable to connect to Kafka instance.org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed during authentication due to invalid credentials with SASL mechanism GSSAPI
> We cannot retrieve topics list in RangerAdmin from our SSL+kerberized Kafka instance with customized Kafka-service name. "TestConnection" from the RangerAdmin UI fails for our instance:
> [2022-06-05 10:17:54,761] INFO [SocketServer listenerType=ZK_BROKER, nodeId=1] Failed authentication with /10.120.74.248 (Authentication failed during authentication due to invalid credentials with SASL mechanism GSSAPI) (org.apache.kafka.common.network.Selector)
> !kafka-in-rangerAdmin.JPG!
> At the same time standard kafka-console consumer working good:
> kafkaServer.out (fragment):
> [2022-06-05 09:56:15,543] INFO Successfully authenticated client: authenticationID=dl-etl@SEVERSTAL.SEVERSTALGROUP.COM; authorizationID=dl-etl@SEVERSTAL.SEVERSTALGROUP.COM. (org.apache.kafka.common.security.authenticator.SaslServerCallbackHandler)
> [2022-06-05 09:56:18,744] INFO \{"repoType":9,"repo":"kafkats","reqUser":"dl-etl","evtTime":"2022-06-05 09:56:15.582","access":"consume","resource":"test","resType":"topic","action":"consume","result":1,"agent":"kafka","policy":7,"enforcer":"ranger-acl","cliIP":"10.120.74.22","reqData":"test","agentHost":"stal-dtl-109","logType":"RangerAudit","id":"cda2610d-6643-48c3-a4f8-df326c1dee9d-11","seq_num":23,"event_count":2,"event_dur_ms":75,"tags":[],"cluster_name":"","policy_version":4} (xaaudit)
> [2022-06-05 09:56:18,744] INFO \{"repoType":9,"repo":"kafkats","reqUser":"dl-etl","evtTime":"2022-06-05 09:56:15.289","access":"describe","resource":"test","resType":"topic","action":"describe","result":1,"agent":"kafka","policy":7,"enforcer":"ranger-acl","cliIP":"10.120.74.22","reqData":"test","agentHost":"stal-dtl-109","logType":"RangerAudit","id":"cda2610d-6643-48c3-a4f8-df326c1dee9d-3","seq_num":7,"event_count":3,"event_dur_ms":261,"tags":[],"cluster_name":"","policy_version":4} (xaaudit)
> [2022-06-05 09:56:18,745] INFO \{"repoType":9,"repo":"kafkats","reqUser":"dl-etl","evtTime":"2022-06-05 09:56:15.309","access":"describe","resource":"console-consumer-12414","resType":"consumergroup","action":"describe","result":1,"agent":"kafka","policy":6,"enforcer":"ranger-acl","cliIP":"10.120.74.22","reqData":"console-consumer-12414","agentHost":"stal-dtl-109","logType":"RangerAudit","id":"cda2610d-6643-48c3-a4f8-df326c1dee9d-4","seq_num":9,"event_count":2,"event_dur_ms":180,"tags":[],"cluster_name":"","policy_version":1} (xaaudit)
> [2022-06-05 09:56:18,745] INFO \{"repoType":9,"repo":"kafkats","reqUser":"dl-etl","evtTime":"2022-06-05 09:56:15.355","access":"consume","resource":"console-consumer-12414","resType":"consumergroup","action":"consume","result":1,"agent":"kafka","policy":6,"enforcer":"ranger-acl","cliIP":"10.120.74.22","reqData":"console-consumer-12414","agentHost":"stal-dtl-109","logType":"RangerAudit","id":"cda2610d-6643-48c3-a4f8-df326c1dee9d-5","seq_num":11,"event_count":3,"event_dur_ms":47,"tags":[],"cluster_name":"","policy_version":1} (xaaudit)
> [2022-06-05 09:56:21,744] INFO \{"repoType":9,"repo":"kafkats","reqUser":"dl-etl","evtTime":"2022-06-05 09:56:16.169","access":"consume","resource":"test","resType":"topic","action":"consume","result":1,"agent":"kafka","policy":7,"enforcer":"ranger-acl","cliIP":"10.120.74.22","reqData":"test","agentHost":"stal-dtl-109","logType":"RangerAudit","id":"cda2610d-6643-48c3-a4f8-df326c1dee9d-13","seq_num":27,"event_count":10,"event_dur_ms":4546,"tags":[],"cluster_name":"","policy_version":4} (xaaudit)
> [2022-06-05 09:56:21,744] INFO \{"repoType":9,"repo":"kafkats","reqUser":"dl-etl","evtTime":"2022-06-05 09:56:18.483","access":"consume","resource":"console-consumer-12414","resType":"consumergroup","action":"consume","result":1,"agent":"kafka","policy":6,"enforcer":"ranger-acl","cliIP":"10.120.74.22","reqData":"console-consumer-12414","agentHost":"stal-dtl-109","logType":"RangerAudit","id":"cda2610d-6643-48c3-a4f8-df326c1dee9d-18","seq_num":37,"event_count":1,"event_dur_ms":1,"tags":[],"cluster_name":"","policy_version":1} (xaaudit)
> !kafkaConsoleConsumer.JPG!
--
This message was sent by Atlassian Jira
(v8.20.7#820007)