Posted to users@kafka.apache.org by Manoj Murumkar <ma...@gmail.com> on 2017/10/18 20:19:32 UTC

Enabling SASL_PLAINTEXT for Kafka REST

Folks,

I am having trouble enabling the SASL_PLAINTEXT protocol for the Kafka REST
component to work with a secure cluster (that also uses the same protocol). I am
sure I am missing something trivial. If someone can help, I'd really
appreciate it.

Here're my configs:

Startup script:

cat /bin/kafka-rest-start

...
exec $(dirname $0)/kafka-rest-run-class -Djava.security.auth.login.config=/etc/kafka-rest/kafka_rest_zk_jaas.properties io.confluent.kafkarest.KafkaRestMain "$@"

[root@or1010050208015 kafka-rest]# cat /etc/kafka-rest/kafka_rest_zk_jaas.properties
/* Zookeeper authentication, since REST proxy is a client */
Client {
   org.apache.zookeeper.server.auth.DigestLoginModule required
   username="zk_admin"
   password="zk_admin_secret";
};


REST properties:

[root@or1010050208015 kafka-rest]# cat kafka-rest.properties

schema.registry.url=http://localhost:8081
zookeeper.connect=localhost:2181
bootstrap.servers=SASL_PLAINTEXT://or1010050208015:9092,SASL_PLAINTEXT://or1010050208016:9092,SASL_PLAINTEXT://or1010050208017:9092

# Kafka security
kafka.rest.resource.extension.class=io.confluent.kafkarest.security.KafkaRestSecurityResourceExtension
# The authentication mechanism for the incoming requests is determined by following - Only SSL allowed
#confluent.rest.auth.propagate.method=SSL
#ssl.client.auth=TRUE
# Principal (that is passed from Client) propagation happens via SASL
client.security.protocol=SASL_PLAINTEXT
client.sasl.jaas.config=/etc/kafka-rest/kafka_rest_jaas.properties
client.sasl.mechanism=PLAIN

Kafka REST JAAS file:

[root@or1010050208015 kafka-rest]# cat /etc/kafka-rest/kafka_rest_jaas.properties
/* Broker authentication, list all the logins that end users will use? */
KafkaClient {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  username="kafka_admin"
  password="broker_secret";
};


I enabled DEBUG in the logs and here's what I see (it's unable to talk to the
broker):


[2017-10-18 19:47:37,851] TRACE Sending METADATA {topics=[testacls],allow_auto_topic_creation=true} with correlation id 4 to node -1 (org.apache.kafka.clients.NetworkClient:389)
[2017-10-18 19:47:37,852] DEBUG Connection with or1010050208015.corp.adobe.com/10.50.208.15 disconnected (org.apache.kafka.common.network.Selector:401)
java.io.EOFException
        at org.apache.kafka.common.network.NetworkReceive.readFromReadableChannel(NetworkReceive.java:87)
        at org.apache.kafka.common.network.NetworkReceive.readFrom(NetworkReceive.java:75)
        at org.apache.kafka.common.network.KafkaChannel.receive(KafkaChannel.java:203)
        at org.apache.kafka.common.network.KafkaChannel.read(KafkaChannel.java:167)
        at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:381)
        at org.apache.kafka.common.network.Selector.poll(Selector.java:326)
        at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:433)
        at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:224)
        at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:162)
        at java.lang.Thread.run(Thread.java:748)
[2017-10-18 19:47:37,852] DEBUG Node -1 disconnected. (org.apache.kafka.clients.NetworkClient:704)