You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@kafka.apache.org by "Tyler Monahan (JIRA)" <ji...@apache.org> on 2018/09/14 21:07:00 UTC
[jira] [Created] (KAFKA-7416) kerberos credentials not being
refreshed
Tyler Monahan created KAFKA-7416:
------------------------------------
Summary: kerberos credentials not being refreshed
Key: KAFKA-7416
URL: https://issues.apache.org/jira/browse/KAFKA-7416
Project: Kafka
Issue Type: Bug
Components: security
Affects Versions: 1.1.0
Environment: ubnutu 14, aws
Reporter: Tyler Monahan
My setup uses kerberos for auth between consumers/producers/brokers in aws. When an instances goes down in aws a new one spins back up to replace the old one and reuses the old kerberos dns name and kafka id. I am running into an issue where the consumers/producers/brokers are caching the credentials for the old server and they continue to use them to login to the new server which fails since it has a different kerberos key. I have not found a way to make kafka clear out the login credentials so it can login to the new node.
I had hoped I could update the jaas config to use credentials that were not stored in java but it seems like storeKey=true is required to work so I can't do that. My other hope was that I could modify the /etc/krb5.conf config to set a low life time on the tickets but kafka doesn't seem to honor that. If there was some way to configure java to expire the stored credentials periodically that might work.
This is the error I get initially when a node dies and a new one comes up from the kafka controller which tries to connect to it. Restarting the kafka brokers causes it to no longer have this error.
{code:java}
[RequestSendThread controllerId=3] Controller 3's connection to broker int-kafka-a-1.int.skytouch.io:9092 (id: 1 rack: null) was unsuccessful (kafka.controller.RequestSendThread)
org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed due to invalid credentials with SASL mechanism GSSAPI
{code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)