Posted to dev@kafka.apache.org by "Gibson, Todd" <To...@earlywarning.com> on 2016/05/12 16:14:15 UTC

Bug in KafkaLog4jAppender Kerberos support

I apologize if this is the wrong place to report bugs...

And I'm not sure this is really a bug, just an improvement that would make my life easier.

The code below was added to the KafkaLog4jAppender in version 10.0.0 to support Kerberos.  I think the null check for clientJaasConfPath should be moved, similar to how kerb5ConfPath is handled.  The reason is that clientJaasConfPath is only used to set the java.security.auth.login.config system property, which can also be set elsewhere (JVM option, other code).  If the system property has already been set, I see no reason to require it to be specified again in the log4j properties.

        if (securityProtocol != null && securityProtocol.contains("SASL") && saslKerberosServiceName != null && clientJaasConfPath != null) {
            props.put(SASL_KERBEROS_SERVICE_NAME, saslKerberosServiceName);
            System.setProperty("java.security.auth.login.config", clientJaasConfPath);
            if (kerb5ConfPath != null) {
                System.setProperty("java.security.krb5.conf", kerb5ConfPath);
            }
        }

Was there a reason for requiring it here?

Thanks,

Todd Gibson

Re: Bug in KafkaLog4jAppender Kerberos support

Posted by Gwen Shapira <gw...@confluent.io>.
In general, https://issues.apache.org/jira/browse/KAFKA would be a
good place to report such issues.

You can also submit a solution through a github pull request:
https://github.com/apache/kafka

As far as I can see, you are correct and there is no reason to require
a configuration if you can also pass it through a system property.

Gwen

On Thu, May 12, 2016 at 9:14 AM, Gibson, Todd
<To...@earlywarning.com> wrote:
> I apologize if this is the wrong place to report bugs...
>
> And I'm not sure this is really a bug, just an improvement that would make my life easier.
>
> The code below was added to the KafkaLog4jAppender in version 10.0.0 to support Kerberos.  I think the null check for clientJaasConfPath should be moved, similar to how kerb5ConfPath is handled.  The reason is that clientJaasConfPath is only used to set the java.security.auth.login.config system property, which can also be set elsewhere (JVM option, other code).  If the system property has already been set, I see no reason to require it to be specified again in the log4j properties.
>
>         if (securityProtocol != null && securityProtocol.contains("SASL") && saslKerberosServiceName != null && clientJaasConfPath != null) {
>             props.put(SASL_KERBEROS_SERVICE_NAME, saslKerberosServiceName);
>             System.setProperty("java.security.auth.login.config", clientJaasConfPath);
>             if (kerb5ConfPath != null) {
>                 System.setProperty("java.security.krb5.conf", kerb5ConfPath);
>             }
>         }
>
> Was there a reason for requiring it here?
>
> Thanks,
>
> Todd Gibson
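
The change proposed in this thread, sketched as an added example that is not from either poster or from the Kafka code base: the null check on clientJaasConfPath moves inside the block, next to the kerb5ConfPath check. The class name JaasGuardDemo, the method configureSasl and the file paths are hypothetical, and the scenario in main is constructed.

```java
import java.util.Properties;

// Added illustration; JaasGuardDemo and configureSasl are hypothetical names,
// not part of KafkaLog4jAppender.
public class JaasGuardDemo {
    static final String SASL_KERBEROS_SERVICE_NAME = "sasl.kerberos.service.name";
    static final String JAAS_PROP = "java.security.auth.login.config";
    static final String KRB5_PROP = "java.security.krb5.conf";

    // Same inputs as the snippet quoted in the thread, with the
    // clientJaasConfPath null check moved inside the block.
    static void configureSasl(Properties props, String securityProtocol,
                              String saslKerberosServiceName,
                              String clientJaasConfPath, String kerb5ConfPath) {
        if (securityProtocol != null && securityProtocol.contains("SASL")
                && saslKerberosServiceName != null) {
            props.put(SASL_KERBEROS_SERVICE_NAME, saslKerberosServiceName);
            // Touch the JVM-wide setting only when the log4j config supplies a path.
            if (clientJaasConfPath != null) {
                System.setProperty(JAAS_PROP, clientJaasConfPath);
            }
            if (kerb5ConfPath != null) {
                System.setProperty(KRB5_PROP, kerb5ConfPath);
            }
        }
    }

    public static void main(String[] args) {
        // Constructed scenario: the JAAS config was already set elsewhere,
        // for example with -Djava.security.auth.login.config on the JVM command line.
        System.setProperty(JAAS_PROP, "/etc/example/jvm_jaas.conf");
        Properties props = new Properties();

        // No JAAS path in the log4j properties: the service name is still
        // applied and the existing system property is left untouched.
        configureSasl(props, "SASL_PLAINTEXT", "kafka", null, null);
        System.out.println(props.getProperty(SASL_KERBEROS_SERVICE_NAME));
        System.out.println(System.getProperty(JAAS_PROP));

        // A path given in the log4j properties replaces the JVM-wide value.
        configureSasl(props, "SASL_PLAINTEXT", "kafka", "/etc/example/log4j_jaas.conf", null);
        System.out.println(System.getProperty(JAAS_PROP));
    }
}
```

Because System.setProperty is process-wide, a path supplied through the log4j properties overrides whatever JAAS configuration the rest of the JVM was started with, so it is worth confirming which file is actually in effect when both are set.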