You are viewing a plain text version of this content. The canonical link for it is here.

Posted to jira@kafka.apache.org by "Wayland Goodliffe (Jira)" <ji...@apache.org> on 2021/04/29 16:18:00 UTC

[jira] [Created] (KAFKA-12732) Possible Kerberos configuration bug in mirrormaker

Wayland Goodliffe created KAFKA-12732:
-----------------------------------------

             Summary: Possible Kerberos configuration bug in mirrormaker
                 Key: KAFKA-12732
                 URL: https://issues.apache.org/jira/browse/KAFKA-12732
             Project: Kafka
          Issue Type: Bug
          Components: mirrormaker
    Affects Versions: 2.8.0, 1.0.0
            Reporter: Wayland Goodliffe


I'm fairly sure that I've found an obscure configuration bug with mirrormaker when using kerberos. Luckily there is an easy workaround.

I have tested the old mirrormaker in kafka v1.0.0, as well as mirrormaker 2 in v2.8.0 (both legacy mode and otherwise) - so I think there's a good chance this affects all versions.

The set up is as follows:
 * consumer and producer both use
 ** security.protocol=SASL_SSL
 ** sasl.mechanism=GSSAPI
 * consumer and producer are in the same realm, but have different sasl.kerberos.service.name
 ** e.g. kafka-source and kafka-target
 * you specify the service names via sasl.kerberos.service.name (rather than serviceName in the jaas.conf)
 ** either in mm2.properties source.sasl.kerberos.service.name and target.sasl.kerberos.service.name
 ** or for legacy mode in consumer.config and producer.config

Then
 * mirrormaker uses the wrong service name in the second adminclient connection when trying to validate the response ticket.
 ** note that it reports the correct values when it logs the client config, so this is likely due to some hidden issue deeper in kerberos code.
 * For example, in my case with 2.8.0, it would try to validate kafka-source/target.host@REALM instead of validating kafka-target/target.host@REALM
 * The resultant exception was 
KrbException: Server not found in Kerberos database (7) - LOOKING_UP_SERVERdue to kafka-source not being defined for target.host

Workaround
 * ensure you specify separate jaas.conf for consumer/producer via sasl.jaas.config properties (instead of via -Djava.security.auth.login.config)
 * Use the jaas.conf field serviceName to specify the correct values for the brokers.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)