You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jira@kafka.apache.org by "Manikumar (JIRA)" <ji...@apache.org> on 2018/10/04 13:44:00 UTC

[jira] [Commented] (KAFKA-7274) Incorrect subject credential used in inter-broker communication

    [ https://issues.apache.org/jira/browse/KAFKA-7274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16638241#comment-16638241 ] 

Manikumar commented on KAFKA-7274:
----------------------------------

[~rsivaram] As described in the JIRA, incase of static JAAS configuration, we are loading all login modules to each configured sasl mechanism.
This is causing authentication to fail. Any suggestions to fix this?

> Incorrect subject credential used in inter-broker communication
> ---------------------------------------------------------------
>
>                 Key: KAFKA-7274
>                 URL: https://issues.apache.org/jira/browse/KAFKA-7274
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 2.0.0
>            Reporter: TAO XIAO
>            Priority: Major
>
> We configured one broker setup to enable multiple SASL mechanisms using JAAS config file but we failed to start up the broker.
>  
> Here is security section of server.properties
>  
> {{listeners=SASL_PLAINTEXT://:9092
> security.inter.broker.protocol=SASL_PLAINTEXT
> sasl.enabled.mechanisms=PLAIN,SCRAM-SHA-256
> sasl.mechanism.inter.broker.protocol=PLAIN}}{{}}
>  
> JAAS file
>  
> {noformat}
> sasl_plaintext.KafkaServer {
>   org.apache.kafka.common.security.plain.PlainLoginModule required
>   username="admin"
>   password="admin-secret"
>   user_admin="admin-secret"
>   user_alice="alice-secret";
>   org.apache.kafka.common.security.scram.ScramLoginModule required
>   username="admin1"
>   password="admin-secret";
> };{noformat}
>  
> Exception we got
>  
> {noformat}
> [2018-08-10 12:12:13,070] ERROR [Controller id=0, targetBrokerId=0] Connection to node 0 failed authentication due to: Authentication failed: Invalid username or password (org.apache.kafka.clients.NetworkClient){noformat}
>  
> If we changed to use broker configuration property we can start broker successfully
>  
> {noformat}
> listeners=SASL_PLAINTEXT://:9092
> security.inter.broker.protocol=SASL_PLAINTEXT
> sasl.enabled.mechanisms=PLAIN,SCRAM-SHA-256
> sasl.mechanism.inter.broker.protocol=PLAIN
> listener.name.sasl_plaintext.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin-secret" user_admin="admin-secret" user_alice="alice-secret";
> listener.name.sasl_plaintext.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="admin1" password="admin-secret";{noformat}
>  
> I believe this issue is caused by Kafka assigning all login modules to each defined mechanism when using JAAS file which results in Login class to add both username defined in each login module to the same subject
> [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/JaasContext.java#L101]
>  
> [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/authenticator/LoginManager.java#L63]
>  
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)