Posted to dev@kafka.apache.org by "Gangadhar Balikai (Jira)" <ji...@apache.org> on 2019/10/30 05:54:00 UTC

[jira] [Created] (KAFKA-9114) Kafka broker fails to establish secure zookeeper connection via SSL.

Gangadhar Balikai created KAFKA-9114:
----------------------------------------

             Summary: Kafka broker fails to establish secure zookeeper connection via SSL.
                 Key: KAFKA-9114
                 URL: https://issues.apache.org/jira/browse/KAFKA-9114
             Project: Kafka
          Issue Type: Bug
          Components: core
    Affects Versions: 2.3.0, 2.3.1
            Reporter: Gangadhar Balikai


When I try to enable TLS/SSL between a Kafka broker (tried 2.3.0 and 2.3.1) and a ZooKeeper (3.5.5 and 3.5.6) cluster of 3 nodes, the Kafka broker fails with the following stack trace. I have given the stack trace and the Kafka and ZooKeeper configurations used below.

*JDK*: 1_8_0_161_64

[2019-10-30 03:52:10,036] ERROR Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
java.io.IOException: Couldn't instantiate org.apache.zookeeper.ClientCnxnSocketNetty
    at org.apache.zookeeper.ZooKeeper.getClientCnxnSocket(ZooKeeper.java:1851)
    at org.apache.zookeeper.ZooKeeper.<init>(ZooKeeper.java:453)
    at org.apache.zookeeper.ZooKeeper.<init>(ZooKeeper.java:384)
    at kafka.zookeeper.ZooKeeperClient.<init>(ZooKeeperClient.scala:103)
    at kafka.zk.KafkaZkClient$.apply(KafkaZkClient.scala:1826)
    at kafka.server.KafkaServer.createZkClient$1(KafkaServer.scala:364)
    at kafka.server.KafkaServer.initZkClient(KafkaServer.scala:387)
    at kafka.server.KafkaServer.startup(KafkaServer.scala:207)
    at kafka.server.KafkaServerStartable.startup(KafkaServerStartable.scala:38)
    at kafka.Kafka$.main(Kafka.scala:84)
    at kafka.Kafka.main(Kafka.scala)
Caused by: java.lang.NoSuchMethodException: org.apache.zookeeper.ClientCnxnSocketNetty.<init>()
    at java.lang.Class.getConstructor0(Class.java:3082)
    at java.lang.Class.getDeclaredConstructor(Class.java:2178)
    at org.apache.zookeeper.ZooKeeper.getClientCnxnSocket(ZooKeeper.java:1848)
    ... 10 more
[2019-10-30 03:52:10,039] INFO shutting down (kafka.server.KafkaServer)
[2019-10-30 03:52:10,046] INFO shut down completed (kafka.server.KafkaServer)
[2019-10-30 03:52:10,046] ERROR Exiting Kafka. (kafka.server.KafkaServerStartable)
[2019-10-30 03:52:10,048] INFO shutting down (kafka.server.KafkaServer)

STEPS.

1) I copied the following zookeeper dependencies into kafka bin.

a) kafka 2.3.0 and zookeeper 3.5.5

"zookeeper-3.5.6.jar" "zookeeper-jute-3.5.6.jar" "netty*.jar" "commons-cli-1.2.jar"

b) kafka 2.3.1 and zookeeper 3.5.6

"zookeeper-3.5.6.jar" "zookeeper-jute-3.5.6.jar" "netty-buffer-4.1.42.Final.jar" "netty-buffer-4.1.42.Final.LICENSE.txt" "netty-codec-4.1.42.Final.jar" "netty-codec-4.1.42.Final.LICENSE.txt" "netty-common-4.1.42.Final.jar" "netty-common-4.1.42.Final.LICENSE.txt" "netty-handler-4.1.42.Final.jar" "netty-handler-4.1.42.Final.LICENSE.txt" "netty-resolver-4.1.42.Final.jar" "netty-resolver-4.1.42.Final.LICENSE.txt" "netty-transport-4.1.42.Final.jar" "netty-transport-4.1.42.Final.LICENSE.txt" "netty-transport-native-epoll-4.1.42.Final.jar" "netty-transport-native-epoll-4.1.42.Final.LICENSE.txt" "netty-transport-native-unix-common-4.1.42.Final.jar" "netty-transport-native-unix-common-4.1.42.Final.LICENSE.txt" "commons-cli-1.2.jar"

*2) Configurations:* 

The *zookeeper* cluster looks good with

1) configuration *zoo.conf*. 

quorum.auth.server.loginContext=QuorumServer
quorum.auth.learner.loginContext=QuorumLearner
syncLimit=2
tickTime=2000
server.3=broker1\:2888\:3888
server.2=broker2\:2888\:3888
server.1=broker3\:2888\:3888
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
initLimit=10
secureClientPort=2281
quorum.auth.learnerRequireSasl=true
quorum.auth.enableSasl=true
quorum.auth.kerberos.servicePrincipal=servicename/_HOST
quorum.cnxn.threads.size=20
zookeeper.client.secure=true
quorum.auth.serverRequireSasl=true
zookeeper.serverCnxnFactory=org.apache.zookeeper.ClientCnxnSocketNetty
dataDir=../data/zookeeper/data/

2) with *SERVER_JVMFLAGS* set to  

-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory 
-Dzookeeper.ssl.client.auth=none -Dzookeeper.ssl.keyStore.location=/path/to/keystore/key-store.jks-Dzookeeper.ssl.keyStore.password=****
-Dzookeeper.ssl.trustStore.location=/path/to/trust/store/trust-store.jks 
-Dzookeeper.ssl.trustStore.password=****

before *zkServer.sh start*

B) *Kafka configurations.*

*Server.properties*

sasl.mechanism.inter.broker.protocol=PLAIN
socket.send.buffer.bytes=102400
default.replication.factor=2
socket.request.max.bytes=104857600
ssl.keystore.location=/path/to/key/store/key-store.jks
allow.auto.create.topics.enable=true
log.retention.check.interval.ms=300000
security.inter.broker.protocol=SASL_SSL
super.users=User\:admin
log.retention.hours=12
num.io.threads=8
sasl.enabled.mechanisms=PLAIN
broker.id=2
ssl.truststore.location=/path/to/trust/store/trust-store.jks
gds.realm.file.path=*
authorizer.class.name=CustomAuthorizer
ssl.client.auth=none
group.initial.rebalance.delay.ms=0
log.dirs=data/kafka/logs/
listeners=SASL_SSL\://domain-name\:9093
ssl.endpoint.identification.algorithm=
num.network.threads=3
socket.receive.buffer.bytes=102400
com.dresdnerkb.gdsrealm.credential=*
log.segment.bytes=1073741824
num.recovery.threads.per.data.dir=1
num.partitions=2
zookeeper.connection.timeout.ms=6000
allow.everyone.if.no.acl.found=true
zookeeper.connect=zoo1\:2281,zoo2\:2281,zoo3\:2281

2) *KAFKA_OPTS set to* 

export KAFKA_OPTS=" export KAFKA_OPTS=" -Dzookeeper.client.secure=true  -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.ssl.keyStore.location=key-store.jks  -Dzookeeper.ssl.keyStore.password=**   -Dzookeeper.ssl.trustStore.location=trustStore.jks -Dzookeeper.ssl.trustStore.password=** -Djava.security.auth.login.config=$KAFKA_JAAS_FILE_DIR/kafka-server-jaas.conf"

 

 

 


