Posted to dev@metron.apache.org by nickwallen <gi...@git.apache.org> on 2017/04/07 16:29:31 UTC

[GitHub] incubator-metron issue #507: METRON-819: Document kafka console producer par...

Github user nickwallen commented on the issue:

    https://github.com/apache/incubator-metron/pull/507
  
    I went through your instructions and all seemed well with the world.  But then I tried to use the `kafka-console-producer` to actually write data to Kafka and it fails.  Any ideas what the problem might be?
    
    ```
    [metron@node1 ~]$ kinit -kt /etc/security/keytabs/metron.headless.keytab metron@EXAMPLE.COM
    [metron@node1 ~]$ echo "foo" | kafka-console-producer.sh --broker-list node1:6667 --topic yaf --security-protocol SASL_PLAINTEXT
    [2017-04-07 16:29:00,639] WARN The TGT cannot be renewed beyond the next expiry date: Sat Apr 08 16:28:58 UTC 2017.This process will not be able to authenticate new SASL connections after that time (for example, it will not be able to authenticate a new connection with a Kafka Broker).  Ask your system administrator to either increase the 'renew until' time by doing : 'modprinc -maxrenewlife null ' within kadmin, or instead, to generate a keytab for null. Because the TGT's expiry cannot be further extended by refreshing, exiting refresh thread now. (org.apache.kafka.common.security.kerberos.KerberosLogin)
    [2017-04-07 16:29:00,897] WARN Error while fetching metadata with correlation id 0 : {yaf=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
    [2017-04-07 16:29:00,897] ERROR Error when sending message to topic yaf with key: null, value: 3 bytes with error: (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback)
    org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [yaf]
    ```
    
    I then tried to go back and check the Kafka ACLs and am now getting an error.  I was able to set the ACLs, but now I cannot see them.
    
    ```
    [metron@node1 ~]$ kinit -kt /etc/security/keytabs/metron.headless.keytab metron@EXAMPLE.COM
    [metron@node1 ~]$ kafka-acls.sh --list --topic yaf --authorizer-properties zookeeper.connect=${ZOOKEEPER}:2181
    [2017-04-07 16:24:47,794] WARN Could not login: the client is being asked for a password, but the Zookeeper client code does not currently support obtaining a password from the user. Make sure that the client is configured to use a ticket cache (using the JAAS configuration setting 'useTicketCache=true)' and restart the client. If you still get this message after that, the TGT in the ticket cache has expired and must be manually refreshed. To do so, first determine if you are using a password or a keytab. If the former, run kinit in a Unix shell in the environment of the user who is running this Zookeeper client using the command 'kinit <princ>' (where <princ> is the name of the client's Kerberos principal). If the latter, do 'kinit -k -t <keytab> <princ>' (where <princ> is the name of the Kerberos principal, and <keytab> is the location of the keytab file). After manually refreshing your cache, restart this client. If you continue to see this message after manually refreshing your cache, ensure that your KDC host's clock is in sync with this host's clock. (org.apache.zookeeper.client.ZooKeeperSaslClient)
    [2017-04-07 16:24:47,796] WARN SASL configuration failed: javax.security.auth.login.LoginException: No password provided Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
    Error while executing ACL command: Authentication failure
    org.I0Itec.zkclient.exception.ZkAuthFailedException: Authentication failure
    	at org.I0Itec.zkclient.ZkClient.waitForKeeperState(ZkClient.java:946)
    
    ```


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
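
The two failures quoted above sit at different layers: the producer is refused by a Kafka ACL check (authorization), while `kafka-acls.sh` never authenticates to ZooKeeper. The following triage script is an added example, not part of the original message or of Metron; the rule set, the `Finding` tuple and the function names are assumptions made for illustration.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line_no layer kind detail")

# "authn": the client could not prove its identity; "authz": an ACL check refused it.
RULES = [
    ("kerberos", "warning", re.compile(
        r"TGT cannot be renewed beyond the next expiry date: (?P<detail>.+?)\.\s*This process")),
    ("kafka", "authz", re.compile(r"\{(?P<detail>[^=}]+)=TOPIC_AUTHORIZATION_FAILED\}")),
    ("kafka", "authz", re.compile(
        r"TopicAuthorizationException: Not authorized to access topics: \[(?P<detail>[^\]]*)\]")),
    ("zookeeper", "authn", re.compile(r"SASL configuration failed: (?P<detail>.+?) Will continue")),
    ("zookeeper", "authn", re.compile(r"(?P<detail>ZkAuthFailedException): Authentication failure")),
]

# Constructed samples: shortened copies of the log lines quoted in the message above.
PRODUCER_LOG = """\
[2017-04-07 16:29:00,639] WARN The TGT cannot be renewed beyond the next expiry date: Sat Apr 08 16:28:58 UTC 2017.This process will not be able to authenticate new SASL connections after that time (org.apache.kafka.common.security.kerberos.KerberosLogin)
[2017-04-07 16:29:00,897] WARN Error while fetching metadata with correlation id 0 : {yaf=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [yaf]
"""
ACLS_LOG = """\
[2017-04-07 16:24:47,796] WARN SASL configuration failed: javax.security.auth.login.LoginException: No password provided Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
org.I0Itec.zkclient.exception.ZkAuthFailedException: Authentication failure
"""

def triage(log_text):
    """Return one Finding per log line that matches a rule (first matching rule wins)."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for layer, kind, pattern in RULES:
            match = pattern.search(line)
            if match:
                findings.append(Finding(line_no, layer, kind, match.group("detail")))
                break
    return findings

def failing_layers(findings):
    """Map each layer to the kinds of hard failure seen there; warnings are skipped."""
    layers = {}
    for f in findings:
        if f.kind != "warning":
            layers.setdefault(f.layer, set()).add(f.kind)
    return layers

if __name__ == "__main__":
    for name, log in (("producer", PRODUCER_LOG), ("kafka-acls", ACLS_LOG)):
        print(name, failing_layers(triage(log)))
```
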

Re: [GitHub] incubator-metron issue #507: METRON-819: Document kafka console producer par...

Posted by Michael Miklavcic <mi...@gmail.com>.
Can you try listing and applying acls with the root user instead of metron?

On Fri, Apr 7, 2017 at 10:29 AM, nickwallen <gi...@git.apache.org> wrote:

> Github user nickwallen commented on the issue:
>
>     https://github.com/apache/incubator-metron/pull/507
>
>     I went through your instructions and all seemed well with the world.
> But then I tried to use the `kafka-console-producer` to actually write data
> to Kafka and it fails.  Any ideas what the problem might be?
>
>     ```
>     [metron@node1 ~]$ kinit -kt /etc/security/keytabs/metron.headless.keytab
> metron@EXAMPLE.COM
>     [metron@node1 ~]$ echo "foo" | kafka-console-producer.sh
> --broker-list node1:6667 --topic yaf --security-protocol SASL_PLAINTEXT
>     [2017-04-07 16:29:00,639] WARN The TGT cannot be renewed beyond the
> next expiry date: Sat Apr 08 16:28:58 UTC 2017.This process will not be
> able to authenticate new SASL connections after that time (for example, it
> will not be able to authenticate a new connection with a Kafka Broker).
> Ask your system administrator to either increase the 'renew until' time by
> doing : 'modprinc -maxrenewlife null ' within kadmin, or instead, to
> generate a keytab for null. Because the TGT's expiry cannot be further
> extended by refreshing, exiting refresh thread now.
> (org.apache.kafka.common.security.kerberos.KerberosLogin)
>     [2017-04-07 16:29:00,897] WARN Error while fetching metadata with
> correlation id 0 : {yaf=TOPIC_AUTHORIZATION_FAILED}
> (org.apache.kafka.clients.NetworkClient)
>     [2017-04-07 16:29:00,897] ERROR Error when sending message to topic
> yaf with key: null, value: 3 bytes with error: (org.apache.kafka.clients.
> producer.internals.ErrorLoggingCallback)
>     org.apache.kafka.common.errors.TopicAuthorizationException: Not
> authorized to access topics: [yaf]
>     ```
>
>     I then tried to go back and check the Kafka ACLs and am now getting an
> error.  I was able to set the ACLs, but now I cannot see them.
>
>     ```
>     [metron@node1 ~]$ kinit -kt /etc/security/keytabs/metron.headless.keytab
> metron@EXAMPLE.COM
>     [metron@node1 ~]$ kafka-acls.sh --list --topic yaf
> --authorizer-properties zookeeper.connect=${ZOOKEEPER}:2181
>     [2017-04-07 16:24:47,794] WARN Could not login: the client is being
> asked for a password, but the Zookeeper client code does not currently
> support obtaining a password from the user. Make sure that the client is
> configured to use a ticket cache (using the JAAS configuration setting
> 'useTicketCache=true)' and restart the client. If you still get this
> message after that, the TGT in the ticket cache has expired and must be
> manually refreshed. To do so, first determine if you are using a password
> or a keytab. If the former, run kinit in a Unix shell in the environment of
> the user who is running this Zookeeper client using the command 'kinit
> <princ>' (where <princ> is the name of the client's Kerberos principal). If
> the latter, do 'kinit -k -t <keytab> <princ>' (where <princ> is the name of
> the Kerberos principal, and <keytab> is the location of the keytab file).
> After manually refreshing your cache, restart this client. If you continue
> to see this message after manually refreshing your cache, ensure that your
> KDC host's clock is in sync with this host's
> clock. (org.apache.zookeeper.client.ZooKeeperSaslClient)
>     [2017-04-07 16:24:47,796] WARN SASL configuration failed:
> javax.security.auth.login.LoginException: No password provided Will
> continue connection to Zookeeper server without SASL authentication, if
> Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
>     Error while executing ACL command: Authentication failure
>     org.I0Itec.zkclient.exception.ZkAuthFailedException: Authentication
> failure
>         at org.I0Itec.zkclient.ZkClient.waitForKeeperState(ZkClient.
> java:946)
>
>     ```
>
>