You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@kafka.apache.org by "Manikumar (JIRA)" <ji...@apache.org> on 2017/09/22 11:37:04 UTC
[jira] [Resolved] (KAFKA-5015) SASL/SCRAM authentication failures
are hidden
[ https://issues.apache.org/jira/browse/KAFKA-5015?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Manikumar resolved KAFKA-5015.
------------------------------
Resolution: Duplicate
Resolving as duplicate of KAFKA-4764
> SASL/SCRAM authentication failures are hidden
> ---------------------------------------------
>
> Key: KAFKA-5015
> URL: https://issues.apache.org/jira/browse/KAFKA-5015
> Project: Kafka
> Issue Type: Improvement
> Components: core
> Affects Versions: 0.10.2.0
> Reporter: Johan Ström
>
> During experimentation with multiple brokers and SCRAM authentication, the brokers didn't seem to connect properly.
> Apparently the receiving server does not log connection failures (and their cause) unless you enable DEBUG logging on org.apache.kafka.common.network.Selector.
> Expected: that the rejected connections is logged (without stack trace) without having to enable DEBUG.
> (The root cause of my problem was that I hadn't yet added the user to the Zk-backed SCRAM configuration)
> The controller flooded controller.log with WARNs:
> {code}
> [2017-04-05 15:33:42,850] WARN [Controller-1-to-broker-1-send-thread], Controller 1's connection to broker kafka02:9093 (id: 1 rack: null) was unsuccessful (kafka.controller.RequestSendThread)
> java.io.IOException: Connection to kafka02:9093 (id: 1 rack: null) failed
> {code}
> The peer does not log anything in any log, until debugging was enabled:
> {code}
> [2017-04-05 15:28:58,373] DEBUG Accepted connection from /10.10.0.5:43670 on /10.10.0.6:9093 and assigned it to processor 4, sendBufferSize [actual|requested]: [102400|102400] recvBufferSize [actual|requested]: [102400|102400] (kafka.network.Acceptor)
> [2017-04-05 15:28:58,374] DEBUG Processor 4 listening to new connection from /10.10.0.5:43670 (kafka.network.Processor)
> [2017-04-05 15:28:58,376] DEBUG Set SASL server state to HANDSHAKE_REQUEST (org.apache.kafka.common.security.authenticator.SaslServerAuthenticator)
> [2017-04-05 15:28:58,376] DEBUG Handle Kafka request SASL_HANDSHAKE (org.apache.kafka.common.security.authenticator.SaslServerAuthenticator)
> [2017-04-05 15:28:58,378] DEBUG Using SASL mechanism 'SCRAM-SHA-512' provided by client (org.apache.kafka.common.security.authenticator.SaslServerAuthenticator)
> [2017-04-05 15:28:58,381] DEBUG Setting SASL/SCRAM_SHA_512 server state to RECEIVE_CLIENT_FIRST_MESSAGE (org.apache.kafka.common.security.scram.ScramSaslServer)
> [2017-04-05 15:28:58,381] DEBUG Set SASL server state to AUTHENTICATE (org.apache.kafka.common.security.authenticator.SaslServerAuthenticator)
> [2017-04-05 15:28:58,383] DEBUG Setting SASL/SCRAM_SHA_512 server state to FAILED (org.apache.kafka.common.security.scram.ScramSaslServer)
> [2017-04-05 15:28:58,383] DEBUG Set SASL server state to FAILED (org.apache.kafka.common.security.authenticator.SaslServerAuthenticator)
> [2017-04-05 15:28:58,385] DEBUG Connection with /10.10.0.5 disconnected (org.apache.kafka.common.network.Selector)
> java.io.IOException: javax.security.sasl.SaslException: Authentication failed: Credentials could not be obtained [Caused by javax.security.sasl.SaslException: Authentication failed: Invalid user credentials]
> at org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.authenticate(SaslServerAuthenticator.java:250)
> at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:71)
> at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:350)
> at org.apache.kafka.common.network.Selector.poll(Selector.java:303)
> at kafka.network.Processor.poll(SocketServer.scala:494)
> at kafka.network.Processor.run(SocketServer.scala:432)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.security.sasl.SaslException: Authentication failed: Credentials could not be obtained [Caused by javax.security.sasl.SaslException: Authentication failed: Invalid user credentials]
> at org.apache.kafka.common.security.scram.ScramSaslServer.evaluateResponse(ScramSaslServer.java:104)
> at org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.authenticate(SaslServerAuthenticator.java:235)
> ... 6 more
> Caused by: javax.security.sasl.SaslException: Authentication failed: Invalid user credentials
> at org.apache.kafka.common.security.scram.ScramSaslServer.evaluateResponse(ScramSaslServer.java:94)
> ... 7 more
> {code}
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)