Posted to users@kafka.apache.org by Christian <en...@gmail.com> on 2017/01/07 14:54:05 UTC
Problem connecting to ZooKeeper with Kafka SASL enabled
Hi,
I'm trying to set up SASL_PLAINTEXT authentication between the
producer/consumer clients and the Kafka brokers only. I am not too worried
about the broker to broker SASL nor do I want Kafka Broker to ZooKeeper
SASL Authentication. I would prefer to just require authentication for the
clients to Kafka and that's it.
The problem I am having is that when I turn on SASL, my broker to zk
connection times out.
Initiating client connection, connectString=ZK1:2181,ZK2:2181,ZK3:2181 sessionTimeout=40000 watcher=io.confluent.admin.utils.ZookeeperConnectionWatcher@5a2e4553
Opening socket connection to server ZK1:2181
Socket connection established to ZK1:2181, initiating session
Session establishment complete on server ZK1:2181 sessionid = 0x15976c66b690106, negotiated timeout = 40000
Timed out waiting for connection to Zookeeper server [ZK1:2181,ZK2:2181,ZK3:2181].
Session: 0x15976c66b690106 closed
EventThread shut down
I am using Kafka 0.10.1.0 and ZooKeeper 3.4.9
The following are the settings I have for SASL:
KAFKA_OPTS="-Djava.security.auth.login.config=/var/lib/kafka/config/kafka_server_jaas.conf -Dzookeeper.sasl.client=false"
inter.broker.protocol=SASL_PLAINTEXT
sasl.enabled.mechanisms=PLAIN
Kafka.listeners=SASL_PLAINTEXT://0.0.0.0:92
My kafka_server_jaas.conf file looks like the following:
KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret"
user_admin="admin-secret"
user_alice="alice-secret";
};
Do you have any suggestions? I have tried many combinations. Without
setting zookeeper.sasl.client=false, I get a SASL error that says I
need to define the Client portion of the jaas config file to talk with
ZooKeeper. Setting it to false gives me this timeout, but only when I
also set the -Djava.security.auth... property.
I know, I'm missing a small thing.
Thanks,
Christian
Re: Problem connecting to ZooKeeper with Kafka SASL enabled
Posted by Christian <en...@gmail.com>.
I figured it out. I am using Confluent 3.1.1's docker images. There is a
file in
https://github.com/confluentinc/cp-docker-images/blob/master/debian/base/include/cub
which looks for an environment variable of "ZOOKEEPER_SASL_ENABLED" which
defaults to true if using jaas. I simply set that var to false and I got
past the problem.
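An added example, not part of the thread and not Kafka's or Confluent's code: a Python pre-flight check that models the two separate switches discussed above, the JVM property -Dzookeeper.sasl.client and the image's ZOOKEEPER_SASL_ENABLED variable, and reports when they disagree or when the JAAS file has no Client section. The function names and finding codes are hypothetical, the sample input is constructed from the settings quoted in the post, and the ZOOKEEPER_SASL_ENABLED default is modelled as the reply describes it.

```python
import re

# Constructed sample: the settings quoted in the post.
POST_JAAS = '''KafkaServer {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  username="admin"
  password="admin-secret"
  user_admin="admin-secret"
  user_alice="alice-secret";
};'''
POST_OPTS = ("-Djava.security.auth.login.config=/var/lib/kafka/config/kafka_server_jaas.conf "
             "-Dzookeeper.sasl.client=false")

def jvm_props(opts):
    """Extract -Dkey=value JVM system properties from a KAFKA_OPTS string."""
    return dict(re.findall(r"-D([^=\s]+)=(\S+)", opts))

def jaas_sections(text):
    """Names of the top-level sections (e.g. KafkaServer, Client) in a JAAS file."""
    return set(re.findall(r"^\s*(\w+)\s*\{", text, re.M))

def is_on(value):
    return value.strip().lower() != "false"

def diagnose(env, jaas_text):
    """Return {finding_code: explanation} for broker-to-ZooKeeper SASL settings."""
    props = jvm_props(env.get("KAFKA_OPTS", ""))
    uses_jaas = "java.security.auth.login.config" in props
    has_client = uses_jaas and "Client" in jaas_sections(jaas_text)
    # ZooKeeper client property; SASL is attempted unless it is set to false.
    broker_sasl = uses_jaas and is_on(props.get("zookeeper.sasl.client", "true"))
    # Assumption taken from the reply: the image's startup check reads
    # ZOOKEEPER_SASL_ENABLED and treats it as true whenever JAAS is in use.
    check_sasl = is_on(env.get("ZOOKEEPER_SASL_ENABLED", "true" if uses_jaas else "false"))
    findings = {}
    if broker_sasl and not has_client:
        findings["broker_needs_client_section"] = (
            "broker will try SASL to ZooKeeper but the JAAS file has no Client section")
    if check_sasl and not has_client:
        findings["startup_check_needs_client_section"] = (
            "startup check expects ZooKeeper SASL; add a Client section or set "
            "ZOOKEEPER_SASL_ENABLED=false")
    if check_sasl != broker_sasl:
        findings["settings_disagree"] = (
            "ZOOKEEPER_SASL_ENABLED and -Dzookeeper.sasl.client do not agree")
    return findings

if __name__ == "__main__":
    for env in ({"KAFKA_OPTS": POST_OPTS},
                {"KAFKA_OPTS": POST_OPTS, "ZOOKEEPER_SASL_ENABLED": "false"}):
        print(sorted(diagnose(env, POST_JAAS)) or "consistent")
```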