Kafka / KAFKA-12732

Possible Kerberos configuration bug in mirrormaker



    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 1.0.0, 2.8.0
    • Fix Version/s: None
    • Component/s: mirrormaker
    • Labels: None


      I'm fairly sure that I've found an obscure configuration bug with mirrormaker when using Kerberos. Luckily there is an easy workaround.

      I have tested the old mirrormaker in kafka v1.0.0, as well as mirrormaker 2 in v2.8.0 (both legacy mode and otherwise) - so I think there's a good chance this affects all versions.

      The setup is as follows:

      • consumer and producer both use
        • security.protocol=SASL_SSL
        • sasl.mechanism=GSSAPI
      • consumer and producer are in the same realm, but have different sasl.kerberos.service.name
        • e.g. kafka-source and kafka-target
      • you specify the service names via sasl.kerberos.service.name (rather than serviceName in the jaas.conf)
        • either in mm2.properties source.sasl.kerberos.service.name and target.sasl.kerberos.service.name
        • or for legacy mode in consumer.config and producer.config


      • mirrormaker uses the wrong service name in the second adminclient connection when trying to validate the response ticket.
        • note that it reports the correct values when it logs the client config, so this is likely due to some hidden issue deeper in Kerberos code.
      • For example, in my case with 2.8.0, it would try to validate kafka-source/target.host@REALM instead of validating kafka-target/target.host@REALM
      • The resultant exception was 
        KrbException: Server not found in Kerberos database (7) - LOOKING_UP_SERVER
        • due to kafka-source not being defined for target.host


      • ensure you specify separate jaas.conf for consumer/producer via sasl.jaas.config properties (instead of via -Djava.security.auth.login.config)
      • Use the jaas.conf field serviceName to specify the correct values for the brokers.




      Assignee: Unassigned
      Reporter: Wayland Goodliffe
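
A lint check for the setup described in this report, added here as an example (it is not part of the original issue or of the Kafka project's code): it flags clusters in an mm2.properties that use GSSAPI with differing service names set via sasl.kerberos.service.name rather than via serviceName in a per-cluster sasl.jaas.config. The two sample files, the keytab path, the principal and the function names are constructed for illustration, and the check assumes the mechanism is set explicitly per cluster alias.

```python
import re

# Constructed mm2.properties in the shape the report describes as affected.
AFFECTED = """\
clusters = source, target
source.security.protocol = SASL_SSL
source.sasl.mechanism = GSSAPI
source.sasl.kerberos.service.name = kafka-source
target.security.protocol = SASL_SSL
target.sasl.mechanism = GSSAPI
target.sasl.kerberos.service.name = kafka-target
"""

# Constructed workaround form; keytab path and principal are placeholders.
JAAS = ('com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true '
        'keyTab="/path/to/mm.keytab" principal="mm@REALM" serviceName="{}";')
WORKAROUND = f"""\
clusters = source, target
source.security.protocol = SASL_SSL
source.sasl.mechanism = GSSAPI
source.sasl.jaas.config = {JAAS.format('kafka-source')}
target.security.protocol = SASL_SSL
target.sasl.mechanism = GSSAPI
target.sasl.jaas.config = {JAAS.format('kafka-target')}
"""

def parse(text):
    """Minimal key=value parser (no line continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def clusters_needing_workaround(text):
    """Return GSSAPI cluster aliases that rely on sasl.kerberos.service.name
    while the clusters' service names differ (the reported setup)."""
    props = parse(text)
    aliases = [a.strip() for a in props.get("clusters", "").split(",") if a.strip()]
    names, flagged = {}, []
    for a in aliases:
        if props.get(f"{a}.sasl.mechanism") != "GSSAPI":
            continue
        m = re.search(r'serviceName="?([^";\s]+)', props.get(f"{a}.sasl.jaas.config", ""))
        names[a] = m.group(1) if m else props.get(f"{a}.sasl.kerberos.service.name")
        if not m:
            flagged.append(a)
    return sorted(flagged) if len(set(names.values())) > 1 else []
```
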