KAFKA-4411

broker don't have access to kafka zookeeper nodes


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Not A Problem
    • Affects Version/s: 0.9.0.1
    • Fix Version/s: None
    • Component/s: admin, config
    • Environment: Red Hat Enterprise Linux Server release 7.0, Java 1.8.0_66-b17, Kafka 0.9.0.1
    • Flags: Important

    Description

      I have 2 Kafka servers configured to start with Kafka security. I try to start the Kafka servers with the JAAS below:

      server 1:
      KafkaServer {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      storeKey=true
      keyTab="/opt/kafka/config/kafka.keytab"
      principal="kafka/kafka1.test.net@TEST.NET";
      };

      // ZooKeeper client authentication
      Client {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      storeKey=true
      keyTab="/opt/kafka/config/kafka.keytab"
      principal="kafka/kafka1.test.net@TEST.NET";
      };

      server 2:
      KafkaServer {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      storeKey=true
      keyTab="/opt/kafka/config/kafka.keytab"
      principal="kafka/kafka2.test.net@TEST.NET";
      };

      // ZooKeeper client authentication
      Client {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      storeKey=true
      keyTab="/opt/kafka/config/kafka.keytab"
      principal="kafka/kafka2.test.net@TEST.NET";
      };

      The problem:

      When I start Kafka server 1 all is fine, but when I try to start the second server I have an issue because it doesn't have access to the ZooKeeper node (/brokers) for Kafka. The whole ZooKeeper path /brokers is blocked by the first server, so the second server doesn't have the right to write in this path.

      The ACL of /brokers is the FQDN of the first server; normally it should be open for all, with a closed ACL only on the path /brokers/ids/1. In that case the second server can write in /brokers and close /brokers/ids/2 for itself.

      I found a solution, but I am not sure that it is the right solution: I created a new Kafka Kerberos user, so for all servers I use the same user:

      Server1
      KafkaServer {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      storeKey=true
      keyTab="/opt/kafka/config/kafka.keytab"
      principal="kafka/kafka1.test.net@TEST.NET";
      };

      // ZooKeeper client authentication
      Client {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      storeKey=true
      keyTab="/opt/kafka/config/kafkaZk.keytab"
      principal="kafka/kafkaZk.test.net@TEST.NET";
      };
      ________________________________________
      Server2
      KafkaServer {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      storeKey=true
      keyTab="/opt/kafka/config/kafka.keytab"
      principal="kafka/kafka2.test.net@TEST.NET";
      };

      // ZooKeeper client authentication
      Client {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      storeKey=true
      keyTab="/opt/kafka/config/kafkaZk.keytab"
      principal="kafka/kafkaZk.test.net@TEST.NET";
      };

      Can you help me or clarify to me how I can use Kafka security correctly?!
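The behaviour described in this report follows from how a Kafka broker protects its znodes when ZooKeeper SASL is on: the ACL it sets on paths such as /brokers grants full access to the authenticated principal that created the znode and read-only access to everyone else, so a second broker that logs in to ZooKeeper as a different Kerberos principal can read /brokers but cannot create its own child under /brokers/ids. The workaround in the report (one shared principal for the Client login context on every broker) is therefore the expected configuration. The Python script below is an added example, not code from the report or from the Kafka project: it parses each broker's JAAS file, pulls the principal out of the Client login context (the name Kafka's ZooKeeper client uses by default) and refuses a deployment in which the brokers would log in to ZooKeeper under different principals. The two broker configurations it checks are constructed from the JAAS fragments posted above; the hostnames and keytab paths are the ones in the report.

```python
"""Pre-flight check: every broker's JAAS 'Client' context must use the same
ZooKeeper principal, otherwise the first broker to start owns /brokers.

Added example for KAFKA-4411; not Kafka project code. Sample JAAS texts below
are constructed from the fragments posted in the report.
"""
import re
from typing import Dict, Tuple

# One JAAS login context:  Name { <LoginModule> <flag> key=value ... ; };
# Tolerates the brace or the trailing ';' sitting on their own lines.
_SECTION_RE = re.compile(r"(\w+)\s*\{(.*?)\}\s*;", re.DOTALL)
# One option inside a context: key="quoted value" or key=bare_value
_OPTION_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s;]+))')


def strip_comments(text: str) -> str:
    """Drop // line comments, which JAAS files allow."""
    return re.sub(r"//[^\n]*", "", text)


def parse_jaas(text: str) -> Dict[str, Dict[str, str]]:
    """Return {login_context: {option: value}} for a JAAS configuration string."""
    contexts: Dict[str, Dict[str, str]] = {}
    for name, body in _SECTION_RE.findall(strip_comments(text)):
        contexts[name] = {
            key: quoted if quoted else bare
            for key, quoted, bare in _OPTION_RE.findall(body)
        }
    return contexts


def zookeeper_principals(jaas_by_broker: Dict[str, str]) -> Dict[str, str]:
    """Map broker -> principal in its 'Client' context (the ZooKeeper SASL login)."""
    principals: Dict[str, str] = {}
    for broker, text in jaas_by_broker.items():
        client = parse_jaas(text).get("Client", {})
        if "principal" not in client:
            raise ValueError(f"{broker}: no Client context with a principal")
        principals[broker] = client["principal"]
    return principals


def check_shared_zk_principal(jaas_by_broker: Dict[str, str]) -> Tuple[bool, str]:
    """Return (ok, message). ok is False when the brokers would authenticate to
    ZooKeeper as different principals, i.e. the znode ACLs written by the first
    broker would lock the others out of /brokers."""
    principals = zookeeper_principals(jaas_by_broker)
    distinct = sorted(set(principals.values()))
    if len(distinct) == 1:
        return True, f"all brokers use ZooKeeper principal {distinct[0]}"
    detail = ", ".join(f"{b}={p}" for b, p in sorted(principals.items()))
    return False, f"{len(distinct)} different ZooKeeper principals: {detail}"


def _jaas(server_principal: str, zk_principal: str, zk_keytab: str) -> str:
    """Build one broker's JAAS text (constructed sample input, not a real deployment)."""
    return f'''
KafkaServer {{
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab="/opt/kafka/config/kafka.keytab"
  principal="{server_principal}";
}};

// ZooKeeper client authentication
Client {{
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab="{zk_keytab}"
  principal="{zk_principal}";
}};
'''


# First layout in the report: each broker logs in to ZooKeeper as its own host principal.
PER_HOST_ZK_PRINCIPALS = {
    "kafka1": _jaas("kafka/kafka1.test.net@TEST.NET", "kafka/kafka1.test.net@TEST.NET", "/opt/kafka/config/kafka.keytab"),
    "kafka2": _jaas("kafka/kafka2.test.net@TEST.NET", "kafka/kafka2.test.net@TEST.NET", "/opt/kafka/config/kafka.keytab"),
}
# Second layout in the report: a single shared principal for the ZooKeeper login.
SHARED_ZK_PRINCIPAL = {
    "kafka1": _jaas("kafka/kafka1.test.net@TEST.NET", "kafka/kafkaZk.test.net@TEST.NET", "/opt/kafka/config/kafkaZk.keytab"),
    "kafka2": _jaas("kafka/kafka2.test.net@TEST.NET", "kafka/kafkaZk.test.net@TEST.NET", "/opt/kafka/config/kafkaZk.keytab"),
}

if __name__ == "__main__":
    for label, cfg in (("per-host", PER_HOST_ZK_PRINCIPALS), ("shared", SHARED_ZK_PRINCIPAL)):
        ok, msg = check_shared_zk_principal(cfg)
        print(f"{label}: {'OK' if ok else 'FAIL'} - {msg}")
```

The KafkaServer context is deliberately left per-host: only the ZooKeeper login has to be shared, and each broker keeps its own principal for client and inter-broker authentication. If a deployment renames the ZooKeeper login context (the ZooKeeper client allows that through its own system property), the lookup of "Client" in zookeeper_principals has to be changed to match.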


          People

            Assignee: Unassigned
            Reporter: Mohammed amine GARMES (magarmes)
            Ismael Juma
            Votes: 0
            Watchers: 3


              Time Tracking

                Original Estimate: 12h
                Remaining Estimate: 12h
                Time Spent: Not Specified