Details
Description
I have 2 Kafka servers configured to start with Kafka security. I try to start the Kafka servers with the JAAS below:
server 1:
KafkaServer {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab="/opt/kafka/config/kafka.keytab"
  principal="kafka/kafka1.test.net@TEST.NET";
};
// ZooKeeper client authentication
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab="/opt/kafka/config/kafka.keytab"
  principal="kafka/kafka1.test.net@TEST.NET";
};
server 2:
KafkaServer {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab="/opt/kafka/config/kafka.keytab"
  principal="kafka/kafka2.test.net@TEST.NET";
};
// ZooKeeper client authentication
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab="/opt/kafka/config/kafka.keytab"
  principal="kafka/kafka2.test.net@TEST.NET";
};
The problem:
When I start Kafka server 1 all is fine, but when I try to start the second server I have an issue because it doesn't have access to the ZooKeeper node (/brokers) for Kafka. The whole ZooKeeper path /brokers is blocked by the first server, so the second server doesn't have the right access to write in this path.
The ACL of /brokers is the FQDN of the first server; normally it should be open for all and the ACL of the path /broker/ids/1 closed. In this case the second server can write in /brokers and close /brokers/ids/2 for itself.
I found a solution but I am not sure that it is the right solution: I created a new Kafka Kerberos user, so for all servers I use the same user:
Server1:
KafkaServer {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab="/opt/kafka/config/kafka.keytab"
  principal="kafka/kafka1.test.net@TEST.NET";
};
// ZooKeeper client authentication
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab="/opt/kafka/config/kafkaZk.keytab"
  principal="kafka/kafkaZk.test.net@TEST.NET";
};
________________________________________
Server2:
KafkaServer {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab="/opt/kafka/config/kafka.keytab"
  principal="kafka/kafka2.test.net@TEST.NET";
};
// ZooKeeper client authentication
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab="/opt/kafka/config/kafkaZk.keytab"
  principal="kafka/kafkaZk.test.net@TEST.NET";
};
Can you help me or clarify to me how I can use Kafka security correctly?!
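The following is an added example, not code from the issue or from Kafka/ZooKeeper: it models how ZooKeeper turns an authenticated Kerberos principal into the `sasl:<name>` id it stores in a znode ACL, and checks which broker principals that ACL lets write under /brokers. It assumes ZooKeeper's `kerberos.removeHostFromPrincipal` and `kerberos.removeRealmFromPrincipal` server properties (which strip the host and realm parts before the id is compared); the ACL entries are constructed to mirror what `getAcl /brokers` would show.

```python
import re

# Kerberos principal: primary[/host][@REALM]
PRINCIPAL_RE = re.compile(r'^(?P<primary>[^/@]+)(?:/(?P<host>[^@]+))?(?:@(?P<realm>.+))?$')


def sasl_acl_id(principal, remove_host=False, remove_realm=False):
    """Return the 'sasl:<name>' id ZooKeeper records for an authenticated principal.

    With both remove_* flags False (ZooKeeper default) the full principal is kept,
    so every broker host gets its own distinct id."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError(f"not a Kerberos principal: {principal!r}")
    name = m.group('primary')
    if m.group('host') and not remove_host:
        name += '/' + m.group('host')
    if m.group('realm') and not remove_realm:
        name += '@' + m.group('realm')
    return 'sasl:' + name


def can_write(acl_entries, principal, **flags):
    """acl_entries: list of (id, perms) pairs as printed by `getAcl`, e.g. ('sasl:kafka', 'cdrwa').
    A principal may write if an entry with 'w' matches its sasl id or is world:anyone."""
    me = sasl_acl_id(principal, **flags)
    return any('w' in perms and acl_id in ('world:anyone', me)
               for acl_id, perms in acl_entries)


def demo():
    broker1 = 'kafka/kafka1.test.net@TEST.NET'
    broker2 = 'kafka/kafka2.test.net@TEST.NET'
    # Constructed: /brokers ACL after broker 1 created it with default ZooKeeper settings.
    acl_default = [(sasl_acl_id(broker1), 'cdrwa'), ('world:anyone', 'r')]
    # Same znode when ZooKeeper strips host and realm: both brokers collapse to 'sasl:kafka'.
    norm = dict(remove_host=True, remove_realm=True)
    acl_normalised = [(sasl_acl_id(broker1, **norm), 'cdrwa'), ('world:anyone', 'r')]
    return {
        'default_broker2_can_write': can_write(acl_default, broker2),          # False
        'normalised_broker2_can_write': can_write(acl_normalised, broker2, **norm),  # True
        'normalised_id': sasl_acl_id(broker2, **norm),                          # 'sasl:kafka'
    }


if __name__ == '__main__':
    print(demo())
```

The same check explains why the shared `kafka/kafkaZk.test.net@TEST.NET` Client principal works: every broker then presents an identical sasl id, at the cost of one keytab shared by all hosts.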