Uploaded image for project: 'Kafka'
  1. Kafka
  2. KAFKA-6198

kerberos login fails

    XMLWordPrintableJSON

Details

    • Test
    • Status: Resolved
    • Minor
    • Resolution: Fixed
    • 0.11.0.1
    • None
    • clients
    • None
    • raspberrypi

    Description

      I got very far with setting up kerberos on the raspberry pi as part of self study.

      I believe that the kafka server is happy with kerberos:

      [2017-11-10 12:17:51,659] INFO Successfully authenticated client: authenticationID=kafka/pi99.dev.ibm.com@DEV.IBM.COM; authorizationID=kafka/pi99.dev.ibm.com@DEV.IBM.COM. (org.apache.kafka.common.security.authenticator.SaslServerCallbackHandler)
      [2017-11-10 12:17:51,661] INFO Setting authorizedID: kafka (org.apache.kafka.common.security.authenticator.SaslServerCallbackHandler)

      I have setup the kafka.security.auth.SimpleAclAuthorizer

      And granted the following access:

      Current ACLs for resource `Topic:kerberos-topic`:
      User:producer has Allow permission for operations: Describe from hosts: *
      User:producer has Allow permission for operations: Write from hosts: *
      User:producer@DEV.IBM.COM has Allow permission for operations: Describe from hosts: *
      User:producer@DEV.IBM.COM has Allow permission for operations: Write from hosts: *

      When I start the client, then I see it getting the kerberos ticket:

      [main] INFO org.apache.kafka.common.security.authenticator.AbstractLogin - Successfully logged in.
      [kafka-kerberos-refresh-thread-producer@DEV.IBM.COM] INFO org.apache.kafka.common.security.kerberos.KerberosLogin - [Principal=producer@DEV.IBM.COM]: TGT refresh thread started.
      [kafka-kerberos-refresh-thread-producer@DEV.IBM.COM] INFO org.apache.kafka.common.security.kerberos.KerberosLogin - [Principal=producer@DEV.IBM.COM]: TGT valid starting at: Fri Nov 10 12:50:11 CET 2017
      [kafka-kerberos-refresh-thread-producer@DEV.IBM.COM] INFO org.apache.kafka.common.security.kerberos.KerberosLogin - [Principal=producer@DEV.IBM.COM]: TGT expires: Fri Nov 10 22:50:11 CET 2017
      [kafka-kerberos-refresh-thread-producer@DEV.IBM.COM] INFO org.apache.kafka.common.security.kerberos.KerberosLogin - [Principal=producer@DEV.IBM.COM]: TGT refresh sleeping until: Fri Nov 10 21:13:37 CET 2017

      But the client fails to login:

      [kafka-producer-network-thread | producer-1] WARN org.apache.kafka.clients.NetworkClient - Connection to node -1 terminated during authentication. This may indicate that authentication failed due to invalid credentials.

      I do not see any warnings in the logs, so I do not have much to go on.

      What can I do to get my finger behind this issue?

      Thank you,

      Ronald - the NOOB

      Attachments

        Activity

          People

            Unassigned Unassigned
            Ronald van de Kuil Ronald van de Kuil
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: