learner

Reputation: 1982

Transient Kerberos authentication failure with Kafka client application

I am using the latest version of Kafka and am transiently facing an issue connecting my consumer/producer (console) clients to the Kafka broker over SASL_PLAINTEXT.

This is my JAAS configuration file:

    KafkaClient {
       com.sun.security.auth.module.Krb5LoginModule required
       useTicketCache=true;
    };

Here are the Java properties I am passing:

    -Djavax.security.auth.useSubjectCredsOnly=false
    -Dsecurity.protocol=SASL_PLAINTEXT
    -Dsasl.kerberos.service.name=HTTP
    -Dsasl.mechanism=GSSAPI

And this is the exception I am getting:

    Caused by: org.apache.kafka.common.KafkaException: javax.security.auth.login.LoginException: Could not login: the client is being asked for a password, but the Kafka client code does not currently support obtaining a password from the user. not available to garner  authentication information from the user
            at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:127)
            at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:140)
            at org.apache.kafka.common.network.ChannelBuilders.clientChannelBuilder(ChannelBuilders.java:65)
            at org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:88)
            at org.apache.kafka.clients.consumer.KafkaConsumer.<init>(KafkaConsumer.java:710)
            ... 33 more
    Caused by: javax.security.auth.login.LoginException: Could not login: the client is being asked for a password, but the Kafka client code does not currently support obtaining a password from the user. not available to garner  authentication information from the user
            at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:940)

Can somebody please help here?

Upvotes: 1

Views: 12299

Answers (2)

Pubudu Sitinamaluwa

Reputation: 978

I would like to suggest a few options:

  1. List all the principals in the currently cached keytab and check if they are correct.

  2. If you are trying to make any change to a topic using any principal other than KAFKA, that operation will fail. Set -Dsasl.kerberos.service.name=kafka

  3. Try setting

    export KAFKA_OPTS="-Djava.security.auth.login.config=/path/to/jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf -Dsun.security.krb5.debug=true"

  4. If you are using console producer/consumer, you need to provide producer configuration/consumer configuration. Configure the following properties in producer.properties or consumer.properties.

    security.protocol=SASL_PLAINTEXT (or SASL_SSL)
    sasl.mechanism=GSSAPI (or PLAIN)

    Use the following command for the console consumer:

    kafka-console-consumer --bootstrap-server host:9092 --consumer.config /path/to/consumer.properties --topic Topic

Hope this would help :)

Upvotes: 0

Gery

Reputation: 649

Principal and keytab are missing in your JAAS file.

See https://kafka.apache.org/documentation/#security_sasl_kerberos

Upvotes: 0
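A check for the point raised in the last answer, added here as an example and not part of the original thread: it parses a JAAS file and reports which keytab-login options the KafkaClient section lacks, run on the question's section and on a keytab-based variant. The keytab path, the principal and the function names are placeholders chosen for this example; with only useTicketCache=true the login depends on a valid ticket being in the cache, and Krb5LoginModule falls back to the password prompt seen in the stack trace when there is none.

```python
import re

# JAAS section copied from the question: ticket cache only.
FROM_QUESTION = """
KafkaClient {
   com.sun.security.auth.module.Krb5LoginModule required
   useTicketCache=true;
};
"""
# Constructed keytab-based variant; path and principal are placeholders.
WITH_KEYTAB = """
KafkaClient {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   storeKey=true
   keyTab="/path/to/client.keytab"
   principal="client@EXAMPLE.COM";
};
"""

TOKEN = re.compile(r'"[^"]*"|[{};=]|[^\s{};="]+')

def parse_jaas(text):
    """Parse JAAS text (comments unsupported) into {section: [(module, flag, opts)]}."""
    toks, i, sections = TOKEN.findall(text), 0, {}
    while i < len(toks):
        name, entries = toks[i], []
        i += 2                                  # section name and "{"
        while toks[i] != "}":
            module, flag, opts = toks[i], toks[i + 1], {}
            i += 2
            while toks[i] != ";":               # option = value
                opts[toks[i]] = toks[i + 2].strip('"')
                i += 3
            i += 1                              # ";" ending the entry
            entries.append((module, flag, opts))
        i += 2                                  # "}" and ";"
        sections[name] = entries
    return sections

def missing_keytab_options(text, section="KafkaClient"):
    """Keytab-login options absent from the section's Krb5LoginModule entries."""
    missing = []
    for module, _flag, opts in parse_jaas(text).get(section, []):
        if module.endswith("Krb5LoginModule"):
            if opts.get("useKeyTab", "").lower() != "true":
                missing.append("useKeyTab")
            missing += [k for k in ("keyTab", "principal") if k not in opts]
    return missing
```

An empty list means the section can log in from the keytab without a ticket in the cache.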
