James Hutchinson

Reputation: 881

KafkaClient section not being picked up in jaas.conf

I am attempting to use Kerberos authentication with KafkaConsumer.

To that end I have added the following properties.

    props.put("security.protocol", "SASL_PLAINTEXT"); // Setting this means we try to look in jaas.conf
    props.put("sasl.kerberos.service.name", "kafka");

However, I am getting an error saying:

    java.lang.IllegalArgumentException: Could not find a 'KafkaClient' entry in the JAAS configuration. System property 'java.security.auth.login.config' is /Users/jhutc/projects/molly/Monitor-Lizard-API/out/production/resources/hive_config/local/jaas.conf

Full error:

    Caused by: org.apache.kafka.common.KafkaException: Failed to construct kafka consumer
        at org.apache.kafka.clients.consumer.KafkaConsumer.<init>(KafkaConsumer.java:799) ~[kafka-clients-2.0.0.jar:?]
        at org.apache.kafka.clients.consumer.KafkaConsumer.<init>(KafkaConsumer.java:615) ~[kafka-clients-2.0.0.jar:?]
        at org.apache.kafka.clients.consumer.KafkaConsumer.<init>(KafkaConsumer.java:596) ~[kafka-clients-2.0.0.jar:?]
        at com.xxx.xx.moli.data.KafkaDataHelper.getConsumer(KafkaDataHelper.java:293) ~[classes/:?]
        ... 53 more
    Caused by: java.lang.IllegalArgumentException: Could not find a 'KafkaClient' entry in the JAAS configuration. System property 'java.security.auth.login.config' is /Users/jhutc/projects/molly/Monitor-Lizard-API/out/production/resources/hive_config/local/jaas.conf
        at org.apache.kafka.common.security.JaasContext.defaultContext(JaasContext.java:133) ~[kafka-clients-2.0.0.jar:?]
        at org.apache.kafka.common.security.JaasContext.load(JaasContext.java:98) ~[kafka-clients-2.0.0.jar:?]
        at org.apache.kafka.common.security.JaasContext.loadClientContext(JaasContext.java:84) ~[kafka-clients-2.0.0.jar:?]
        at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:119) ~[kafka-clients-2.0.0.jar:?]
        at org.apache.kafka.common.network.ChannelBuilders.clientChannelBuilder(ChannelBuilders.java:65) ~[kafka-clients-2.0.0.jar:?]
        at org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:88) ~[kafka-clients-2.0.0.jar:?]
        at org.apache.kafka.clients.consumer.KafkaConsumer.<init>(KafkaConsumer.java:713) ~[kafka-clients-2.0.0.jar:?]
        at org.apache.kafka.clients.consumer.KafkaConsumer.<init>(KafkaConsumer.java:615) ~[kafka-clients-2.0.0.jar:?]
        at org.apache.kafka.clients.consumer.KafkaConsumer.<init>(KafkaConsumer.java:596) ~[kafka-clients-2.0.0.jar:?]
        at com.xxx.xx.moli.data.KafkaDataHelper.getConsumer(KafkaDataHelper.java:293) ~[classes/:?]
        ... 53 more

My jaas.conf looks like this:

    KafkaClient {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        storeKey=true
        keyTab="src/main/resources/hive_config/local/jhutc.keytab"
        principal="[email protected]"
    };

    com.sun.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        storeKey=true
        keyTab="src/main/resources/hive_config/local/jhutc.keytab"
        principal="[email protected]"
        debug=true;
    };

Can anyone explain why I'm getting my error, and the KafkaClient section isn't being picked up?

(Incidentally, the second part of the jaas.conf file is being picked up correctly for a different part of the application.)

Upvotes: 0

Views: 7965

Answers (1)

Mickael Maison

Reputation: 26885

The exact syntax of the JAAS file can be tricky to get right. You need semicolons after each LoginModule item as well as after each block. So you may be missing a semicolon after principal="[email protected]" in the KafkaClient block.

However, since Kafka 0.10.2, it's easier to use the sasl.jaas.config setting to configure a client to use SASL.

The documentation has a section on how to configure it: http://kafka.apache.org/documentation/#security_sasl_kerberos_clientconfig

For example:

    props.put("sasl.jaas.config", "com.sun.security.auth.module.Krb5LoginModule required " +
        "useKeyTab=true " +
        "storeKey=true " +
        "keyTab=\"src/main/resources/hive_config/local/jhutc.keytab\" " +
        "principal=\"[email protected]\";");

Upvotes: 1
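
A way to test a JAAS file outside the Kafka client, as an added example that is not part of the answer above: it loads two variants of a `KafkaClient` block through the JDK's standard `JavaLoginConfig` parser and prints, for each, whether the file parses and whether the entry is found. The class name `JaasCheck`, the keytab path and the principal are placeholders chosen for this example.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.URIParameter;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

public class JaasCheck {
    // Parse the file with the JDK's standard "JavaLoginConfig" parser and
    // describe what it finds under entryName.
    static String check(Path file, String entryName) {
        try {
            Configuration cfg = Configuration.getInstance(
                    "JavaLoginConfig", new URIParameter(file.toUri()));
            AppConfigurationEntry[] entries = cfg.getAppConfigurationEntry(entryName);
            if (entries == null || entries.length == 0) {
                return "parsed, but no '" + entryName + "' entry";
            }
            StringBuilder sb = new StringBuilder("found '" + entryName + "':");
            for (AppConfigurationEntry e : entries) {
                sb.append(' ').append(e.getLoginModuleName())
                  .append(" options=").append(e.getOptions().keySet());
            }
            return sb.toString();
        } catch (Exception e) {
            // A file the parser rejects ends up here; report the innermost cause.
            Throwable root = e;
            while (root.getCause() != null) root = root.getCause();
            return "not parsed: " + root;
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample input; keytab path and principal are placeholders.
        String item = "  com.sun.security.auth.module.Krb5LoginModule required\n"
                + "  useKeyTab=true\n  storeKey=true\n"
                + "  keyTab=\"/path/to/client.keytab\"\n"
                + "  principal=\"client@EXAMPLE.COM\"";
        String[] variants = {
            "KafkaClient {\n" + item + "\n};\n",  // no ';' after the LoginModule item
            "KafkaClient {\n" + item + ";\n};\n"  // ';' after the item and after the block
        };
        for (String text : variants) {
            Path f = Files.createTempFile("jaas", ".conf");
            Files.write(f, text.getBytes(StandardCharsets.UTF_8));
            System.out.println(check(f, "KafkaClient"));
            Files.delete(f);
        }
    }
}
```

Calling `check` on the path named in `java.security.auth.login.config` shows what the JVM's parser actually reads from that file, independent of the Kafka client.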
