I am trying to run a single kafka server using SASL and GSSAPI with plaintext but getting below error.
[2018-10-03 16:08:54,220] ERROR [Controller id=0, targetBrokerId=0] Connection to node 0 failed authentication due to: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided]) occurred when evaluating SASL token received from the Kafka Broker. Kafka Client will go to AUTHENTICATION_FAILED state. (org.apache.kafka.clients.NetworkClient)
in server.properties changes are:
listeners=SASL_PLAINTEXT://kafka.example.com:9095
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=GSSAPI
advertised.listeners=SASL_PLAINTEXT://kafka.example.com:9095
sasl.enabled.mechanism=GSSAPI
sasl.kerberos.service.name=HTTP
Here is my jaas config:
KafkaServer {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
useTicketCache=true
storeKey=true
keyTab="/home/kafka/kafka_server.keytab"
principal="HTTP/kafka.example.com@UNIX.EXAMPLE.COM";
};
Any leads on how to resolve this?
First of all, Either use KeyTab (useKeyTab=true) or use TicketCache (useTicketCache=true). Do not use both at once. This may lead to conflicts.
If you have your own Kerb, create a principle for kafka
sudo /usr/sbin/kadmin.local -q 'addprinc -randkey kafka/{hostname}@{REALM}' sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{keytabname}.keytab kafka/{hostname}@{REALM}"
use
sasl.kerberos.service.name="kafka"
Set JVM parameters
export KAFKA_OPTS="-Djava.security.auth.login.config=/path/to/jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf -Dsun.security.krb5.debug=true"
Hope this would help.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.