Kafka SASL_PLAINTEXT with GSSAPI for kerberos

Question

I am trying to run a single kafka server using SASL and GSSAPI with plaintext but getting below error.

[2018-10-03 16:08:54,220] ERROR [Controller id=0, targetBrokerId=0] Connection to node 0 failed authentication due to: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided]) occurred when evaluating SASL token received from the Kafka Broker. Kafka Client will go to AUTHENTICATION_FAILED state. (org.apache.kafka.clients.NetworkClient)

in server.properties changes are:

listeners=SASL_PLAINTEXT://kafka.example.com:9095
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=GSSAPI
advertised.listeners=SASL_PLAINTEXT://kafka.example.com:9095
sasl.enabled.mechanism=GSSAPI
sasl.kerberos.service.name=HTTP

Here is my jaas config:

KafkaServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    useTicketCache=true
    storeKey=true
    keyTab="/home/kafka/kafka_server.keytab"
    principal="HTTP/kafka.example.com@UNIX.EXAMPLE.COM";
};

Any leads on how to resolve this?

Answer 1

First of all, Either use KeyTab (useKeyTab=true) or use TicketCache (useTicketCache=true). Do not use both at once. This may lead to conflicts.

If you have your own Kerb, create a principle for kafka

sudo /usr/sbin/kadmin.local -q 'addprinc -randkey kafka/{hostname}@{REALM}' sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{keytabname}.keytab kafka/{hostname}@{REALM}"

use

sasl.kerberos.service.name="kafka"

Set JVM parameters

export KAFKA_OPTS="-Djava.security.auth.login.config=/path/to/jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf -Dsun.security.krb5.debug=true"

Hope this would help.