堆栈内存溢出
  繁体   English   中英

启用Kerberos“ SASL身份验证失败”后无法启动Kafka

[英]Failed to start Kafka after enabling Kerberos “SASL authentication failed”

 原文  2019-02-23 14:29:10       apache-kafka/ apache-zookeeper/ kerberos/ sasl

问题描述

Kafka版本:kafka_2.1.1(二进制)

启用Kerberos时, 严格遵循官方文档( https://kafka.apache.org/documentation/#security_sasl_kerberos )。

启动Kafka时,出现以下错误: 

[2019-02-23 08:55:44,622] ERROR SASL authentication failed using login context 'Client' with exception: {} (org.apache.zookeeper.client.ZooKeeperSaslClient)
javax.security.sasl.SaslException: Error in authenticating with a Zookeeper Quorum member: the quorum member's saslToken is null.
    at org.apache.zookeeper.client.ZooKeeperSaslClient.createSaslToken(ZooKeeperSaslClient.java:279)
    at org.apache.zookeeper.client.ZooKeeperSaslClient.respondToServer(ZooKeeperSaslClient.java:242)
    at org.apache.zookeeper.ClientCnxn$SendThread.readResponse(ClientCnxn.java:805)
    at org.apache.zookeeper.ClientCnxnSocketNIO.doIO(ClientCnxnSocketNIO.java:94)
    at org.apache.zookeeper.ClientCnxnSocketNIO.doTransport(ClientCnxnSocketNIO.java:366)
    at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1145)
[2019-02-23 08:55:44,625] ERROR [ZooKeeperClient] Auth failed. (kafka.zookeeper.ZooKeeperClient)
[2019-02-23 08:55:44,746] ERROR Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)

我几乎使用默认的krb5.conf。 

includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
  kdc = localhost
  admin_server = localhost
 }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM

我传递给Kafka的jaas文件如下: 

KafkaServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/etc/security/keytabs/localhost.keytab"
    principal="kafka/localhost@EXAMPLE.COM";
};

// Zookeeper client authentication
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab="/etc/security/keytabs/localhost.keytab"
principal="kafka/localhost@EXAMPLE.COM";
};

我还将ENV设置如下: 

"-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/etc/kafka/kafka_server_jaas.conf -Dzookeeper.sasl.client.username=kafka"

我在Google上搜索了很多帖子,但没有任何进展。 我猜问题可能是在Kerberos中创建条目时使用的“ localhost”。 但是我不太确定如何解决。 我的目标是设置本地Kafka + Kerberos测试环境。

1 个解决方案

解决方案1
 0  2019-06-04 18:37:50

In our case, the krb5 kerberos_config file wasn't read properly. if you're using keytab thru' yml then it'd need to be removed first. This was with IBM JDK though and had to use the following to set System.setProperty("java.security.auth.login.config", JaasConfigFileLocation);

KafkaClient {
com.ibm.security.auth.module.Krb5LoginModule required
useDefaultKeytab=false
credsType=both
principal="xkafka@xxx.NET"
useKeytab="/opt/apps/xxxr/my.keytab";
};

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 kafka SASL/SCRAM 身份验证失败 启用Zookeeper验证后无法启动代理 KAFKA:连接到节点的身份验证失败,原因是:由于使用 SASL 机制 SCRAM-SHA-256 的凭据无效,身份验证失败 使用登录上下文“客户端”的SASL身份验证失败 为什么我收到 Kafka 错误无法初始化 SASL 身份验证:使用 Node.js 客户端进行消息中心服务时 SASL 握手失败? Kafka SASL 动物园管理员身份验证 Kafka Connect 启动失败 无法使用 SASL_PLAINTEXT 身份验证启动 Kafka 服务器 获取 'INFO [SocketServer brokerId=___] 使用 /server_ip 的身份验证失败(SASL 握手期间出现 METADATA 类型的意外 Kafka 请求)' Kafka SASL_PLAINTEXT和用于Gerberos的GSSAPI
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM