[英]Kafka SaslAuthenticationException Occuring on Ad-hoc basis for SASL_SSL Protocol
我正在运行一些java 8 Kafka应用程序,其中一些是Kafka流,其他是普通的生产者/消费者。
对于它们中的每一个,都没有功能问题,它们在大多数情况下运行良好。
但是,对于他们中的每一个,我都会遇到SaslAuthenticationException的特殊情况。 由于它们每两周左右发生一次,我不确定如何复制/推断根本原因:
错误:
Failed to create channel due to
org.apache.kafka.common.errors.SaslAuthenticationException: Failed to configure SaslClientAuthenticator
Caused by: org.apache.kafka.common.KafkaException: Principal could not be determined from Subject, this may be a transient failure due to Kerberos re-login
堆栈跟踪:
Failed to create channel due to
org.apache.kafka.common.errors.SaslAuthenticationException: Failed to configure SaslClientAuthenticator
Caused by: org.apache.kafka.common.KafkaException: Principal could not be determined from Subject, this may be a transient failure due to Kerberos re-login
at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.firstPrincipal(SaslClientAuthenticator.java:441) ~[kafka-clients-2.0.1.jar!/:na]
at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.<init>(SaslClientAuthenticator.java:135) ~[kafka-clients-2.0.1.jar!/:na]
at org.apache.kafka.common.network.SaslChannelBuilder.buildClientAuthenticator(SaslChannelBuilder.java:244) ~[kafka-clients-2.0.1.jar!/:na]
at org.apache.kafka.common.network.SaslChannelBuilder.buildChannel(SaslChannelBuilder.java:194) ~[kafka-clients-2.0.1.jar!/:na]
at org.apache.kafka.common.network.Selector.buildAndAttachKafkaChannel(Selector.java:289) [kafka-clients-2.0.1.jar!/:na]
at org.apache.kafka.common.network.Selector.registerChannel(Selector.java:280) [kafka-clients-2.0.1.jar!/:na]
at org.apache.kafka.common.network.Selector.connect(Selector.java:215) [kafka-clients-2.0.1.jar!/:na]
at org.apache.kafka.clients.NetworkClient.initiateConnect(NetworkClient.java:864) [kafka-clients-2.0.1.jar!/:na]
at org.apache.kafka.clients.NetworkClient.access$700(NetworkClient.java:64) [kafka-clients-2.0.1.jar!/:na]
at org.apache.kafka.clients.NetworkClient$DefaultMetadataUpdater.maybeUpdate(NetworkClient.java:1035) [kafka-clients-2.0.1.jar!/:na]
at org.apache.kafka.clients.NetworkClient$DefaultMetadataUpdater.maybeUpdate(NetworkClient.java:920) [kafka-clients-2.0.1.jar!/:na]
at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:508) [kafka-clients-2.0.1.jar!/:na]
这就是我向Kafka提供JAAS Kerberos身份验证的方法(在我的配置文件中,我提供了诸如kdc,realm,keytab,principal之类的信息):
@Value("${kafka.sasl.kerberos.kdc}")
private String kdc;
@Value("${kafka.sasl.kerberos.realm}")
private String realm;
@Value("${kafka.sasl.kerberos.keytab}")
private Resource keytab;
@Value("${kafka.sasl.kerberos.principal}")
private String principal;
@Bean
public InMemoryConfiguration kafkaOpts() throws IOException {
System.setProperty("java.security.krb5.kdc", kdc);
System.setProperty("java.security.krb5.realm", realm);
Map<String, Object> options = new HashMap<>();
options.put("keyTab", copyResourceToTempFile(keytab, ".keytab").toString());
options.put("principal", principal);
options.put("useKeyTab","true");
options.put("storeKey","true");
AppConfigurationEntry kafkaClientConfig = new AppConfigurationEntry(
"com.sun.security.auth.module.Krb5LoginModule", LoginModuleControlFlag.REQUIRED, options);
Map<String, AppConfigurationEntry[]> jaasConfigEntries = new HashMap<>();
jaasConfigEntries.put("KafkaClient", new AppConfigurationEntry[] {kafkaClientConfig});
InMemoryConfiguration jaasConfig = new InMemoryConfiguration(jaasConfigEntries);
javax.security.auth.login.Configuration.setConfiguration(jaasConfig);
return jaasConfig;
}
public static Path copyResourceToTempFile(Resource resource, String extension) {
try (InputStream in = resource.getInputStream()) {
Path tempFile = Files.createTempFile("spring-boot-", extension);
Files.copy(in, tempFile, StandardCopyOption.REPLACE_EXISTING);
return tempFile;
} catch (IOException e) {
log.error("Error creating resource to file",e);
return null;
}
}
我们也面临同样的问题。 在与kafka连接后,突然我们松开连接和应用程序重试登录但它失败了。 但我们使用以下配置更新jaas auth配置文件:
com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
这对我来说非常有用。
如何在Java中使用sasl机制PLAIN和安全协议SASL_SSL配置kafka使用者?
[英]How to configure kafka consumer with sasl mechanism PLAIN and with security protocol SASL_SSL in java?
使用 SASL_SSL / PLAIN 连接时出现 Kafka AdminClient 错误
[英]Kafka AdminClient error when connecting using SASL_SSL / PLAIN
如何使用 SASL_SSL 连接 Apache Kafka 设置 Spring Cloud Kafka 项目?
[英]How can I setup Spring Cloud Kafka project with SASL_SSL connect Apache Kafka?
SASL_SSL 安全协议如何工作? 客户端是否验证服务器(X.509 证书)?
[英]How does SASL_SSL security protocol work? Does client verify the server (X.509 cert)?
Java 堆空间 - 超出 memory 错误 - 带有 SASL_SSL 的 Kafka 代理
[英]Java heap space - Out of memory error - Kafka Broker with SASL_SSL
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.