[英]Kafka SaslAuthenticationException Occuring on Ad-hoc basis for SASL_SSL Protocol
我正在運行一些java 8 Kafka應用程序,其中一些是Kafka流,其他是普通的生產者/消費者。
對於它們中的每一個,都沒有功能問題,它們在大多數情況下運行良好。
但是,對於他們中的每一個,我都會遇到SaslAuthenticationException的特殊情況。 由於它們每兩周左右發生一次,我不確定如何復制/推斷根本原因:
錯誤:
Failed to create channel due to
org.apache.kafka.common.errors.SaslAuthenticationException: Failed to configure SaslClientAuthenticator
Caused by: org.apache.kafka.common.KafkaException: Principal could not be determined from Subject, this may be a transient failure due to Kerberos re-login
堆棧跟蹤:
Failed to create channel due to
org.apache.kafka.common.errors.SaslAuthenticationException: Failed to configure SaslClientAuthenticator
Caused by: org.apache.kafka.common.KafkaException: Principal could not be determined from Subject, this may be a transient failure due to Kerberos re-login
at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.firstPrincipal(SaslClientAuthenticator.java:441) ~[kafka-clients-2.0.1.jar!/:na]
at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.<init>(SaslClientAuthenticator.java:135) ~[kafka-clients-2.0.1.jar!/:na]
at org.apache.kafka.common.network.SaslChannelBuilder.buildClientAuthenticator(SaslChannelBuilder.java:244) ~[kafka-clients-2.0.1.jar!/:na]
at org.apache.kafka.common.network.SaslChannelBuilder.buildChannel(SaslChannelBuilder.java:194) ~[kafka-clients-2.0.1.jar!/:na]
at org.apache.kafka.common.network.Selector.buildAndAttachKafkaChannel(Selector.java:289) [kafka-clients-2.0.1.jar!/:na]
at org.apache.kafka.common.network.Selector.registerChannel(Selector.java:280) [kafka-clients-2.0.1.jar!/:na]
at org.apache.kafka.common.network.Selector.connect(Selector.java:215) [kafka-clients-2.0.1.jar!/:na]
at org.apache.kafka.clients.NetworkClient.initiateConnect(NetworkClient.java:864) [kafka-clients-2.0.1.jar!/:na]
at org.apache.kafka.clients.NetworkClient.access$700(NetworkClient.java:64) [kafka-clients-2.0.1.jar!/:na]
at org.apache.kafka.clients.NetworkClient$DefaultMetadataUpdater.maybeUpdate(NetworkClient.java:1035) [kafka-clients-2.0.1.jar!/:na]
at org.apache.kafka.clients.NetworkClient$DefaultMetadataUpdater.maybeUpdate(NetworkClient.java:920) [kafka-clients-2.0.1.jar!/:na]
at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:508) [kafka-clients-2.0.1.jar!/:na]
這就是我向Kafka提供JAAS Kerberos身份驗證的方法(在我的配置文件中,我提供了諸如kdc,realm,keytab,principal之類的信息):
@Value("${kafka.sasl.kerberos.kdc}")
private String kdc;
@Value("${kafka.sasl.kerberos.realm}")
private String realm;
@Value("${kafka.sasl.kerberos.keytab}")
private Resource keytab;
@Value("${kafka.sasl.kerberos.principal}")
private String principal;
@Bean
public InMemoryConfiguration kafkaOpts() throws IOException {
System.setProperty("java.security.krb5.kdc", kdc);
System.setProperty("java.security.krb5.realm", realm);
Map<String, Object> options = new HashMap<>();
options.put("keyTab", copyResourceToTempFile(keytab, ".keytab").toString());
options.put("principal", principal);
options.put("useKeyTab","true");
options.put("storeKey","true");
AppConfigurationEntry kafkaClientConfig = new AppConfigurationEntry(
"com.sun.security.auth.module.Krb5LoginModule", LoginModuleControlFlag.REQUIRED, options);
Map<String, AppConfigurationEntry[]> jaasConfigEntries = new HashMap<>();
jaasConfigEntries.put("KafkaClient", new AppConfigurationEntry[] {kafkaClientConfig});
InMemoryConfiguration jaasConfig = new InMemoryConfiguration(jaasConfigEntries);
javax.security.auth.login.Configuration.setConfiguration(jaasConfig);
return jaasConfig;
}
public static Path copyResourceToTempFile(Resource resource, String extension) {
try (InputStream in = resource.getInputStream()) {
Path tempFile = Files.createTempFile("spring-boot-", extension);
Files.copy(in, tempFile, StandardCopyOption.REPLACE_EXISTING);
return tempFile;
} catch (IOException e) {
log.error("Error creating resource to file",e);
return null;
}
}
我們也面臨同樣的問題。 在與kafka連接后,突然我們松開連接和應用程序重試登錄但它失敗了。 但我們使用以下配置更新jaas auth配置文件:
com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
這對我來說非常有用。
如何在Java中使用sasl機制PLAIN和安全協議SASL_SSL配置kafka使用者?
[英]How to configure kafka consumer with sasl mechanism PLAIN and with security protocol SASL_SSL in java?
使用 SASL_SSL / PLAIN 連接時出現 Kafka AdminClient 錯誤
[英]Kafka AdminClient error when connecting using SASL_SSL / PLAIN
如何使用 SASL_SSL 連接 Apache Kafka 設置 Spring Cloud Kafka 項目?
[英]How can I setup Spring Cloud Kafka project with SASL_SSL connect Apache Kafka?
SASL_SSL 安全協議如何工作? 客戶端是否驗證服務器(X.509 證書)?
[英]How does SASL_SSL security protocol work? Does client verify the server (X.509 cert)?
Java 堆空間 - 超出 memory 錯誤 - 帶有 SASL_SSL 的 Kafka 代理
[英]Java heap space - Out of memory error - Kafka Broker with SASL_SSL
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.