Transient Kerberos authentication failure with Kafka client application
I am using the latest version of Kafka and am transiently facing an issue connecting my consumer/producer (console) clients to the Kafka broker over SASL_PLAINTEXT.

This is my JAAS configuration file:

    KafkaClient {
        com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=true;
    };

Here are the Java properties I am passing:

    -Djavax.security.auth.useSubjectCredsOnly=false
    -Dsecurity.protocol=SASL_PLAINTEXT
    -Dsasl.kerberos.service.name=HTTP
    -Dsasl.mechanism=GSSAPI

And this is the exception I am getting:

    Caused by: org.apache.kafka.common.KafkaException: javax.security.auth.login.LoginException: Could not login: the client is being asked for a password, but the Kafka client code does not currently support obtaining a password from the user. not available to garner authentication information from the user
        at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:127)
        at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:140)
        at org.apache.kafka.common.network.ChannelBuilders.clientChannelBuilder(ChannelBuilders.java:65)
        at org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:88)
        at org.apache.kafka.clients.consumer.KafkaConsumer.<init>(KafkaConsumer.java:710)
        ... 33 more
    Caused by: javax.security.auth.login.LoginException: Could not login: the client is being asked for a password, but the Kafka client code does not currently support obtaining a password from the user. not available to garner authentication information from the user
        at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:940)

Can somebody please help here?
authentication apache-kafka kerberos jaas
asked Nov 20 '18 at 10:29 by learner
2 Answers
Principal and keytab are missing in your JAAS file.
See https://kafka.apache.org/documentation/#security_sasl_kerberos
answered Nov 20 '18 at 16:29 by Gery
I am using TicketCache instead of specifying keytab and principal explicitly. – learner Nov 20 '18 at 23:20
Does using TicketCache mean you don't have to specify principal and keytab in your jaas file? Where does its documentation say you don't have to specify that? – T-Heron Nov 21 '18 at 2:56
@learner, then it seems your cache has no valid ticket – Gery Nov 21 '18 at 8:37
It fails transiently only. Also, when I face the issue with connecting to Kafka, my other applications using the ticket cache work just fine. – learner Nov 21 '18 at 9:32
Are you sure your ticket is still valid at the exact time the Kafka client is failing? How do you renew your ticket? – Gery Nov 21 '18 at 18:50
I would like to suggest a few options:

1. List all the principals in the currently cached keytab and check if they are correct.
2. If you are trying to do any change to a topic using any principal other than KAFKA, that operation will fail. Set -Dsasl.kerberos.service.name=kafka
3. Try setting

        export KAFKA_OPTS="-Djava.security.auth.login.config=/path/to/jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf -Dsun.security.krb5.debug=true"

4. If you are using the console producer/consumer, you need to provide the producer/consumer configuration. Configure the following properties in producer.properties or consumer.properties:

        # or SASL_SSL
        security.protocol=SASL_PLAINTEXT
        # or PLAIN
        sasl.mechanism=GSSAPI

   Use the following command for the console consumer:

        kafka-console-consumer --bootstrap-server host:9092 --consumer.config /path/to/consumer.properties --topic Topic

Hope this would help :)
edited Nov 24 '18 at 3:05, answered Nov 21 '18 at 13:51 by Asteroid
Thanks for the help. I didn't grasp #2 completely. The client principal will be of the form '<username>/host@REALM' in general, so where is this service name coming up? If it is for the Kafka server then yes, I have a principal of the form 'HTTP/host@realm' and have set -Dsasl.kerberos.service.name=HTTP in both the Kafka server and consumer/producer. Am I missing something? – learner Nov 22 '18 at 0:08
sasl.kerberos.service.name should match the name of the principal for the Kafka service. Typically it is set as kafka/host@REALM, and it has full rights to manipulate Kafka. If you use any other service name (which does not have full rights to manipulate Kafka), then attempting to do any change on Kafka topics will fail. – Asteroid Nov 23 '18 at 9:16
The Kafka servers are also running with HTTP/host@REALM. (I have set this property to HTTP in both the Kafka server and the producer/consumer.) – learner Nov 23 '18 at 9:59
I'm not 100% sure about this, but running brokers with HTTP may cause problems due to the reason in my 2nd point. Try changing your principal to kafka (if you have created a principal for kafka). – Asteroid Nov 24 '18 at 3:08
You are missing the Java property -Djava.security.auth.login.config=/path/to/jaas.conf – Asteroid Nov 29 '18 at 15:13
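
A preflight check for the failure discussed in both answers, added here as an example (it is not code from the thread or from Kafka): it reads the `KafkaClient` section of the JAAS file and, when the section relies on the ticket cache alone, uses `klist -s` (MIT Kerberos; non-zero exit when the cache is unreadable or expired) to report a missing TGT before `Krb5LoginModule` reaches `promptForPass`. The function names, exit codes and the `KLIST` override are assumptions made for this example.

```shell
#!/bin/sh
# Added example: preflight for a Kafka client that logs in via Krb5LoginModule.
# All names and exit codes here are hypothetical, chosen for illustration.

# KLIST can be overridden so the check can be exercised without a KDC.
: "${KLIST:=klist}"

# Print the KafkaClient { ... }; section of a JAAS file (other sections,
# such as KafkaServer, are ignored).
jaas_client_section() {
    sed -n '/^[[:space:]]*KafkaClient[[:space:]]*{/,/}[[:space:]]*;/p' "$1"
}

# Succeed if option $2 is set to true in the section text $1.
jaas_opt_true() {
    printf '%s\n' "$1" |
        grep -Eq "(^|[[:space:]])$2[[:space:]]*=[[:space:]]*\"?true\"?"
}

# kafka_krb_preflight JAAS_FILE
# Returns: 0 login can proceed
#          2 JAAS file unreadable or no KafkaClient section
#          3 ticket cache only, and the cache holds no valid TGT
#          4 neither useKeyTab nor useTicketCache is enabled
#          5 useKeyTab=true but the configured keytab is not readable
kafka_krb_preflight() {
    jaas_file=$1
    if [ ! -r "$jaas_file" ]; then
        echo "JAAS file not readable: $jaas_file" >&2
        return 2
    fi
    section=$(jaas_client_section "$jaas_file")
    if [ -z "$section" ]; then
        echo "no KafkaClient section in $jaas_file" >&2
        return 2
    fi

    if jaas_opt_true "$section" useKeyTab; then
        # A keytab login does not depend on the state of the ticket cache.
        keytab=$(printf '%s\n' "$section" |
            sed -n 's/.*keyTab[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' |
            head -n 1)
        if [ -n "$keytab" ] && [ ! -r "$keytab" ]; then
            echo "keytab not readable: $keytab" >&2
            return 5
        fi
        return 0
    fi

    if jaas_opt_true "$section" useTicketCache; then
        # With no keytab to fall back on, an expired or missing TGT makes
        # Krb5LoginModule ask for a password, which the Kafka client
        # cannot supply.
        if "$KLIST" -s; then
            return 0
        fi
        echo "ticket cache has no valid TGT; run kinit or configure a keytab" >&2
        return 3
    fi

    echo "KafkaClient enables neither useKeyTab nor useTicketCache" >&2
    return 4
}

# When run with an argument, check that JAAS file.
[ $# -eq 0 ] || kafka_krb_preflight "$1"
```

The check narrows the diagnosis but cannot close the window between the check and the client's own login, so a ticket that expires in between still fails; a keytab entry in the JAAS section removes that dependency.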