Transient Kerberos authentication failure with Kafka client application












I am using the latest version of Kafka and am transiently facing an issue connecting my consumer/producer (console) clients to the Kafka broker over SASL_PLAINTEXT.

This is my JAAS configuration file:

    KafkaClient {
        com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=true;
    };

Here are the Java properties I am passing:

    -Djavax.security.auth.useSubjectCredsOnly=false
    -Dsecurity.protocol=SASL_PLAINTEXT
    -Dsasl.kerberos.service.name=HTTP
    -Dsasl.mechanism=GSSAPI

And this is the exception I am getting:

    Caused by: org.apache.kafka.common.KafkaException: javax.security.auth.login.LoginException: Could not login: the client is being asked for a password, but the Kafka client code does not currently support obtaining a password from the user. not available to garner  authentication information from the user
        at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:127)
        at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:140)
        at org.apache.kafka.common.network.ChannelBuilders.clientChannelBuilder(ChannelBuilders.java:65)
        at org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:88)
        at org.apache.kafka.clients.consumer.KafkaConsumer.<init>(KafkaConsumer.java:710)
        ... 33 more
    Caused by: javax.security.auth.login.LoginException: Could not login: the client is being asked for a password, but the Kafka client code does not currently support obtaining a password from the user. not available to garner authentication information from the user
        at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:940)

Can somebody please help here?

authentication apache-kafka kerberos jaas

asked Nov 20 '18 at 10:29
learner


2 Answers

Principal and keytab are missing in your JAAS file.

See https://kafka.apache.org/documentation/#security_sasl_kerberos

answered Nov 20 '18 at 16:29
Gery

• I am using TicketCache instead of specifying keytab and principal explicitly.
  – learner, Nov 20 '18 at 23:20

• Does using TicketCache mean you don't have to specify principal and keytab in your JAAS file? Where does its documentation say you don't have to specify that?
  – T-Heron, Nov 21 '18 at 2:56

• @learner, then it seems your cache has no valid ticket.
  – Gery, Nov 21 '18 at 8:37

• It fails transiently only. Also, when I face the issue connecting to Kafka, my other applications using the ticket cache work just fine.
  – learner, Nov 21 '18 at 9:32

• Are you sure your ticket is still valid at the exact time the Kafka client is failing? How do you renew your ticket?
  – Gery, Nov 21 '18 at 18:50
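
The comments above ask whether the ticket cache holds a valid ticket at the exact time the client fails. As an added example (not part of the original thread), this script parses `klist` output and reports the state of the ticket-granting ticket at each failure time. The sample output, principals and timestamps are constructed, and the MM/DD/YYYY layout of MIT `klist` in local time is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of MIT `klist` output; principals, realm and times are
# made up. Assumption: dates print as MM/DD/YYYY (or MM/DD/YY) in local time.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: learner@EXAMPLE.COM

Valid starting       Expires              Service principal
11/20/2018 00:30:00  11/20/2018 10:30:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 11/27/2018 00:30:00
11/20/2018 00:31:12  11/20/2018 10:30:00  HTTP/broker1.example.com@EXAMPLE.COM
"""

_STAMP = r"\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}"
_TICKET = re.compile(rf"^({_STAMP})\s+({_STAMP})\s+(\S+)$")
_RENEW = re.compile(rf"^renew until ({_STAMP})$")


def _parse_stamp(text):
    """Parse a klist timestamp with either a 2- or 4-digit year."""
    year = text.split()[0].split("/")[2]
    fmt = "%m/%d/%Y %H:%M:%S" if len(year) == 4 else "%m/%d/%y %H:%M:%S"
    return datetime.strptime(text, fmt)


def parse_klist(output):
    """Return one dict per ticket line found in `klist` output."""
    tickets = []
    for raw in output.splitlines():
        line = raw.strip()
        ticket = _TICKET.match(line)
        renew = _RENEW.match(line)
        if ticket:
            tickets.append({
                "start": _parse_stamp(ticket.group(1)),
                "end": _parse_stamp(ticket.group(2)),
                "service": ticket.group(3),
                "renew_until": None,
            })
        elif renew and tickets:
            # A "renew until" line belongs to the ticket printed just above it.
            tickets[-1]["renew_until"] = _parse_stamp(renew.group(1))
    return tickets


def tgt_state(output, now, margin=timedelta(minutes=10)):
    """Classify the ticket-granting ticket (krbtgt/...) in the cache at `now`.

    "missing" or "expired" leaves Krb5LoginModule (useTicketCache=true, no
    keytab) nothing to reuse, so it falls back to asking for a password.
    """
    tgts = [t for t in parse_klist(output) if t["service"].startswith("krbtgt/")]
    if not tgts:
        return "missing"
    tgt = max(tgts, key=lambda t: t["end"])
    if now < tgt["start"]:
        return "not-yet-valid"
    if now >= tgt["end"]:
        # Renewal needs an unexpired ticket; after expiry only a fresh kinit helps.
        return "expired"
    if tgt["end"] - now < margin:
        return "expiring"
    return "valid"


def classify_failures(output, failure_times):
    """Map each client failure time to the TGT state at that moment."""
    return {ts.isoformat(sep=" "): tgt_state(output, ts) for ts in failure_times}


if __name__ == "__main__":
    # Constructed failure times, e.g. taken from the client's LoginException log lines.
    failures = [datetime(2018, 11, 20, 9, 15), datetime(2018, 11, 20, 10, 29),
                datetime(2018, 11, 20, 10, 31)]
    for when, state in classify_failures(SAMPLE_KLIST, failures).items():
        print(when, state)
```

A state other than `valid` at a failure time points at ticket lifetime and renewal rather than at the JAAS file; `valid` at every failure time means the cause lies elsewhere.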



















I would like to suggest a few options:

1. List all the principals in the currently cached keytab and check if they are correct.

2. If you are trying to make any change to a topic using any principal other than KAFKA, that operation will fail. Set -Dsasl.kerberos.service.name=kafka

3. Try setting

    export KAFKA_OPTS="-Djava.security.auth.login.config=/path/to/jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf -Dsun.security.krb5.debug=true"

4. If you are using the console producer/consumer, you need to provide the producer/consumer configuration. Configure the following properties in producer.properties or consumer.properties.

    # or SASL_SSL
    security.protocol=SASL_PLAINTEXT
    # or PLAIN
    sasl.mechanism=GSSAPI

   Use the following command for the console consumer:

    kafka-console-consumer --bootstrap-server host:9092 --consumer.config /path/to/consumer.properties --topic Topic

Hope this would help :)

edited Nov 24 '18 at 3:05

answered Nov 21 '18 at 13:51
Asteroid

• Thanks for the help. I didn't grasp #2 completely. The client principal will be of the form '<username>/host@REALM' in general, so where is this service name coming up? If it is for the Kafka server then yes, I have a principal of the form 'HTTP/host@realm' and have set -Dsasl.kerberos.service.name=HTTP in both the Kafka server and the consumer/producer. Am I missing something?
  – learner, Nov 22 '18 at 0:08

• sasl.kerberos.service.name should match the name of the principal for the Kafka service. Typically it is set as kafka/host@REALM, and it has full rights to manipulate Kafka. If you use any other service name (which does not have full rights to manipulate Kafka), then attempting to make any change on Kafka topics will fail.
  – Asteroid, Nov 23 '18 at 9:16

• Kafka servers are also running with HTTP/host@REALM. (I have set this property to HTTP in both the Kafka server and the producer/consumer.)
  – learner, Nov 23 '18 at 9:59

• I'm not 100% sure about this, but running brokers with HTTP may cause problems due to the reason in my 2nd point. Try changing your principal to kafka (if you have created a principal for Kafka).
  – Asteroid, Nov 24 '18 at 3:08

• You are missing the Java property -Djava.security.auth.login.config=/path/to/jaas.conf
  – Asteroid, Nov 29 '18 at 15:13





















          • Thanks for Help. I didn't grasp #2 completely. Client principal will be of the form '<username>/host@REALM' in general so where is this service name is coming up. If it is for kafka server then yes, I am having principal of the form 'HTTP/host@realm' and have set -Dsasl.kerberos.service.name=HTTP in both kafka server and consumer/producer. Am I missing something?

            – learner
            Nov 22 '18 at 0:08











          • sasl.kerberos.service.name should match the name of principle for service kafka. Typically it is set as kafka/host@RELM. And it has full rights to manipulate kafka. If you use any other service name (which does not have full rights to manipulate kafka) then attempting do any change on kafka topics will fail.

            – Asteroid
            Nov 23 '18 at 9:16











          • Kafka server are are also running with HTTP/host@REALM. (have set this property to HTTP in both kafka server as well as producer/consumer)

            – learner
            Nov 23 '18 at 9:59











          • I'm not 100% sure about this but running brokers with HTTP may cause problems due to reason in my 2nd point. Try changing your principle to kafka (If you have created a principle for kafka)

            – Asteroid
            Nov 24 '18 at 3:08











          • You are missing java property -Djava.security.auth.login.config=/path/to/jaas.conf

            – Asteroid
            Nov 29 '18 at 15:13






































