Mohammed amine GARMES created KAFKA-4411:
--------------------------------------------

             Summary: broker don't have access to kafka zookeeper nodes
                 Key: KAFKA-4411
                 URL: https://issues.apache.org/jira/browse/KAFKA-4411
             Project: Kafka
          Issue Type: Bug
          Components: admin, config
    Affects Versions: 0.9.0.1
         Environment: Red Hat Enterprise Linux Server release 7.0 
Java 1.8.0_66-b17 
Kafka 0.9.0.1
            Reporter: Mohammed amine GARMES
            Priority: Critical


I have 2 Kafka servers configured to start with Kafka security. I try to start
the Kafka servers with the JAAS below ==>

server 1 :
KafkaServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/opt/kafka/config/kafka.keytab"
    principal="kafka/kafka1.test....@test.net";
};

// ZooKeeper client authentication
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/opt/kafka/config/kafka.keytab"
    principal="kafka/kafka1.test....@test.net";
};
server 2 :
KafkaServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/opt/kafka/config/kafka.keytab"
    principal="kafka/kafka2.test....@test.net";
};

// ZooKeeper client authentication
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/opt/kafka/config/kafka.keytab"
    principal="kafka/kafka2.test....@test.net";
};

The problem:

When I start Kafka server 1 all is fine, but when I try to start the second
server I have an issue because it doesn't have access to the ZooKeeper node
(/brokers) for Kafka. The whole ZooKeeper path /brokers is blocked by the first
server, so the second server doesn't have the right access to write to this path.

The ACL of /brokers is the FQDN of the first server; normally it should be open
for all and the ACL of the path /brokers/ids/1 should be closed. In this case the
second server could write to /brokers and close /brokers/ids/2 for itself.

I found a solution but I am not sure that it is the right solution: I created a
new kafka-kerberos user, so for all servers I use the same user:

Server 1
KafkaServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/opt/kafka/config/kafka.keytab"
    principal="kafka/kafka1.test....@test.net";
};

// ZooKeeper client authentication
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/opt/kafka/config/kafkaZk.keytab"
    principal="kafka/kafkazk.test....@test.net";
};
________________________________________
Server 2
KafkaServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/opt/kafka/config/kafka.keytab"
    principal="kafka/kafka2.test....@test.net";
};

// ZooKeeper client authentication
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/opt/kafka/config/kafkaZk.keytab"
    principal="kafka/kafkazk.test....@test.net";
};


Can you help me or clarify to me how I can use Kafka security correctly?!
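What the report describes is ZooKeeper's per-znode ACL check applied to the identity the broker authenticates with in its JAAS Client section. The model below is an added example written for this page; it is not Kafka or ZooKeeper code. It assumes the brokers run with zookeeper.set.acl=true (so a znode a broker creates gets the creator's SASL identity with cdrwa plus world:anyone read), that ZooKeeper's sasl ACL scheme compares the authenticated name as a plain string, and that the ZooKeeper server flags zookeeper.kerberos.removeHostFromPrincipal and zookeeper.kerberos.removeRealmFromPrincipal strip "/host" and "@REALM" from that name. The principals are constructed (example.net / EXAMPLE.NET) and stand in for the ones in the report. It replays the two configurations above and, going beyond the report, a third one in which the brokers keep per-host principals and the ZooKeeper servers strip host and realm.

```python
"""Model of the ZooKeeper znode ACL behaviour behind KAFKA-4411.

Added example, not Kafka or ZooKeeper code. Assumptions: zookeeper.set.acl=true
on the brokers (creator gets cdrwa, world gets read on every znode the broker
creates); the sasl ACL scheme matches the authenticated name as a string; the
removeHostFromPrincipal / removeRealmFromPrincipal ZK server flags drop
"/host" and "@REALM" from that name. Principals are constructed.
"""

# Permission bits in the order ZooKeeper prints them: c d r w a
CREATE, DELETE, READ, WRITE, ADMIN = 1, 2, 4, 8, 16
ALL = CREATE | DELETE | READ | WRITE | ADMIN


def perms_to_str(perms):
    """Render a permission mask the way getAcl in zookeeper-shell prints it."""
    bits = zip("cdrwa", (CREATE, DELETE, READ, WRITE, ADMIN))
    return "".join(ch for ch, bit in bits if perms & bit)


class NoAuth(Exception):
    """Stands in for ZooKeeper's KeeperException.NoAuthException."""


class ZkAclModel:
    def __init__(self, remove_host=False, remove_realm=False):
        self.remove_host = remove_host
        self.remove_realm = remove_realm
        # path -> list of (scheme, id, perms); the root is open, as on a fresh ensemble
        self.nodes = {"/": [("world", "anyone", ALL)]}

    def auth_id(self, principal):
        """Name the ZK server assigns a Kerberos-authenticated client (sasl scheme),
        after the optional host/realm stripping assumed above."""
        name, _, realm = principal.partition("@")
        if self.remove_host:
            name = name.split("/", 1)[0]
        if realm and not self.remove_realm:
            name = name + "@" + realm
        return name

    def _allowed(self, path, principal, perm):
        ids = {("world", "anyone"), ("sasl", self.auth_id(principal))}
        return any((scheme, id_) in ids and perms & perm
                   for scheme, id_, perms in self.nodes[path])

    def create(self, path, principal):
        """Create path as principal. ZooKeeper requires CREATE on the parent."""
        if path in self.nodes:
            return  # like ensurePersistentPath: already there, nothing to do
        parent = path.rsplit("/", 1)[0] or "/"
        if parent not in self.nodes:
            self.create(parent, principal)
        if not self._allowed(parent, principal, CREATE):
            raise NoAuth(f"{self.auth_id(principal)} lacks CREATE on {parent}")
        # Assumed zookeeper.set.acl=true default: creator cdrwa, everyone else read
        self.nodes[path] = [("sasl", self.auth_id(principal), ALL),
                            ("world", "anyone", READ)]

    def get_acl(self, path):
        return [f"{scheme}:{id_}:{perms_to_str(perms)}"
                for scheme, id_, perms in self.nodes[path]]


def register_broker(zk, principal, broker_id):
    """Mimic broker startup: ensure /brokers/ids exists, then register the id.
    Returns True on success, False if ZooKeeper denies the write."""
    try:
        zk.create("/brokers/ids", principal)
        zk.create(f"/brokers/ids/{broker_id}", principal)
        return True
    except NoAuth:
        return False


def simulate(zk_client_principals, remove_host=False, remove_realm=False):
    """Start brokers in order with the given ZooKeeper Client principals.
    Returns (per-broker outcome, ACL that ends up on /brokers)."""
    zk = ZkAclModel(remove_host, remove_realm)
    outcome = {bid: register_broker(zk, p, bid) for bid, p in zk_client_principals}
    return outcome, zk.get_acl("/brokers")


# Constructed principals standing in for the ones in the report
PER_HOST = [(1, "kafka/kafka1.example.net@EXAMPLE.NET"),
            (2, "kafka/kafka2.example.net@EXAMPLE.NET")]
SHARED = [(1, "kafka/kafkazk.example.net@EXAMPLE.NET"),
          (2, "kafka/kafkazk.example.net@EXAMPLE.NET")]

if __name__ == "__main__":
    scenarios = [("per-host principals", PER_HOST, {}),
                 ("shared principal (reporter's workaround)", SHARED, {}),
                 ("per-host principals, ZK strips host and realm", PER_HOST,
                  {"remove_host": True, "remove_realm": True})]
    for label, principals, flags in scenarios:
        outcome, acl = simulate(principals, **flags)
        print(f"{label}: brokers={outcome} /brokers ACL={acl}")
```

Against a real ensemble the same check is `bin/zookeeper-shell.sh <zk-host>:2181 getAcl /brokers`: if the sasl entry carries one broker's host name, no other broker can create children under it. Both fixes collapse the brokers to one ZooKeeper identity; the shared-keytab workaround additionally puts a single keytab on every host, while the server-side stripping keeps one keytab per host and so limits what a compromise of one broker exposes.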




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
