[ https://issues.apache.org/jira/browse/KAFKA-4411?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Manikumar resolved KAFKA-4411.
------------------------------
Resolution: Not A Problem
It is necessary to have the same principal name across all brokers for ZK
Authentication.
> broker don't have access to kafka zookeeper nodes
> -------------------------------------------------
>
> Key: KAFKA-4411
> URL: https://issues.apache.org/jira/browse/KAFKA-4411
> Project: Kafka
> Issue Type: Bug
> Components: admin, config
> Affects Versions: 0.9.0.1
> Environment: Red Hat Enterprise Linux Server release 7.0
> Java 1.8.0_66-b17
> Kafka 0.9.0.1
> Reporter: Mohammed amine GARMES
> Priority: Critical
> Labels: security
> Original Estimate: 12h
> Remaining Estimate: 12h
>
> I have 2 Kafka servers configured to start with Kafka security. I try to
> start the Kafka servers with the JAAS below ==>
> server 1
> KafkaServer {
> com.sun.security.auth.module.Krb5LoginModule required
> useKeyTab=true
> storeKey=true
> keyTab="/opt/kafka/config/kafka.keytab"
> principal="kafka/[email protected]";
> };
> // ZooKeeper client authentication
> Client {
> com.sun.security.auth.module.Krb5LoginModule required
> useKeyTab=true
> storeKey=true
> keyTab="/opt/kafka/config/kafka.keytab"
> principal="kafka/[email protected]";
> };
> server 2:
> KafkaServer {
> com.sun.security.auth.module.Krb5LoginModule required
> useKeyTab=true
> storeKey=true
> keyTab="/opt/kafka/config/kafka.keytab"
> principal="kafka/[email protected]";
> };
> // ZooKeeper client authentication
> Client {
> com.sun.security.auth.module.Krb5LoginModule required
> useKeyTab=true
> storeKey=true
> keyTab="/opt/kafka/config/kafka.keytab"
> principal="kafka/[email protected]";
> };
> the problem:
> When I start Kafka server 1 all is fine, but when I try to start the
> second server I have an issue because it doesn't have access to the ZooKeeper
> node (/brokers) for Kafka. The whole ZooKeeper path /brokers is blocked by the
> first server, so the second server doesn't have the right access to write in this
> path.
> The ACL of /brokers is the FQDN of the first server; normally it should be open
> for all and the ACL of the path /brokers/ids/1 should be closed. In this case the second
> server can write in /brokers and close /brokers/ids/2 for itself.
> I found a solution but I am not sure that it is the right solution: I created a
> new Kafka Kerberos user, so for all servers I use the same user:
> Server1
> KafkaServer {
> com.sun.security.auth.module.Krb5LoginModule required
> useKeyTab=true
> storeKey=true
> keyTab="/opt/kafka/config/kafka.keytab"
> principal="kafka/[email protected]";
> };
> // ZooKeeper client authentication
> Client {
> com.sun.security.auth.module.Krb5LoginModule required
> useKeyTab=true
> storeKey=true
> keyTab="/opt/kafka/config/kafkaZk.keytab"
> principal="kafka/[email protected]";
> };
> ________________________________________
> Server2
> KafkaServer {
> com.sun.security.auth.module.Krb5LoginModule required
> useKeyTab=true
> storeKey=true
> keyTab="/opt/kafka/config/kafka.keytab"
> principal="kafka/[email protected]";
> };
> // ZooKeeper client authentication
> Client {
> com.sun.security.auth.module.Krb5LoginModule required
> useKeyTab=true
> storeKey=true
> keyTab="/opt/kafka/config/kafkaZk.keytab"
> principal="kafka/[email protected]";
> };
> Can you help me or clarify to me how I can use Kafka security correctly?!!
--
This message was sent by Atlassian JIRA (v6.4.14#64029)
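Added example, not part of the ticket or of Kafka's own code, showing the check behind the resolution: it parses each broker's JAAS file, takes the principal from the Client section (the one used towards ZooKeeper), and reports whether all brokers would present the same identity to ZooKeeper. The JAAS text, host names and realm are constructed sample data.

```python
import re

# Constructed JAAS files modelled on the ticket (sample data, not the
# ticket's own files): each broker has a KafkaServer section and a Client
# section; only the Client section decides the ZooKeeper ACL identity.
JAAS_FILES = {
    "server1": '''
KafkaServer {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true storeKey=true keyTab="/opt/kafka/config/kafka.keytab"
  principal="kafka/server1.example.com@EXAMPLE.COM";
};
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true storeKey=true keyTab="/opt/kafka/config/kafka.keytab"
  principal="kafka/server1.example.com@EXAMPLE.COM";
};
''',
    "server2": '''
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true storeKey=true keyTab="/opt/kafka/config/kafka.keytab"
  principal="kafka/server2.example.com@EXAMPLE.COM";
};
''',
}

SECTION_RE = re.compile(r"(\w+)\s*\{(.*?)\}\s*;", re.DOTALL)
PRINCIPAL_RE = re.compile(r'principal\s*=\s*"([^"]+)"')

def jaas_principals(text):
    """Map each JAAS section name (KafkaServer, Client, ...) to its principal."""
    return {name: m.group(1)
            for name, body in SECTION_RE.findall(text)
            if (m := PRINCIPAL_RE.search(body))}

def zk_acl_ids(jaas_files):
    """ACL identity ZooKeeper records (by default) on znodes a broker creates:
    with SASL/Kerberos it is 'sasl:<Client principal>', so brokers whose
    Client principals differ cannot write to each other's znodes."""
    return {b: "sasl:" + jaas_principals(t)["Client"]
            for b, t in jaas_files.items()}

def check_shared_zk_principal(jaas_files):
    """True when every broker authenticates to ZooKeeper as one principal."""
    return len(set(zk_acl_ids(jaas_files).values())) == 1
```

With the host-specific principals above the check fails, which is the ticket's symptom; pointing every broker's Client section at one shared principal (the reporter's kafkaZk keytab approach) makes it pass.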