[jira] [Created] (KAFKA-6198) kerberos login fails

Ronald van de Kuil (JIRA) Fri, 10 Nov 2017 03:57:41 -0800

Ronald van de Kuil created KAFKA-6198:
-----------------------------------------


             Summary: kerberos login fails
                 Key: KAFKA-6198
                 URL: https://issues.apache.org/jira/browse/KAFKA-6198
             Project: Kafka
          Issue Type: Test
          Components: clients
    Affects Versions: 0.11.0.1
         Environment: raspberrypi
            Reporter: Ronald van de Kuil
            Priority: Minor


I got very far with setting up kerberos on the raspberry pi as part of self 
study. 

I believe that the kafka server is happy with kerberos:

[2017-11-10 12:17:51,659] INFO Successfully authenticated client: 
authenticationID=kafka/pi99.dev.ibm....@dev.ibm.com; 
authorizationID=kafka/pi99.dev.ibm....@dev.ibm.com. 
(org.apache.kafka.common.security.authenticator.SaslServerCallbackHandler)
[2017-11-10 12:17:51,661] INFO Setting authorizedID: kafka 
(org.apache.kafka.common.security.authenticator.SaslServerCallbackHandler)

I have setup the kafka.security.auth.SimpleAclAuthorizer

And granted the following access:

Current ACLs for resource `Topic:kerberos-topic`: 
        User:producer has Allow permission for operations: Describe from hosts: 
*
        User:producer has Allow permission for operations: Write from hosts: *
        User:produ...@dev.ibm.com has Allow permission for operations: Describe 
from hosts: *
        User:produ...@dev.ibm.com has Allow permission for operations: Write 
from hosts: * 

When I start the client, then I see it getting the kerberos ticket:

[main] INFO org.apache.kafka.common.security.authenticator.AbstractLogin - 
Successfully logged in.
[kafka-kerberos-refresh-thread-produ...@dev.ibm.com] INFO 
org.apache.kafka.common.security.kerberos.KerberosLogin - 
[Principal=produ...@dev.ibm.com]: TGT refresh thread started.
[kafka-kerberos-refresh-thread-produ...@dev.ibm.com] INFO 
org.apache.kafka.common.security.kerberos.KerberosLogin - 
[Principal=produ...@dev.ibm.com]: TGT valid starting at: Fri Nov 10 12:50:11 
CET 2017
[kafka-kerberos-refresh-thread-produ...@dev.ibm.com] INFO 
org.apache.kafka.common.security.kerberos.KerberosLogin - 
[Principal=produ...@dev.ibm.com]: TGT expires: Fri Nov 10 22:50:11 CET 2017
[kafka-kerberos-refresh-thread-produ...@dev.ibm.com] INFO 
org.apache.kafka.common.security.kerberos.KerberosLogin - 
[Principal=produ...@dev.ibm.com]: TGT refresh sleeping until: Fri Nov 10 
21:13:37 CET 2017

But the client fails to login:

[kafka-producer-network-thread | producer-1] WARN 
org.apache.kafka.clients.NetworkClient - Connection to node -1 terminated 
during authentication. This may indicate that authentication failed due to 
invalid credentials.

I do not see any warnings in the logs, so I do not have much to go on.

What can I do to get my finger behind this issue?

Thank you,

Ronald - the NOOB



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Created] (KAFKA-6198) kerberos login fails

Reply via email to