[jira] [Resolved] (KAFKA-6198) kerberos login fails

[Ronald van de Kuil (JIRA)]

     [ 
https://issues.apache.org/jira/browse/KAFKA-6198?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ronald van de Kuil resolved KAFKA-6198.
---------------------------------------
    Resolution: Fixed

> kerberos login fails
> --------------------
>
>                 Key: KAFKA-6198
>                 URL: https://issues.apache.org/jira/browse/KAFKA-6198
>             Project: Kafka
>          Issue Type: Test
>          Components: clients
>    Affects Versions: 0.11.0.1
>         Environment: raspberrypi
>            Reporter: Ronald van de Kuil
>            Priority: Minor
>
> I got very far with setting up kerberos on the raspberry pi as part of self 
> study. 
> I believe that the kafka server is happy with kerberos:
> [2017-11-10 12:17:51,659] INFO Successfully authenticated client: 
> authenticationID=kafka/pi99.dev.ibm....@dev.ibm.com; 
> authorizationID=kafka/pi99.dev.ibm....@dev.ibm.com. 
> (org.apache.kafka.common.security.authenticator.SaslServerCallbackHandler)
> [2017-11-10 12:17:51,661] INFO Setting authorizedID: kafka 
> (org.apache.kafka.common.security.authenticator.SaslServerCallbackHandler)
> I have setup the kafka.security.auth.SimpleAclAuthorizer
> And granted the following access:
> Current ACLs for resource `Topic:kerberos-topic`: 
>       User:producer has Allow permission for operations: Describe from hosts: 
> *
>       User:producer has Allow permission for operations: Write from hosts: *
>       User:produ...@dev.ibm.com has Allow permission for operations: Describe 
> from hosts: *
>       User:produ...@dev.ibm.com has Allow permission for operations: Write 
> from hosts: * 
> When I start the client, then I see it getting the kerberos ticket:
> [main] INFO org.apache.kafka.common.security.authenticator.AbstractLogin - 
> Successfully logged in.
> [kafka-kerberos-refresh-thread-produ...@dev.ibm.com] INFO 
> org.apache.kafka.common.security.kerberos.KerberosLogin - 
> [Principal=produ...@dev.ibm.com]: TGT refresh thread started.
> [kafka-kerberos-refresh-thread-produ...@dev.ibm.com] INFO 
> org.apache.kafka.common.security.kerberos.KerberosLogin - 
> [Principal=produ...@dev.ibm.com]: TGT valid starting at: Fri Nov 10 12:50:11 
> CET 2017
> [kafka-kerberos-refresh-thread-produ...@dev.ibm.com] INFO 
> org.apache.kafka.common.security.kerberos.KerberosLogin - 
> [Principal=produ...@dev.ibm.com]: TGT expires: Fri Nov 10 22:50:11 CET 2017
> [kafka-kerberos-refresh-thread-produ...@dev.ibm.com] INFO 
> org.apache.kafka.common.security.kerberos.KerberosLogin - 
> [Principal=produ...@dev.ibm.com]: TGT refresh sleeping until: Fri Nov 10 
> 21:13:37 CET 2017
> But the client fails to login:
> [kafka-producer-network-thread | producer-1] WARN 
> org.apache.kafka.clients.NetworkClient - Connection to node -1 terminated 
> during authentication. This may indicate that authentication failed due to 
> invalid credentials.
> I do not see any warnings in the logs, so I do not have much to go on.
> What can I do to get my finger behind this issue?
> Thank you,
> Ronald - the NOOB



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)