Can you try listing and applying ACLs with the root user instead of metron?
On Fri, Apr 7, 2017 at 10:29 AM, nickwallen <g...@git.apache.org> wrote:

> Github user nickwallen commented on the issue:
>
> https://github.com/apache/incubator-metron/pull/507
>
> I went through your instructions and all seemed well with the world.
> But then I tried to use the `kafka-console-producer` to actually write data
> to Kafka and it fails. Any ideas what the problem might be?
>
> ```
> [metron@node1 ~]$ kinit -kt /etc/security/keytabs/metron.headless.keytab met...@example.com
> [metron@node1 ~]$ echo "foo" | kafka-console-producer.sh --broker-list node1:6667 --topic yaf --security-protocol SASL_PLAINTEXT
> [2017-04-07 16:29:00,639] WARN The TGT cannot be renewed beyond the next expiry date: Sat Apr 08 16:28:58 UTC 2017.This process will not be able to authenticate new SASL connections after that time (for example, it will not be able to authenticate a new connection with a Kafka Broker). Ask your system administrator to either increase the 'renew until' time by doing : 'modprinc -maxrenewlife null ' within kadmin, or instead, to generate a keytab for null. Because the TGT's expiry cannot be further extended by refreshing, exiting refresh thread now. (org.apache.kafka.common.security.kerberos.KerberosLogin)
> [2017-04-07 16:29:00,897] WARN Error while fetching metadata with correlation id 0 : {yaf=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
> [2017-04-07 16:29:00,897] ERROR Error when sending message to topic yaf with key: null, value: 3 bytes with error: (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback)
> org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [yaf]
> ```
>
> I then tried to go back and check the Kafka ACLs and am now getting an
> error. I was able to set the ACLs, but now I cannot see them.
>
> ```
> [metron@node1 ~]$ kinit -kt /etc/security/keytabs/metron.headless.keytab met...@example.com
> [metron@node1 ~]$ kafka-acls.sh --list --topic yaf --authorizer-properties zookeeper.connect=${ZOOKEEPER}:2181
> [2017-04-07 16:24:47,794] WARN Could not login: the client is being asked for a password, but the Zookeeper client code does not currently support obtaining a password from the user. Make sure that the client is configured to use a ticket cache (using the JAAS configuration setting 'useTicketCache=true)' and restart the client. If you still get this message after that, the TGT in the ticket cache has expired and must be manually refreshed. To do so, first determine if you are using a password or a keytab. If the former, run kinit in a Unix shell in the environment of the user who is running this Zookeeper client using the command 'kinit <princ>' (where <princ> is the name of the client's Kerberos principal). If the latter, do 'kinit -k -t <keytab> <princ>' (where <princ> is the name of the Kerberos principal, and <keytab> is the location of the keytab file). After manually refreshing your cache, restart this client. If you continue to see this message after manually refreshing your cache, ensure that your KDC host's clock is in sync with this host's clock. (org.apache.zookeeper.client.ZooKeeperSaslClient)
> [2017-04-07 16:24:47,796] WARN SASL configuration failed: javax.security.auth.login.LoginException: No password provided Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
> Error while executing ACL command: Authentication failure
> org.I0Itec.zkclient.exception.ZkAuthFailedException: Authentication failure
>         at org.I0Itec.zkclient.ZkClient.waitForKeeperState(ZkClient.java:946)
> ```
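An added triage helper (my own example, not code from the PR or from Metron) that classifies the three distinct failures visible in the client output quoted above: the missing topic ACL, the non-renewable TGT, and the kafka-acls.sh JAAS login that fell back to an unauthenticated ZooKeeper session. SAMPLE_LOG is constructed from the quoted lines; the kafka-acls.sh options named in the advice are the tool's standard ones.

```python
import re

# Sample lines constructed from the producer and kafka-acls.sh output quoted in the thread.
SAMPLE_LOG = """\
[2017-04-07 16:29:00,639] WARN The TGT cannot be renewed beyond the next expiry date: Sat Apr 08 16:28:58 UTC 2017.This process will not be able to authenticate new SASL connections after that time. Ask your system administrator to either increase the 'renew until' time by doing : 'modprinc -maxrenewlife null ' within kadmin, or instead, to generate a keytab for null. (org.apache.kafka.common.security.kerberos.KerberosLogin)
[2017-04-07 16:29:00,897] WARN Error while fetching metadata with correlation id 0 : {yaf=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
[2017-04-07 16:29:00,897] ERROR Error when sending message to topic yaf with key: null, value: 3 bytes with error: (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback)
org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [yaf]
[2017-04-07 16:24:47,796] WARN SASL configuration failed: javax.security.auth.login.LoginException: No password provided Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
Error while executing ACL command: Authentication failure
"""

METADATA_ERRORS = re.compile(r"\{([^}]*)\}")  # per-topic error map, e.g. {yaf=TOPIC_AUTHORIZATION_FAILED}
NOT_AUTHORIZED = re.compile(r"Not authorized to access topics: \[([^\]]*)\]")

def triage_kafka_log(text):
    """Classify Kerberos/ACL failures in Kafka client output; returns a dict of findings."""
    f = {"unauthorized_topics": set(), "tgt_not_renewable": False,
         "zk_sasl_fallback": False, "zk_auth_failure": False}
    for line in text.splitlines():
        if "TGT cannot be renewed" in line:
            f["tgt_not_renewable"] = True
        m = METADATA_ERRORS.search(line)
        if m and "TOPIC_AUTHORIZATION_FAILED" in line:
            for pair in m.group(1).split(","):
                topic, _, status = pair.strip().partition("=")
                if status == "TOPIC_AUTHORIZATION_FAILED":
                    f["unauthorized_topics"].add(topic)
        m = NOT_AUTHORIZED.search(line)
        if m:
            f["unauthorized_topics"].update(t.strip() for t in m.group(1).split(",") if t.strip())
        if "without SASL authentication" in line:
            f["zk_sasl_fallback"] = True  # client downgraded to an unauthenticated ZK session
        if "Authentication failure" in line:
            f["zk_auth_failure"] = True
    return f

def advice(f):
    """Map each finding to the remediation it calls for."""
    out = []
    if f["unauthorized_topics"]:
        out.append("no Write ACL for the client principal on topic(s) %s; grant with kafka-acls.sh --add "
                   "--allow-principal User:<principal> --producer --topic <topic>"
                   % ", ".join(sorted(f["unauthorized_topics"])))
    if f["tgt_not_renewable"]:
        out.append("keytab principal has no renewable lifetime; the producer stops authenticating at TGT "
                   "expiry (set maxrenewlife in kadmin, regenerate the keytab, re-kinit)")
    if f["zk_sasl_fallback"] or f["zk_auth_failure"]:
        out.append("kafka-acls.sh JAAS login failed; its Client section needs useTicketCache=true or a keytab, "
                   "and the SASL fallback means it would run unauthenticated if ZooKeeper allowed it")
    return out
```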