[jira] [Commented] (RANGER-2810) Kafka with Ranger plugin will fail

Sun, 17 May 2020 23:20:27 -0700 


    [ 
https://issues.apache.org/jira/browse/RANGER-2810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17109924#comment-17109924
 ] 

Pradeep Agrawal commented on RANGER-2810:
-----------------------------------------

I am able to reproduce this issue in Ranger master branch code.

*Steps to reproduce quickly :* 

1) Change maxlife of a principal to 10 minute (default is 24hours)

2) Enable ranger plugin and restart kafka.

3) Wait for 10 minute and try to run producer/consumer commands.

4) Command will fail with below error:
{code:java}
ERROR [Producer clientId=console-producer] Connection to node -1 (host:port) 
failed authentication due to: Authentication failed during authentication due 
to invalid credentials with SASL mechanism GSSAPI 
(org.apache.kafka.clients.NetworkClient){code}
*Note:* Issue is reproducible only when  authorizer.class.name is set to 
"org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer". Its 
not reproducible when authorizer.class.name is set to 
"kafka.security.authorizer.AclAuthorizer"

> Kafka with Ranger plugin will fail
> ----------------------------------
>
>                 Key: RANGER-2810
>                 URL: https://issues.apache.org/jira/browse/RANGER-2810
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: master, 2.0.0, 2.1.0
>         Environment: CentOS Linux release 7.6.1810 (Core)
> Ranger 2.0.0
>            Reporter: bright.zhou
>            Assignee: Pradeep Agrawal
>            Priority: Blocker
>
> We use Ranger plugin to admin acls of Kafka cluster. At first , everything is 
> ok, but after 10h+ of kafka start, there is something wrong occured, we can 
> see error log in kafka-root.log, the error log is `Authentication failed 
> during authentication due to xxx with SASL mechanism GSSAPI: GSS context targ 
> name protocol error: xxxxx `。To solve this we had to restart Kafka, It's so 
> strange that if i change `authorizer.class.name` to 
> `kafka.security.auth.SimpleAclAuthorizer` it will be ok . In theory, ranger 
> is related with acls and not related with SASL authentication,so i want to 
> ask for help.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to