[jira] [Comment Edited] (RANGER-2810) Kafka with Ranger plugin will fail

Mon, 29 Jun 2020 00:03:50 -0700 


    [ 
https://issues.apache.org/jira/browse/RANGER-2810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17147519#comment-17147519
 ] 

rujia edited comment on RANGER-2810 at 6/29/20, 7:02 AM:
---------------------------------------------------------

this problem is caused by kafka run without core-site.xml, and then 
kafka-plugin add OS user to principal list of subject, when the server 
principal expired, the server pricipal will be remove from principal list and 
re-append(relogin), so the OS user will be the fiest one, and then will cause 
GSSAPI error then do connection


was (Author: rujia1019):
this problem is caused by kafka run witout core-site.xml, and then kakfa-plugin 
add OS user to principal list of subject, when the server principal expired, 
the server pricipal will be remove from principal list and re-append(relogin), 
so the OS user will be the fiest one, and then will cause GSSAPI error then do 
connection

> Kafka with Ranger plugin will fail
> ----------------------------------
>
>                 Key: RANGER-2810
>                 URL: https://issues.apache.org/jira/browse/RANGER-2810
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: master, 2.0.0, 2.1.0
>         Environment: CentOS Linux release 7.6.1810 (Core)
> Ranger 2.0.0
>            Reporter: bright.zhou
>            Assignee: Pradeep Agrawal
>            Priority: Blocker
>         Attachments: image-2020-06-15-14-46-53-528.png
>
>
> We use Ranger plugin to admin acls of Kafka cluster. At first , everything is 
> ok, but after 10h+ of kafka start, there is something wrong occured, we can 
> see error log in kafka-root.log, the error log is `Authentication failed 
> during authentication due to xxx with SASL mechanism GSSAPI: GSS context targ 
> name protocol error: xxxxx `。To solve this we had to restart Kafka, It's so 
> strange that if i change `authorizer.class.name` to 
> `kafka.security.auth.SimpleAclAuthorizer` it will be ok . In theory, ranger 
> is related with acls and not related with SASL authentication,so i want to 
> ask for help.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to