[
https://issues.apache.org/jira/browse/METRON-819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15961072#comment-15961072
]
ASF GitHub Bot commented on METRON-819:
---------------------------------------
Github user nickwallen commented on the issue:
https://github.com/apache/incubator-metron/pull/507
I went through your instructions and all seemed well with the world. But
then I tried to use the `kafka-console-producer` to actually write data to
Kafka and it fails. Any ideas what the problem might be?
```
[metron@node1 ~]$ kinit -kt /etc/security/keytabs/metron.headless.keytab [email protected]
[metron@node1 ~]$ echo "foo" | kafka-console-producer.sh --broker-list node1:6667 --topic yaf --security-protocol SASL_PLAINTEXT
[2017-04-07 16:29:00,639] WARN The TGT cannot be renewed beyond the next expiry date: Sat Apr 08 16:28:58 UTC 2017.This process will not be able to authenticate new SASL connections after that time (for example, it will not be able to authenticate a new connection with a Kafka Broker). Ask your system administrator to either increase the 'renew until' time by doing : 'modprinc -maxrenewlife null ' within kadmin, or instead, to generate a keytab for null. Because the TGT's expiry cannot be further extended by refreshing, exiting refresh thread now. (org.apache.kafka.common.security.kerberos.KerberosLogin)
[2017-04-07 16:29:00,897] WARN Error while fetching metadata with correlation id 0 : {yaf=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
[2017-04-07 16:29:00,897] ERROR Error when sending message to topic yaf with key: null, value: 3 bytes with error: (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback)
org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [yaf]
```
I then tried to go back and check the Kafka ACLs and am now getting an
error. I was able to set the ACLs, but now I cannot see them.
```
[metron@node1 ~]$ kinit -kt /etc/security/keytabs/metron.headless.keytab [email protected]
[metron@node1 ~]$ kafka-acls.sh --list --topic yaf --authorizer-properties zookeeper.connect=${ZOOKEEPER}:2181
[2017-04-07 16:24:47,794] WARN Could not login: the client is being asked for a password, but the Zookeeper client code does not currently support obtaining a password from the user. Make sure that the client is configured to use a ticket cache (using the JAAS configuration setting 'useTicketCache=true)' and restart the client. If you still get this message after that, the TGT in the ticket cache has expired and must be manually refreshed. To do so, first determine if you are using a password or a keytab. If the former, run kinit in a Unix shell in the environment of the user who is running this Zookeeper client using the command 'kinit <princ>' (where <princ> is the name of the client's Kerberos principal). If the latter, do 'kinit -k -t <keytab> <princ>' (where <princ> is the name of the Kerberos principal, and <keytab> is the location of the keytab file). After manually refreshing your cache, restart this client. If you continue to see this message after manually refreshing your cache, ensure that your KDC host's clock is in sync with this host's clock. (org.apache.zookeeper.client.ZooKeeperSaslClient)
[2017-04-07 16:24:47,796] WARN SASL configuration failed: javax.security.auth.login.LoginException: No password provided Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
Error while executing ACL command: Authentication failure
org.I0Itec.zkclient.exception.ZkAuthFailedException: Authentication failure
at org.I0Itec.zkclient.ZkClient.waitForKeeperState(ZkClient.java:946)
```
> Document kafka console producer parameter for sensors with kerberos
> -------------------------------------------------------------------
>
> Key: METRON-819
> URL: https://issues.apache.org/jira/browse/METRON-819
> Project: Metron
> Issue Type: Improvement
> Reporter: Michael Miklavcic
> Assignee: Michael Miklavcic
>
> Snort and Yaf use the Kafka console producer. These sensors need an
> additional parameter to work with Kerberos.