[
https://issues.apache.org/jira/browse/KAFKA-7274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16639497#comment-16639497
]
Rajini Sivaram commented on KAFKA-7274:
---------------------------------------
[~xiaotao183] For PLAIN and SCRAM, username/password are credentials used for
establishing client connections. On the broker-side we need these options if we
are using the mechanism for inter-broker. SCRAM doesn't have any server-side
options, default PLAIN implementation has `user_xxx` options on the server-side
providing the full set of credentials.
To use SCRAM as inter-broker mechanism, the configs would be:
{code}
listeners=SASL_PLAINTEXT://:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.enabled.mechanisms=PLAIN,SCRAM-SHA-256
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256
{code}
with the JAAS config:
{code}
sasl_plaintext.KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
user_admin="admin-secret"
user_alice="alice-secret";
org.apache.kafka.common.security.scram.ScramLoginModule required
username="admin1"
password="admin-secret";
};
{code}
> Incorrect subject credential used in inter-broker communication
> ---------------------------------------------------------------
>
> Key: KAFKA-7274
> URL: https://issues.apache.org/jira/browse/KAFKA-7274
> Project: Kafka
> Issue Type: Bug
> Components: security
> Affects Versions: 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 2.0.0
> Reporter: TAO XIAO
> Priority: Major
>
> We configured one broker setup to enable multiple SASL mechanisms using JAAS
> config file but we failed to start up the broker.
>
> Here is security section of server.properties
>
> {{listeners=SASL_PLAINTEXT://:9092
> security.inter.broker.protocol=SASL_PLAINTEXT
> sasl.enabled.mechanisms=PLAIN,SCRAM-SHA-256
> sasl.mechanism.inter.broker.protocol=PLAIN}}{{}}
>
> JAAS file
>
> {noformat}
> sasl_plaintext.KafkaServer {
> org.apache.kafka.common.security.plain.PlainLoginModule required
> username="admin"
> password="admin-secret"
> user_admin="admin-secret"
> user_alice="alice-secret";
> org.apache.kafka.common.security.scram.ScramLoginModule required
> username="admin1"
> password="admin-secret";
> };{noformat}
>
> Exception we got
>
> {noformat}
> [2018-08-10 12:12:13,070] ERROR [Controller id=0, targetBrokerId=0]
> Connection to node 0 failed authentication due to: Authentication failed:
> Invalid username or password
> (org.apache.kafka.clients.NetworkClient){noformat}
>
> If we changed to use broker configuration property we can start broker
> successfully
>
> {noformat}
> listeners=SASL_PLAINTEXT://:9092
> security.inter.broker.protocol=SASL_PLAINTEXT
> sasl.enabled.mechanisms=PLAIN,SCRAM-SHA-256
> sasl.mechanism.inter.broker.protocol=PLAIN
> listener.name.sasl_plaintext.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule
> required username="admin" password="admin-secret" user_admin="admin-secret"
> user_alice="alice-secret";
> listener.name.sasl_plaintext.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule
> required username="admin1" password="admin-secret";{noformat}
>
> I believe this issue is caused by Kafka assigning all login modules to each
> defined mechanism when using JAAS file which results in Login class to add
> both username defined in each login module to the same subject
> [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/JaasContext.java#L101]
>
> [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/authenticator/LoginManager.java#L63]
>
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
