[ https://issues.apache.org/jira/browse/KAFKA-7274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16640008#comment-16640008 ]
TAO XIAO commented on KAFKA-7274:
---------------------------------

[~rsivaram] Can I assume that static JAAS config only works for multiple SASL mechanisms if and only if the username/password pair is only required by one of the mechanisms? If this is the valid case, it is better to document this limitation to make things clear.

> Incorrect subject credential used in inter-broker communication
> ---------------------------------------------------------------
>
>                 Key: KAFKA-7274
>                 URL: https://issues.apache.org/jira/browse/KAFKA-7274
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 2.0.0
>            Reporter: TAO XIAO
>            Priority: Major
>
> We configured one broker setup to enable multiple SASL mechanisms using a JAAS config file, but we failed to start up the broker.
>
> Here is the security section of server.properties
>
> {noformat}
> listeners=SASL_PLAINTEXT://:9092
> security.inter.broker.protocol=SASL_PLAINTEXT
> sasl.enabled.mechanisms=PLAIN,SCRAM-SHA-256
> sasl.mechanism.inter.broker.protocol=PLAIN{noformat}
>
> JAAS file
>
> {noformat}
> sasl_plaintext.KafkaServer {
>   org.apache.kafka.common.security.plain.PlainLoginModule required
>     username="admin"
>     password="admin-secret"
>     user_admin="admin-secret"
>     user_alice="alice-secret";
>   org.apache.kafka.common.security.scram.ScramLoginModule required
>     username="admin1"
>     password="admin-secret";
> };{noformat}
>
> Exception we got
>
> {noformat}
> [2018-08-10 12:12:13,070] ERROR [Controller id=0, targetBrokerId=0] Connection to node 0 failed authentication due to: Authentication failed: Invalid username or password (org.apache.kafka.clients.NetworkClient){noformat}
>
> If we changed to use broker configuration properties we could start the broker successfully
>
> {noformat}
> listeners=SASL_PLAINTEXT://:9092
> security.inter.broker.protocol=SASL_PLAINTEXT
> sasl.enabled.mechanisms=PLAIN,SCRAM-SHA-256
> sasl.mechanism.inter.broker.protocol=PLAIN
> listener.name.sasl_plaintext.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin-secret" user_admin="admin-secret" user_alice="alice-secret";
> listener.name.sasl_plaintext.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="admin1" password="admin-secret";{noformat}
>
> I believe this issue is caused by Kafka assigning all login modules to each defined mechanism when using a JAAS file, which results in the Login class adding both usernames defined in each login module to the same subject
> [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/JaasContext.java#L101]
>
> [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/authenticator/LoginManager.java#L63]
>

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
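The credential collision the report describes, as an added lint script (this is example code, not Kafka's own). It parses both configuration forms quoted above and models the behaviour the reporter hypothesises: with a static JAAS file every login module in the `<listener>.KafkaServer` section is initialised for every enabled mechanism, so the `username` of each module ends up as a public credential in one shared Subject, whereas the `listener.name.<listener>.<mechanism>.sasl.jaas.config` properties give each mechanism only its own module. The function names, the "first public credential is the client username" rule and the `user_<name>` lookup for PLAIN are assumptions made for the example; the sample inputs are taken from the report.

```python
"""Lint a Kafka SASL configuration for the KAFKA-7274 credential collision.

Added example, not Kafka code.  Models the behaviour described in the report:
static JAAS file -> all modules of the section share one Subject per mechanism;
per-mechanism broker properties -> one module (one Subject) per mechanism.
"""
import re
from typing import Dict, List, Set, Tuple

Module = Tuple[str, str, Dict[str, str]]  # (login module class, control flag, options)

SECTION_RE = re.compile(r"(\S+)\s*\{(.*?)\}\s*;", re.S)
ENTRY_RE = re.compile(r"(\S+)\s+(required|requisite|sufficient|optional)\b(.*?);", re.S | re.I)
OPTION_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|(\S+))')


def parse_entries(body: str) -> List[Module]:
    """Parse '<class> <flag> key="value" ...;' entries (JAAS entry syntax)."""
    modules = []
    for cls, flag, opts in ENTRY_RE.findall(body):
        options = {k: (q if q else u) for k, q, u in OPTION_RE.findall(opts)}
        modules.append((cls, flag.lower(), options))
    return modules


def parse_jaas(text: str) -> Dict[str, List[Module]]:
    """Parse a JAAS login configuration file into {section name: [modules]}."""
    return {name: parse_entries(body) for name, body in SECTION_RE.findall(text)}


def static_jaas_modules(jaas_text: str, listener: str) -> List[Module]:
    """Static JAAS file: the '<listener>.KafkaServer' section (fallback 'KafkaServer').
    Assumption from the report: all of its modules are used for every mechanism."""
    sections = parse_jaas(jaas_text)
    return sections.get(f"{listener.lower()}.KafkaServer") or sections.get("KafkaServer") or []


def property_modules(props: Dict[str, str], listener: str, mechanism: str) -> List[Module]:
    """Broker-property form: exactly one JAAS entry per (listener, mechanism)."""
    key = f"listener.name.{listener.lower()}.{mechanism.lower()}.sasl.jaas.config"
    return parse_entries(props[key]) if key in props else []


def client_usernames(modules: List[Module]) -> Set[str]:
    """Usernames the modules would add to the Subject as client-side public credentials."""
    return {opts["username"] for _, _, opts in modules if "username" in opts}


def plain_server_users(modules: List[Module]) -> Set[str]:
    """Users the PlainLoginModule's user_<name>=<password> options will accept (assumed lookup)."""
    return {k[len("user_"):] for cls, _, opts in modules if cls.endswith("PlainLoginModule")
            for k in opts if k.startswith("user_")}


def lint(modules: List[Module], mechanism: str) -> List[str]:
    """Findings for the inter-broker client Subject of one mechanism."""
    findings = []
    names = client_usernames(modules)
    if len(names) > 1:
        findings.append(f"{mechanism}: {len(names)} usernames in one Subject {sorted(names)}; "
                        "which one the client sends is ambiguous")
    if mechanism.upper() == "PLAIN":
        unknown = names - plain_server_users(modules)
        if unknown:
            findings.append(f"PLAIN: client username(s) {sorted(unknown)} have no user_<name> "
                            "entry; the broker would answer 'Invalid username or password'")
    return findings


# Constructed sample inputs, copied from the configurations quoted in the report.
STATIC_JAAS = """
sasl_plaintext.KafkaServer {
  org.apache.kafka.common.security.plain.PlainLoginModule required
    username="admin"
    password="admin-secret"
    user_admin="admin-secret"
    user_alice="alice-secret";
  org.apache.kafka.common.security.scram.ScramLoginModule required
    username="admin1"
    password="admin-secret";
};
"""

BROKER_PROPS = {
    "listener.name.sasl_plaintext.plain.sasl.jaas.config":
        'org.apache.kafka.common.security.plain.PlainLoginModule required '
        'username="admin" password="admin-secret" user_admin="admin-secret" user_alice="alice-secret";',
    "listener.name.sasl_plaintext.scram-sha-256.sasl.jaas.config":
        'org.apache.kafka.common.security.scram.ScramLoginModule required '
        'username="admin1" password="admin-secret";',
}

if __name__ == "__main__":
    for mech in ("PLAIN", "SCRAM-SHA-256"):
        print("static JAAS", mech, lint(static_jaas_modules(STATIC_JAAS, "SASL_PLAINTEXT"), mech))
        print("properties ", mech, lint(property_modules(BROKER_PROPS, "SASL_PLAINTEXT", mech), mech))
```

Run against the static JAAS file the script reports two usernames (`admin`, `admin1`) in the PLAIN Subject and flags `admin1` as having no `user_<name>` entry, which is the `Invalid username or password` outcome in the report; the property form yields one username per mechanism and no findings. The same check can be run over a production JAAS file before deployment to catch sections that combine several modules each carrying a `username`.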