[jira] [Commented] (METRON-819) Document kafka console producer parameter for sensors with kerberos
[ https://issues.apache.org/jira/browse/METRON-819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15975653#comment-15975653 ]

ASF GitHub Bot commented on METRON-819:
---

Github user nickwallen commented on the issue:

https://github.com/apache/incubator-metron/pull/507

+1 Rockin!

> Document kafka console producer parameter for sensors with kerberos
> ---
>
> Key: METRON-819
> URL: https://issues.apache.org/jira/browse/METRON-819
> Project: Metron
> Issue Type: Improvement
> Reporter: Michael Miklavcic
> Assignee: Michael Miklavcic
>
> Snort and Yaf use the Kafka console producer. These sensors need an
> additional parameter to work with Kerberos.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
[jira] [Commented] (METRON-819) Document kafka console producer parameter for sensors with kerberos
[ https://issues.apache.org/jira/browse/METRON-819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15975393#comment-15975393 ]

ASF GitHub Bot commented on METRON-819:
---

Github user mmiklavc commented on the issue:

https://github.com/apache/incubator-metron/pull/507

@nickwallen Thanks for testing the Kerberos instructions out!
[jira] [Commented] (METRON-819) Document kafka console producer parameter for sensors with kerberos
[ https://issues.apache.org/jira/browse/METRON-819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15975392#comment-15975392 ]

ASF GitHub Bot commented on METRON-819:
---

Github user mmiklavc commented on a diff in the pull request:

https://github.com/apache/incubator-metron/pull/507#discussion_r112297415

--- Diff: metron-deployment/vagrant/Kerberos-setup.md ---
@@ -221,6 +221,10 @@ curl -XGET "${ZOOKEEPER}:9200/yaf*/_count"
25. You should have data flowing from the parsers all the way through to the indexes. This completes the Kerberization instructions
+### Sensors
+
+For sensors that leverage the Kafka console producer to pipe data into Metron, e.g. Snort and Yaf, you will need to modify the corresponding sensor shell script to append the SASL security protocol property. `--security-protocol SASL_PLAINTEXT`
+
--- End diff --

Added the kinit
[jira] [Commented] (METRON-819) Document kafka console producer parameter for sensors with kerberos
[ https://issues.apache.org/jira/browse/METRON-819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15965945#comment-15965945 ]

ASF GitHub Bot commented on METRON-819:
---

Github user nickwallen commented on a diff in the pull request:

https://github.com/apache/incubator-metron/pull/507#discussion_r64016

--- Diff: metron-deployment/vagrant/Kerberos-setup.md ---
@@ -221,6 +221,10 @@ curl -XGET "${ZOOKEEPER}:9200/yaf*/_count"
25. You should have data flowing from the parsers all the way through to the indexes. This completes the Kerberization instructions
+### Sensors
+
+For sensors that leverage the Kafka console producer to pipe data into Metron, e.g. Snort and Yaf, you will need to modify the corresponding sensor shell script to append the SASL security protocol property. `--security-protocol SASL_PLAINTEXT`
+
--- End diff --

Should we call out the need to `kinit` beforehand?
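Review bot: The added `### Sensors` section in this hunk states the `--security-protocol SASL_PLAINTEXT` flag but not its prerequisites: the account running the sensor script must already hold a Kerberos ticket (a `kinit -kt <keytab> <principal>` before the producer starts, as in the transcripts elsewhere in this thread) and must have an ACL on the destination topic, or the producer fails with `TOPIC_AUTHORIZATION_FAILED` despite the flag; consider naming both before the flag. The flag itself is left as a fragment after the sentence's full stop; fold it in, e.g. `... append the SASL security protocol property \`--security-protocol SASL_PLAINTEXT\` to the kafka-console-producer invocation.` Placement is also awkward: the section follows `This completes the Kerberization instructions`, so a reader working through the numbered steps may stop before reaching it; move it ahead of that line or make it step 26.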
[jira] [Commented] (METRON-819) Document kafka console producer parameter for sensors with kerberos
[ https://issues.apache.org/jira/browse/METRON-819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15962899#comment-15962899 ]

ASF GitHub Bot commented on METRON-819:
---

Github user nickwallen commented on the issue:

https://github.com/apache/incubator-metron/pull/507

FYI I was able to get this working. Mike's docs are 100% correct; there were just a few minor steps that tripped me up (like using relative paths instead of absolute paths). I updated those just to help others avoid the same stupid user mistakes.
[jira] [Commented] (METRON-819) Document kafka console producer parameter for sensors with kerberos
[ https://issues.apache.org/jira/browse/METRON-819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15961395#comment-15961395 ]

ASF GitHub Bot commented on METRON-819:
---

Github user mattf-horton commented on the issue:

https://github.com/apache/incubator-metron/pull/507

> Is Ambari in the mix

Urm, sorry. That was old behavior; they changed it so Ambari doesn't do that any more. It prevented too many useful config tweaks. Now, ambari-agent only resets config state to match the Ambari database, at startup time and when configs in Ambari are changed.
[jira] [Commented] (METRON-819) Document kafka console producer parameter for sensors with kerberos
[ https://issues.apache.org/jira/browse/METRON-819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15961385#comment-15961385 ]

ASF GitHub Bot commented on METRON-819:
---

Github user mattf-horton commented on the issue:

https://github.com/apache/incubator-metron/pull/507

@nickwallen, this is a stab in the dark, but FWIW: Is Ambari in the mix, and is it an Ambari-managed parameter? If it's an Ambari-managed parameter, it will set back any changes you make while ambari-agent is running.
[jira] [Commented] (METRON-819) Document kafka console producer parameter for sensors with kerberos
[ https://issues.apache.org/jira/browse/METRON-819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15961136#comment-15961136 ]

ASF GitHub Bot commented on METRON-819:
---

Github user nickwallen commented on the issue:

https://github.com/apache/incubator-metron/pull/507

I think I am confusing steps (12) and (13) from your instructions or something. But something else weird is going on. I'm just not sure what. It seems like the ACLs were set and then at some point they got unset somehow. I'm going to start over and walk through it all again. Maybe I made a mistake.
[jira] [Commented] (METRON-819) Document kafka console producer parameter for sensors with kerberos
[ https://issues.apache.org/jira/browse/METRON-819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15961128#comment-15961128 ]

ASF GitHub Bot commented on METRON-819:
---

Github user nickwallen commented on the issue:

https://github.com/apache/incubator-metron/pull/507

> Anything going on in the kafka broker logs in /var/log/...?

@cestella Nothing interesting that I can find in the logs, unfortunately.
[jira] [Commented] (METRON-819) Document kafka console producer parameter for sensors with kerberos
[ https://issues.apache.org/jira/browse/METRON-819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15961124#comment-15961124 ]

ASF GitHub Bot commented on METRON-819:
---

Github user nickwallen commented on the issue:

https://github.com/apache/incubator-metron/pull/507

The issues that I am having currently are with Quick Dev. But I have actually been able to do this on a separate cluster in a slightly different way. On the other cluster, I did not use the `--group` option when setting the ACL. If I did set the group, then I had to ensure that the group matched what was used by the `kafka-console-producer`. So as a test, I granted access without the `--group`.

1. Grant access. Look ma, no group.

```
[root@node1 ~]# kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-properties zookeeper.connect=node1:2181 --add --allow-principal User:metron --topic yaf
Adding ACLs for resource `Topic:yaf`:
 	User:metron has Allow permission for operations: All from hosts: *

Current ACLs for resource `Topic:yaf`:
 	User:metron has Allow permission for operations: All from hosts: *
```

2. Validate the ACL. Looks good this time.

```
[root@node1 ~]# kafka-acls.sh --list --topic yaf --authorizer-properties zookeeper.connect=node1:2181 --authorizer kafka.security.auth.SimpleAclAuthorizer
Current ACLs for resource `Topic:yaf`:
 	User:metron has Allow permission for operations: All from hosts: *
```

3. And now I can send data successfully.

```
[root@node1 ~]# echo "foo" | kafka-console-producer.sh --broker-list node1:6667 --topic yaf --security-protocol SASL_PLAINTEXT
[2017-04-07 17:05:28,830] WARN The TGT cannot be renewed beyond the next expiry date: Sat Apr 08 16:11:26 UTC 2017.This process will not be able to authenticate new SASL connections after that time (for example, it will not be able to authenticate a new connection with a Kafka Broker). Ask your system administrator to either increase the 'renew until' time by doing : 'modprinc -maxrenewlife null ' within kadmin, or instead, to generate a keytab for null. Because the TGT's expiry cannot be further extended by refreshing, exiting refresh thread now. (org.apache.kafka.common.security.kerberos.KerberosLogin)
```
[jira] [Commented] (METRON-819) Document kafka console producer parameter for sensors with kerberos
[ https://issues.apache.org/jira/browse/METRON-819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15961119#comment-15961119 ]

ASF GitHub Bot commented on METRON-819:
---

Github user cestella commented on the issue:

https://github.com/apache/incubator-metron/pull/507

@nickwallen Anything going on in the kafka broker logs in `/var/log/...`?
[jira] [Commented] (METRON-819) Document kafka console producer parameter for sensors with kerberos
[ https://issues.apache.org/jira/browse/METRON-819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15961115#comment-15961115 ]

ASF GitHub Bot commented on METRON-819:
---

Github user nickwallen commented on the issue:

https://github.com/apache/incubator-metron/pull/507

> @mmiklavc Can you try listing and applying acls with the root user instead of metron?

Ok, sure.

1. As root, I can see the ACLs. But oddly there are none set.

```
[root@node1 ~]# kafka-acls.sh --list --topic yaf --authorizer-properties zookeeper.connect=node1:2181
Current ACLs for resource `Topic:yaf`:
```

2. Then I set the ACLs again. So this looks pretty good. Now it looks like they were set.

```
[root@node1 ~]# kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-properties zookeeper.connect=node1:2181 --add --allow-principal User:metron --group yaf_parser;
Adding ACLs for resource `Group:yaf_parser`:
 	User:metron has Allow permission for operations: All from hosts: *

Current ACLs for resource `Group:yaf_parser`:
 	User:metron has Allow permission for operations: All from hosts: *
```

3. But then if I immediately check them again, they do not exist. Weird.

```
[root@node1 ~]# kafka-acls.sh --list --topic yaf --authorizer-properties zookeeper.connect=node1:2181 --authorizer kafka.security.auth.SimpleAclAuthorizer
Current ACLs for resource `Topic:yaf`:
```
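The two ACL transcripts above differ in which Kafka resource carries the grant: the `--group yaf_parser` grant creates entries under `Group:yaf_parser`, so `--list --topic yaf` shows nothing, while the later `--topic yaf` grant is what lets the producer write. The following Python is an added example, not code from this thread or from Metron: it parses `kafka-acls.sh` listing output into per-resource entries and evaluates a principal's access the way SimpleAclAuthorizer does (a matching Deny wins, otherwise a matching Allow is required, otherwise access is denied under the broker default `allow.everyone.if.no.acl.found=false`). The sample listings are constructed to mirror the transcripts.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample listings modelled on the kafka-acls.sh output quoted in the thread.
ACL_ON_GROUP_ONLY = """\
Adding ACLs for resource `Group:yaf_parser`:
    User:metron has Allow permission for operations: All from hosts: *

Current ACLs for resource `Group:yaf_parser`:
    User:metron has Allow permission for operations: All from hosts: *
"""
ACL_ON_TOPIC = """\
Current ACLs for resource `Topic:yaf`:
    User:metron has Allow permission for operations: All from hosts: *
"""
# Constructed: an explicit Deny next to a broad Allow, to show Deny precedence.
ACL_WITH_DENY = """\
Current ACLs for resource `Topic:yaf`:
    User:metron has Allow permission for operations: All from hosts: *
    User:metron has Deny permission for operations: Write from hosts: *
"""

RESOURCE_RE = re.compile(r"ACLs for resource `([A-Za-z]+):(.+?)`:")
ENTRY_RE = re.compile(r"(?P<principal>\S+) has (?P<perm>Allow|Deny) permission for operations: "
                      r"(?P<ops>[A-Za-z,]+) from hosts: (?P<host>\S+)")

@dataclass(frozen=True)
class Acl:
    principal: str   # e.g. "User:metron"
    permission: str  # "Allow" or "Deny"
    operation: str   # e.g. "Write", "Read" or "All"
    host: str        # "*" or a specific host

def parse_acl_listing(text: str) -> Dict[Tuple[str, str], List[Acl]]:
    """Map (resource_type, resource_name) -> distinct ACL entries printed under it."""
    acls: Dict[Tuple[str, str], List[Acl]] = {}
    current = None
    for line in text.splitlines():
        res = RESOURCE_RE.search(line)
        if res:  # both "Adding ACLs for" and "Current ACLs for" open a resource block
            current = (res.group(1), res.group(2))
            acls.setdefault(current, [])
            continue
        ent = ENTRY_RE.search(line)
        if ent and current is not None:
            for op in ent.group("ops").split(","):
                acl = Acl(ent.group("principal"), ent.group("perm"), op, ent.group("host"))
                if acl not in acls[current]:
                    acls[current].append(acl)
    return acls

def is_authorized(acls, principal, resource_type, resource_name, operation, host="*"):
    """Approximate SimpleAclAuthorizer: a matching Deny wins, otherwise a matching Allow is
    required, otherwise denied (broker default allow.everyone.if.no.acl.found=false).
    Implied operations (e.g. Write implying Describe) are not modelled."""
    entries = acls.get((resource_type, resource_name), [])

    def matches(a: Acl) -> bool:
        return a.principal == principal and a.operation in (operation, "All") and a.host in ("*", host)

    if any(matches(a) for a in entries if a.permission == "Deny"):
        return False
    return any(matches(a) for a in entries if a.permission == "Allow")

def can_produce(listing: str, principal: str, topic: str) -> bool:
    """Would kafka-console-producer running as `principal` be allowed to write to `topic`?"""
    return is_authorized(parse_acl_listing(listing), principal, "Topic", topic, "Write")
```

Run against the group-only listing, `can_produce` is false for `User:metron` on `yaf`, which is the `TOPIC_AUTHORIZATION_FAILED` outcome seen further down the thread; against the topic listing it is true.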
[jira] [Commented] (METRON-819) Document kafka console producer parameter for sensors with kerberos
[ https://issues.apache.org/jira/browse/METRON-819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15961082#comment-15961082 ]

ASF GitHub Bot commented on METRON-819:
---

Github user JonZeolla commented on the issue:

https://github.com/apache/incubator-metron/pull/507

I got a very similar issue, which is why I've been holding off with #510.
[jira] [Commented] (METRON-819) Document kafka console producer parameter for sensors with kerberos
[ https://issues.apache.org/jira/browse/METRON-819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15961072#comment-15961072 ]

ASF GitHub Bot commented on METRON-819:
---

Github user nickwallen commented on the issue:

https://github.com/apache/incubator-metron/pull/507

I went through your instructions and all seemed well with the world. But then I tried to use the `kafka-console-producer` to actually write data to Kafka and it fails. Any ideas what the problem might be?

```
[metron@node1 ~]$ kinit -kt /etc/security/keytabs/metron.headless.keytab met...@example.com
[metron@node1 ~]$ echo "foo" | kafka-console-producer.sh --broker-list node1:6667 --topic yaf --security-protocol SASL_PLAINTEXT
[2017-04-07 16:29:00,639] WARN The TGT cannot be renewed beyond the next expiry date: Sat Apr 08 16:28:58 UTC 2017.This process will not be able to authenticate new SASL connections after that time (for example, it will not be able to authenticate a new connection with a Kafka Broker). Ask your system administrator to either increase the 'renew until' time by doing : 'modprinc -maxrenewlife null ' within kadmin, or instead, to generate a keytab for null. Because the TGT's expiry cannot be further extended by refreshing, exiting refresh thread now. (org.apache.kafka.common.security.kerberos.KerberosLogin)
[2017-04-07 16:29:00,897] WARN Error while fetching metadata with correlation id 0 : {yaf=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
[2017-04-07 16:29:00,897] ERROR Error when sending message to topic yaf with key: null, value: 3 bytes with error: (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback)
org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [yaf]
```

I then tried to go back and check the Kafka ACLs and am now getting an error. I was able to set the ACLs, but now I cannot see them.

```
[metron@node1 ~]$ kinit -kt /etc/security/keytabs/metron.headless.keytab met...@example.com
[metron@node1 ~]$ kafka-acls.sh --list --topic yaf --authorizer-properties zookeeper.connect=${ZOOKEEPER}:2181
[2017-04-07 16:24:47,794] WARN Could not login: the client is being asked for a password, but the Zookeeper client code does not currently support obtaining a password from the user. Make sure that the client is configured to use a ticket cache (using the JAAS configuration setting 'useTicketCache=true)' and restart the client. If you still get this message after that, the TGT in the ticket cache has expired and must be manually refreshed. To do so, first determine if you are using a password or a keytab. If the former, run kinit in a Unix shell in the environment of the user who is running this Zookeeper client using the command 'kinit ' (where is the name of the client's Kerberos principal). If the latter, do 'kinit -k -t ' (where is the name of the Kerberos principal, and is the location of the keytab file). After manually refreshing your cache, restart this client. If you continue to see this message after manually refreshing your cache, ensure that your KDC host's clock is in sync with this host's clock. (org.apache.zookeeper.client.ZooKeeperSaslClient)
[2017-04-07 16:24:47,796] WARN SASL configuration failed: javax.security.auth.login.LoginException: No password provided Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
Error while executing ACL command: Authentication failure
org.I0Itec.zkclient.exception.ZkAuthFailedException: Authentication failure
	at org.I0Itec.zkclient.ZkClient.waitForKeeperState(ZkClient.java:946)
```
[jira] [Commented] (METRON-819) Document kafka console producer parameter for sensors with kerberos
[ https://issues.apache.org/jira/browse/METRON-819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15953702#comment-15953702 ]

ASF GitHub Bot commented on METRON-819:
---

GitHub user mmiklavc opened a pull request:

https://github.com/apache/incubator-metron/pull/507

METRON-819: Document kafka console producer parameter for sensors with kerberos

Addresses https://issues.apache.org/jira/browse/METRON-819

Adds a note about adding the security protocol property to sensors leveraging the Kafka console producer.

## Pull Request Checklist

Thank you for submitting a contribution to Apache Metron (Incubating). Please refer to our [Development Guidelines](https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=61332235) for the complete guide to follow for contributions. Please refer also to our [Build Verification Guidelines](https://cwiki.apache.org/confluence/display/METRON/Verifying+Builds?show-miniview) for complete smoke testing guides.

In order to streamline the review of the contribution we ask you follow these guidelines and ask you to double check the following:

### For all changes:
- [x] Is there a JIRA ticket associated with this PR? If not, one needs to be created at [Metron Jira](https://issues.apache.org/jira/browse/METRON/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel).
- [x] Does your PR title start with METRON- where is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
- [x] Has your PR been rebased against the latest commit within the target branch (typically master)?

### For documentation related changes:
- [X] Have you ensured that format looks appropriate for the output in which it is rendered by building and verifying the site-book? If not, then run the following commands and then verify the changes via `site-book/target/site/index.html`:
  ```
  cd site-book
  bin/generate-md.sh
  mvn site:site
  ```

Note: Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible. It is also recommended that [travis-ci](https://travis-ci.org) is set up for your personal repository such that your branches are built there before submitting a pull request.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/mmiklavc/incubator-metron METRON-819

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/incubator-metron/pull/507.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #507

commit fb911d942d795e03cb171ec2963e962490355512
Author: Michael Miklavcic
Date:   2017-04-03T15:58:21Z

    METRON-819: Document kafka console producer parameter for sensors with kerberos