[
https://issues.apache.org/jira/browse/RANGER-2810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17135500#comment-17135500
]
F5 commented on RANGER-2810:
----------------------------
Same problem.
I deploy zookeeper kafka ranger on k8s, without hadoop.
{{This bug produced after the first time kerberos ticket expired.}}
h2. Versions info:
ranger 2.0.0
cloudera kafka-2.1.0-kafka4.0.0
zookeeper 3.14.13
h2. Error log (with desensitized):
{code:java}
[2020-06-11 03:25:31,476] DEBUG Set SASL server state to FAILED
(org.apache.kafka.common.security.authenticator.SaslServerAuthenticator)
[2020-06-11 03:25:31,476] DEBUG [SocketServer brokerId=0] Connection with
/10.11.12.13 disconnected due to authentication exception
(org.apache.kafka.common.network.Selector)
org.apache.kafka.common.network.DelayedResponseAuthenticationException:
org.apache.kafka.common.errors.SaslAuthenticationException: Authentication
failed due to invalid credentials with SASL mechanism GSSAPI
Caused by: org.apache.kafka.common.errors.SaslAuthenticationException:
Authentication failed due to invalid credentials with SASL mechanism GSSAPI
Caused by: javax.security.sasl.SaslException: GSS context targ name protocol
error: kafka-cloud/kafka-cloud.xxx....@xxx.com
at
jdk.security.jgss/com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:188)
at
org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.handleSaslToken(SaslServerAuthenticator.java:375)
at
org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.authenticate(SaslServerAuthenticator.java:256)
at
org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:132)
at
org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:532)
at org.apache.kafka.common.network.Selector.poll(Selector.java:467)
at kafka.network.Processor.poll(SocketServer.scala:689)
at kafka.network.Processor.run(SocketServer.scala:594)
at java.base/java.lang.Thread.run(Thread.java:835)
{code}
{code:java}
[2020-06-01 02:32:19,613] DEBUG Set SASL client state to INTERMEDIATE
(org.apache.kafka.common.security.authenticator.SaslClientAuthenticator)
[2020-06-01 02:32:19,615] DEBUG Set SASL client state to FAILED
(org.apache.kafka.common.security.authenticator.SaslClientAuthenticator)
[2020-06-01 02:32:19,615] DEBUG [ReplicaFetcher replicaId=0, leaderId=1,
fetcherId=0] Connection with kafka-cloud.xxx.com/10.11.12.13 disconnected due
to authentication exception (org.apache.kafka.common.network.Selector)
org.apache.kafka.common.network.DelayedResponseAuthenticationException:
org.apache.kafka.common.errors.SaslAuthenticationException: Authentication
failed due to invalid credentials with SASL mechanism GSSAPI
Caused by: org.apache.kafka.common.errors.SaslAuthenticationException:
Authentication failed due to invalid credentials with SASL mechanism GSSAPI
[2020-06-01 02:32:19,615] DEBUG [ReplicaFetcher replicaId=0, leaderId=1,
fetcherId=0] Node 1 disconnected. (org.apache.kafka.clients.NetworkClient)
[2020-06-01 02:32:19,615] DEBUG An authentication error occurred in
broker-to-broker communication. (org.apache.kafka.clients.ManualMetadataUpdater)
org.apache.kafka.common.errors.SaslAuthenticationException: Authentication
failed due to invalid credentials with SASL mechanism GSSAPI
[2020-06-01 02:32:19,615] ERROR [ReplicaFetcher replicaId=0, leaderId=1,
fetcherId=0] Connection to node 1 (kafka-cloud.xxx.com/10.11.12.13:32121)
failed authentication due to: Authentication failed due to invalid credentials
with SASL mechanism GSSAPI (org.apache.kafka.clients.NetworkClient)
[2020-06-01 02:32:19,615] INFO [ReplicaFetcher replicaId=0, leaderId=1,
fetcherId=0] Error sending fetch request (sessionId=INVALID, epoch=INITIAL) to
node 1: org.apache.kafka.common.errors.SaslAuthenticationException:
Authentication failed due to invalid credentials with SASL mechanism GSSAPI.
(org.apache.kafka.clients.FetchSessionHandler)
{code}
h2. Temporary solution
First, the user in kafka Dockerfile is [app].
I find this log:
{code:java}
[2020-06-15 02:26:09,704] DEBUG Creating SaslServer for app with mechanism
GSSAPI
(org.apache.kafka.common.security.authenticator.SaslServerAuthenticator){code}
My kafka principal is kafka-cloud/kafka-cloud.xxx....@xxx.com.
*Solved by set* *kafka* *Dockerfile user same as principal name [kafka-cloud].*
h2. Analysis
I think it's still a bug of ranger-kafka-plugin, It can't reproduced when
disable plugin.
Lookup kafka soource code:
/kafka/clients/src/main/java/org/apache/kafka/common/security/authenticator/SaslServerAuthenticator.java
The ranger plugin seems to modify the firstPrincipal in subject caused the
bug.
!image-2020-06-15-14-46-53-528.png!
> Kafka with Ranger plugin will fail
> ----------------------------------
>
> Key: RANGER-2810
> URL: https://issues.apache.org/jira/browse/RANGER-2810
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: master, 2.0.0, 2.1.0
> Environment: CentOS Linux release 7.6.1810 (Core)
> Ranger 2.0.0
> Reporter: bright.zhou
> Assignee: Pradeep Agrawal
> Priority: Blocker
> Attachments: image-2020-06-15-14-46-53-528.png
>
>
> We use Ranger plugin to admin acls of Kafka cluster. At first , everything is
> ok, but after 10h+ of kafka start, there is something wrong occured, we can
> see error log in kafka-root.log, the error log is `Authentication failed
> during authentication due to xxx with SASL mechanism GSSAPI: GSS context targ
> name protocol error: xxxxx `。To solve this we had to restart Kafka, It's so
> strange that if i change `authorizer.class.name` to
> `kafka.security.auth.SimpleAclAuthorizer` it will be ok . In theory, ranger
> is related with acls and not related with SASL authentication,so i want to
> ask for help.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
