[ https://issues.apache.org/jira/browse/RANGER-2810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17135500#comment-17135500 ]
F5 commented on RANGER-2810:
----------------------------

Same problem. I deploy ZooKeeper, Kafka and Ranger on k8s, without Hadoop.

{{This bug is produced after the first time the Kerberos ticket expires.}}

h2. Versions info:

ranger 2.0.0
cloudera kafka-2.1.0-kafka4.0.0
zookeeper 3.14.13

h2. Error log (desensitized):

{code:java}
[2020-06-11 03:25:31,476] DEBUG Set SASL server state to FAILED (org.apache.kafka.common.security.authenticator.SaslServerAuthenticator)
[2020-06-11 03:25:31,476] DEBUG [SocketServer brokerId=0] Connection with /10.11.12.13 disconnected due to authentication exception (org.apache.kafka.common.network.Selector)
org.apache.kafka.common.network.DelayedResponseAuthenticationException: org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed due to invalid credentials with SASL mechanism GSSAPI
Caused by: org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed due to invalid credentials with SASL mechanism GSSAPI
Caused by: javax.security.sasl.SaslException: GSS context targ name protocol error: kafka-cloud/kafka-cloud.xxx....@xxx.com
	at jdk.security.jgss/com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:188)
	at org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.handleSaslToken(SaslServerAuthenticator.java:375)
	at org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.authenticate(SaslServerAuthenticator.java:256)
	at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:132)
	at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:532)
	at org.apache.kafka.common.network.Selector.poll(Selector.java:467)
	at kafka.network.Processor.poll(SocketServer.scala:689)
	at kafka.network.Processor.run(SocketServer.scala:594)
	at java.base/java.lang.Thread.run(Thread.java:835)
{code}

{code:java}
[2020-06-01 02:32:19,613] DEBUG Set SASL client state to INTERMEDIATE (org.apache.kafka.common.security.authenticator.SaslClientAuthenticator)
[2020-06-01 02:32:19,615] DEBUG Set SASL client state to FAILED (org.apache.kafka.common.security.authenticator.SaslClientAuthenticator)
[2020-06-01 02:32:19,615] DEBUG [ReplicaFetcher replicaId=0, leaderId=1, fetcherId=0] Connection with kafka-cloud.xxx.com/10.11.12.13 disconnected due to authentication exception (org.apache.kafka.common.network.Selector)
org.apache.kafka.common.network.DelayedResponseAuthenticationException: org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed due to invalid credentials with SASL mechanism GSSAPI
Caused by: org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed due to invalid credentials with SASL mechanism GSSAPI
[2020-06-01 02:32:19,615] DEBUG [ReplicaFetcher replicaId=0, leaderId=1, fetcherId=0] Node 1 disconnected. (org.apache.kafka.clients.NetworkClient)
[2020-06-01 02:32:19,615] DEBUG An authentication error occurred in broker-to-broker communication. (org.apache.kafka.clients.ManualMetadataUpdater)
org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed due to invalid credentials with SASL mechanism GSSAPI
[2020-06-01 02:32:19,615] ERROR [ReplicaFetcher replicaId=0, leaderId=1, fetcherId=0] Connection to node 1 (kafka-cloud.xxx.com/10.11.12.13:32121) failed authentication due to: Authentication failed due to invalid credentials with SASL mechanism GSSAPI (org.apache.kafka.clients.NetworkClient)
[2020-06-01 02:32:19,615] INFO [ReplicaFetcher replicaId=0, leaderId=1, fetcherId=0] Error sending fetch request (sessionId=INVALID, epoch=INITIAL) to node 1: org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed due to invalid credentials with SASL mechanism GSSAPI. (org.apache.kafka.clients.FetchSessionHandler)
{code}

h2. Temporary solution

First, the user in the Kafka Dockerfile is [app]. I found this log:

{code:java}
[2020-06-15 02:26:09,704] DEBUG Creating SaslServer for app with mechanism GSSAPI (org.apache.kafka.common.security.authenticator.SaslServerAuthenticator)
{code}

My Kafka principal is kafka-cloud/kafka-cloud.xxx....@xxx.com.

*Solved by setting the Kafka Dockerfile user to the same name as the principal name [kafka-cloud].*

h2. Analysis

I think it's still a bug of ranger-kafka-plugin; it can't be reproduced when the plugin is disabled.

Looking up the Kafka source code: /kafka/clients/src/main/java/org/apache/kafka/common/security/authenticator/SaslServerAuthenticator.java

The Ranger plugin seems to modify the firstPrincipal in the Subject, which causes the bug.

!image-2020-06-15-14-46-53-528.png!

> Kafka with Ranger plugin will fail
> ----------------------------------
>
>                 Key: RANGER-2810
>                 URL: https://issues.apache.org/jira/browse/RANGER-2810
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: master, 2.0.0, 2.1.0
>         Environment: CentOS Linux release 7.6.1810 (Core)
> Ranger 2.0.0
>            Reporter: bright.zhou
>            Assignee: Pradeep Agrawal
>            Priority: Blocker
>         Attachments: image-2020-06-15-14-46-53-528.png
>
>
> We use the Ranger plugin to admin ACLs of the Kafka cluster. At first, everything is
> ok, but after 10h+ of Kafka start, something wrong occurred; we can
> see an error log in kafka-root.log, the error log is `Authentication failed
> during authentication due to xxx with SASL mechanism GSSAPI: GSS context targ
> name protocol error: xxxxx`. To solve this we had to restart Kafka. It's so
> strange that if I change `authorizer.class.name` to
> `kafka.security.auth.SimpleAclAuthorizer` it will be ok. In theory, Ranger
> is related to ACLs and not related to SASL authentication, so I want to
> ask for help.
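The comment above ties the failure to which principal the broker reads out of its JAAS Subject: the "Creating SaslServer for app" line shows the OS user name being used as the GSSAPI service name instead of the kafka-cloud/... Kerberos principal, so a client asking for kafka-cloud/host gets "GSS context targ name protocol error". The program below is an added illustration and is not code from Kafka or the Ranger plugin: it re-implements, in simplified form, a "first principal wins" selection like the firstPrincipal the comment refers to, shows how an OS-user principal ordered before the KerberosPrincipal changes the service name, and contrasts it with a type-based selection an operator could use as a health check. The regex, the helper names and the example.com principal are assumptions constructed for this demonstration.

```java
import java.security.Principal;
import java.util.Iterator;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;

import com.sun.security.auth.UnixPrincipal;

/**
 * Demonstrates why principal ordering in the broker's JAAS Subject decides the
 * GSSAPI service name. Simplified re-implementation for illustration only;
 * not the code of Kafka or the Ranger plugin.
 */
public class SaslServerPrincipalCheck {

    // Assumed shape "service[/host]@REALM". A name that does not match is treated
    // as a bare service name without host, which is what "app" would be.
    private static final Pattern KERBEROS_NAME =
            Pattern.compile("([^/@]*)(/([^/@]*))?@([^/@]*)");

    /** "First principal wins": whatever sits first in the Subject is used. */
    static String firstPrincipalName(Subject subject) {
        Set<Principal> principals = subject.getPrincipals();
        synchronized (principals) {
            Iterator<Principal> it = principals.iterator();
            if (it.hasNext()) {
                return it.next().getName();
            }
        }
        throw new IllegalArgumentException("No principals found in the subject");
    }

    /** Hardened selection: pick the KerberosPrincipal by type, ignoring OS-user principals. */
    static String kerberosPrincipalName(Subject subject) {
        Set<KerberosPrincipal> kps = subject.getPrincipals(KerberosPrincipal.class);
        if (kps.size() != 1) {
            throw new IllegalStateException(
                    "Expected exactly one KerberosPrincipal in the Subject, found " + kps.size());
        }
        return kps.iterator().next().getName();
    }

    /** Splits a principal name into {service, host}; host is null for bare names. */
    static String[] serviceAndHost(String principalName) {
        Matcher m = KERBEROS_NAME.matcher(principalName);
        if (!m.matches()) {
            return new String[] {principalName, null};
        }
        return new String[] {m.group(1), m.group(3)};
    }

    /** Health check: true only if the principal a first-wins selection would pick is a Kerberos one. */
    static boolean firstPrincipalIsKerberos(Subject subject) {
        Set<Principal> principals = subject.getPrincipals();
        synchronized (principals) {
            Iterator<Principal> it = principals.iterator();
            return it.hasNext() && it.next() instanceof KerberosPrincipal;
        }
    }

    public static void main(String[] args) {
        // Constructed sample Subject: an OS-user principal for "app" was added before
        // the Kerberos principal, mimicking the Dockerfile user named in the comment.
        Subject subject = new Subject();
        subject.getPrincipals().add(new UnixPrincipal("app"));
        subject.getPrincipals().add(
                new KerberosPrincipal("kafka-cloud/kafka-cloud.example.com@EXAMPLE.COM"));

        String[] naive = serviceAndHost(firstPrincipalName(subject));
        System.out.println("first-principal selection    -> service=" + naive[0]
                + " host=" + naive[1]);

        String[] hardened = serviceAndHost(kerberosPrincipalName(subject));
        System.out.println("kerberos-principal selection -> service=" + hardened[0]
                + " host=" + hardened[1]);

        System.out.println("first principal is Kerberos: " + firstPrincipalIsKerberos(subject));
    }
}
```

With the OS-user principal first, the first-wins path yields the bare service name "app" with no host, which cannot match a client's kafka-cloud/host target; selecting by KerberosPrincipal type yields the intended service and host regardless of insertion order. The same type check, run against the broker's live Subject after a ticket renewal, would surface the condition the comment describes before clients start failing.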