Hi,
So we specifically kept the consumers to world writable in secure
mode. This is to allow ZooKeeper-based consumers to create their own child
nodes under /consumers, and they can add their own SASL-based ACLs on top of
it. From the looks of it, in case of a ZooKeeper digest-based connection it
expects all the nodes to have an ACL on them. This could be an issue with
the ZkClient that we use, or we need to navigate this case differently. Can you
file a JIRA for this?

Thanks,
Harsha

On Thu, Jul 7, 2016 at 10:48 PM Vipul Sharma <vipulsharma2...@gmail.com>
wrote:

> I am running zookeeper and kafka on local machine.
> This is the user permission on zookeeper
> [zk: localhost:2181(CONNECTED) 0] getAcl /
> 'digest,'broker:TqgUewyrgBbYEWTfsNStYmIfD2Q=
> : cdrwa
>
> I am using the same user in kafka to connect to this local zookeeper
>
> /usr/lib/jvm/java-8-oracle-amd64/bin/java -Xmx200m -Xms200m
> -Djava.security.auth.login.config=/opt/kafka/config/jaas.conf -server
> -Djava.awt.headless=true -XX:PermSize=48m -XX:MaxPermSize=48m -XX:+UseG1GC
> -XX:MaxGCPauseMillis=20 -XX:InitiatingHeapOccupancyPercent=35
> -Xloggc:/var/log/kafka/kafka-gc.log -XX:+PrintGCDateStamps
> -XX:+PrintGCTimeStamps -Dcom.sun.management.jmxremote
> -Dcom.sun.management.jmxremote.authenticate=false
> -Dcom.sun.management.jmxremote.ssl=false
> -Dcom.sun.management.jmxremote.port=9999
> -Dkafka.logs.dir=/opt/kafka/bin/../logs
> -Dlog4j.configuration=file:/opt/kafka/config/log4j.properties -cp
> :/opt/kafka/bin/../libs/* kafka.Kafka /opt/kafka/config/server.properties
>
> root@default-ubuntu-1404:~# cat /opt/kafka/config/jaas.conf
> Client {
>        org.apache.zookeeper.server.auth.DigestLoginModule required
>        username=broker
>        password=password;
> };
>
>
> The kafka start fails with these logs
>
> [2016-07-08 05:43:32,326] INFO Client
> environment:java.library.path=/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
> (org.apache.zookeeper.ZooKeeper)
> [2016-07-08 05:43:32,327] INFO Client environment:java.io.tmpdir=/tmp
> (org.apache.zookeeper.ZooKeeper)
> [2016-07-08 05:43:32,327] INFO Client environment:java.compiler=<NA>
> (org.apache.zookeeper.ZooKeeper)
> [2016-07-08 05:43:32,327] INFO Client environment:os.name=Linux
> (org.apache.zookeeper.ZooKeeper)
> [2016-07-08 05:43:32,328] INFO Client environment:os.arch=amd64
> (org.apache.zookeeper.ZooKeeper)
> [2016-07-08 05:43:32,328] INFO Client
> environment:os.version=4.2.0-35-generic (org.apache.zookeeper.ZooKeeper)
> [2016-07-08 05:43:32,328] INFO Client environment:user.name=root
> (org.apache.zookeeper.ZooKeeper)
> [2016-07-08 05:43:32,329] INFO Client environment:user.home=/root
> (org.apache.zookeeper.ZooKeeper)
> [2016-07-08 05:43:32,329] INFO Client environment:user.dir=/root
> (org.apache.zookeeper.ZooKeeper)
> [2016-07-08 05:43:32,330] INFO Initiating client connection,
> connectString=default-ubuntu-1404:2181,localhost:2181 sessionTimeout=6000
> watcher=org.I0Itec.zkclient.ZkClient@bef2d72
> (org.apache.zookeeper.ZooKeeper)
> [2016-07-08 05:43:32,359] INFO Waiting for keeper state SaslAuthenticated
> (org.I0Itec.zkclient.ZkClient)
> [2016-07-08 05:43:32,362] INFO successfully logged in.
> (org.apache.zookeeper.Login)
> [2016-07-08 05:43:32,363] INFO Client will use DIGEST-MD5 as SASL
> mechanism. (org.apache.zookeeper.client.ZooKeeperSaslClient)
> [2016-07-08 05:43:32,507] INFO Opening socket connection to server
> localhost/0:0:0:0:0:0:0:1:2181. Will attempt to SASL-authenticate using
> Login Context section 'Client' (org.apache.zookeeper.ClientCnxn)
> [2016-07-08 05:43:32,519] INFO Socket connection established to
> localhost/0:0:0:0:0:0:0:1:2181, initiating session
> (org.apache.zookeeper.ClientCnxn)
> [2016-07-08 05:43:32,537] INFO Session establishment complete on server
> localhost/0:0:0:0:0:0:0:1:2181, sessionid = 0x155c8e99f690005, negotiated
> timeout = 6000 (org.apache.zookeeper.ClientCnxn)
> [2016-07-08 05:43:32,541] INFO zookeeper state changed (SyncConnected)
> (org.I0Itec.zkclient.ZkClient)
> [2016-07-08 05:43:32,564] INFO zookeeper state changed (SaslAuthenticated)
> (org.I0Itec.zkclient.ZkClient)
> [2016-07-08 05:43:32,614] FATAL Fatal error during KafkaServer startup.
> Prepare to shutdown (kafka.server.KafkaServer)
> org.I0Itec.zkclient.exception.ZkException:
> org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode =
> NoAuth for /consumers
> at org.I0Itec.zkclient.exception.ZkException.create(ZkException.java:68)
> at org.I0Itec.zkclient.ZkClient.retryUntilConnected(ZkClient.java:1000)
> at org.I0Itec.zkclient.ZkClient.create(ZkClient.java:527)
> at org.I0Itec.zkclient.ZkClient.createPersistent(ZkClient.java:293)
> at kafka.utils.ZkPath$.createPersistent(ZkUtils.scala:938)
> at kafka.utils.ZkUtils.makeSurePersistentPathExists(ZkUtils.scala:340)
> at kafka.utils.ZkUtils$$anonfun$setupCommonPaths$1.apply(ZkUtils.scala:175)
> at kafka.utils.ZkUtils$$anonfun$setupCommonPaths$1.apply(ZkUtils.scala:174)
> at scala.collection.immutable.List.foreach(List.scala:381)
> at kafka.utils.ZkUtils.setupCommonPaths(ZkUtils.scala:174)
> at kafka.server.KafkaServer.initZk(KafkaServer.scala:298)
> at kafka.server.KafkaServer.startup(KafkaServer.scala:180)
> at kafka.server.KafkaServerStartable.startup(KafkaServerStartable.scala:37)
> at kafka.Kafka$.main(Kafka.scala:67)
> at kafka.Kafka.main(Kafka.scala)
> Caused by: org.apache.zookeeper.KeeperException$NoAuthException:
> KeeperErrorCode = NoAuth for /consumers
> at org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
> at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
> at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783)
> at org.I0Itec.zkclient.ZkConnection.create(ZkConnection.java:99)
> at org.I0Itec.zkclient.ZkClient$3.call(ZkClient.java:530)
> at org.I0Itec.zkclient.ZkClient$3.call(ZkClient.java:527)
> at org.I0Itec.zkclient.ZkClient.retryUntilConnected(ZkClient.java:990)
> ... 13 more
> [2016-07-08 05:43:32,627] INFO shutting down (kafka.server.KafkaServer)
> [2016-07-08 05:43:32,639] INFO shut down completed
> (kafka.server.KafkaServer)
> [2016-07-08 05:43:32,640] FATAL Fatal error during KafkaServerStartable
> startup. Prepare to shutdown (kafka.server.KafkaServerStartable)
>
>
> Why is the broker user not able to create the child znodes even though it has
> create permissions?
> I have been stuck on this for a day. Please help.
>
> Regards
> Vipul Sharma
>
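
Added example, not part of either message and not Kafka or ZooKeeper code: a simplified model of ZooKeeper's znode ACL check, applied to the `getAcl /` output quoted above. It assumes a SASL login is recorded on the session as scheme `sasl` with the user name as id, and an `addauth digest` login as scheme `digest` with id `user:base64(sha1(user:password))`; the function names and session sets are constructed for illustration.

```python
import base64
import hashlib
import re

# ZooKeeper permission bits (READ, WRITE, CREATE, DELETE, ADMIN).
PERMS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}

def digest_id(user, password):
    """Id stored in a 'digest' ACL: user:base64(sha1("user:password")).
    Compare it with the getAcl id to confirm which credentials the ACL was set with."""
    raw = hashlib.sha1(f"{user}:{password}".encode()).digest()
    return f"{user}:{base64.b64encode(raw).decode()}"

def parse_getacl(text):
    """Parse zkCli `getAcl` output into [(scheme, id, perm_bits), ...]."""
    acl = []
    for scheme, ident, perms in re.findall(r"'(\w+),'(\S+)\s*:\s*([cdrwa]+)", text):
        bits = 0
        for p in perms:
            bits |= PERMS[p]
        acl.append((scheme, ident, bits))
    return acl

def allowed(acl, session_ids, perm):
    """True if an ACL entry granting `perm` matches one of the session's identities."""
    for scheme, ident, bits in acl:
        if not bits & PERMS[perm]:
            continue
        if (scheme, ident) == ("world", "anyone"):
            return True
        # Scheme and id must both match; sasl:broker is not digest:broker:<hash>.
        if (scheme, ident) in session_ids:
            return True
    return False

def can_create_child(parent_acl, session_ids):
    # Creating /consumers requires CREATE ("c") on its parent, "/".
    return allowed(parent_acl, session_ids, "c")

# ACL of "/" exactly as shown in the thread's getAcl output.
ROOT_ACL = parse_getacl("'digest,'broker:TqgUewyrgBbYEWTfsNStYmIfD2Q=\n: cdrwa")

# Constructed session identities (assumptions, see the lead-in).
SASL_SESSION = {("sasl", "broker")}
DIGEST_SESSION = {("digest", "broker:TqgUewyrgBbYEWTfsNStYmIfD2Q=")}

if __name__ == "__main__":
    print("sasl:broker          ->", can_create_child(ROOT_ACL, SASL_SESSION))
    print("digest:broker:<hash> ->", can_create_child(ROOT_ACL, DIGEST_SESSION))
```

In this model the same user name under a different scheme does not satisfy the ACL, so the scheme printed by `getAcl` is worth checking alongside the permission string.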
