Hi all,

I have 3-node ZK and Kafka clusters. I have secured ZK with SASL. I got
the keytabs done for my brokers and they can connect to the ZK ensemble
just fine with no issues. All gravy!

Now, I am trying to set ACLs using the kafka-acls.sh CLI. Before that, I
did export the KAFKA_OPTS using the following command:


  export KAFKA_OPTS="-Djava.security.auth.login.config=<path>/kafka_server_jaas.conf \
    -Djavax.net.debug=all -Dsun.security.krb5.debug=true \
    -Djavax.net.debug=all -Dsun.security.krb5.debug=true \
    -Djava.security.krb5.conf=<path to krb conf>/krb5.conf"

I enabled extra debugging too. The JAAS file has the following info:

KafkaServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/etc/<hostname>+kafka.keytab"
    principal="kafka/<hostname>@MY_DOMAIN";
};
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    useTicketCache=true
    storeKey=true
    keyTab="/etc/<hostname>+kafka.keytab"
    principal="kafka/<hostname>@MY_DOMAIN";
};

Note that I enabled useTicketCache in the client section.

I know that my krb5.conf file is good since the brokers are healthy and
consumer/producers are able to do their work.

Two scenarios:

1. When I enable useTicketCache=true, I get the following error:

  Aug 08, 2016 8:42:46 PM org.apache.zookeeper.ClientCnxn$SendThread startConnect
  WARNING: SASL configuration failed: javax.security.auth.login.LoginException: No key to store
  Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it.

I execute "kinit kafka/<hostname>@<MY_DOMAIN> -k -t /etc/<hostname>+kafka.keytab"
on the same shell where I run the .sh CLI tool.
2. When I remove useTicketCache, I get the following error:

  Aug 08, 2016 9:03:38 PM org.apache.zookeeper.ZooKeeper close
  INFO: Session: 0x356621f18f70009 closed
  Error while executing ACL command: org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /kafka-acl/Topic
  Aug 08, 2016 9:03:38 PM org.apache.zookeeper.ClientCnxn$EventThread run
  INFO: EventThread shut down
  org.I0Itec.zkclient.exception.ZkException: org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /kafka-acl/Topic
          at org.I0Itec.zkclient.exception.ZkException.create(ZkException.java:68)


Here is the command I run to set the ACLs in all cases:

  ./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=<zk-host>:2181 \
    --add --allow-principal User:Bob --producer --topic ssl-topic


I use Kafka 0.9.0.1. Note that I am using the same keytabs that my Brokers
(Kafka services) are using.


Any ideas what I am doing wrong or what I should do differently to get ACLs
set?

Thanks,
Derar
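Added example (mine, not the poster's code or anything from Kafka itself): a small Python parser and lint for a JAAS file of the shape shown in the post. It checks that the "Client" login context exists, since that is the section the ZooKeeper client reads by default and without it the CLI falls back to an unauthenticated ZooKeeper connection, and it flags useTicketCache=true combined with storeKey=true in a Krb5LoginModule entry, which is the option combination that scenario 1 above reports failing with "No key to store" (the module takes the TGT from the credential cache and then has no key material to store). The sample JAAS text is constructed from the post; the keytab path and principal are placeholders, as in the post.

```python
"""Added example (not from the original post): parse a JAAS login
configuration and lint Krb5LoginModule options for the combination the
post's first scenario reports failing.  The sample is constructed from
the post; paths and principal are placeholders, as in the post."""
import re
from typing import Dict, List

# Constructed sample: the poster's JAAS file with the <placeholders> left in.
SAMPLE_JAAS = """
KafkaServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/etc/<hostname>+kafka.keytab"
    principal="kafka/<hostname>@MY_DOMAIN";
};
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    useTicketCache=true
    storeKey=true
    keyTab="/etc/<hostname>+kafka.keytab"
    principal="kafka/<hostname>@MY_DOMAIN";
};
"""

# Name { ... };  -- one login context per section.
SECTION_RE = re.compile(r"(\w+)\s*\{(.*?)\};", re.S)
# <module class> <control flag> <options...>;  -- one entry per login module.
ENTRY_RE = re.compile(
    r"([\w.$]+)\s+(required|requisite|sufficient|optional)\b(.*?);", re.S)
# key=value, where value is either "quoted" or a bare token such as true.
OPTION_RE = re.compile(r'([\w.]+)\s*=\s*("[^"]*"|\S+)')


def parse_jaas(text: str) -> Dict[str, List[dict]]:
    """Return {section name: [{"module", "flag", "options"}, ...]}."""
    sections: Dict[str, List[dict]] = {}
    for name, body in SECTION_RE.findall(text):
        entries = []
        for module, flag, opts in ENTRY_RE.findall(body):
            options = {k: v.strip('"') for k, v in OPTION_RE.findall(opts)}
            entries.append({"module": module, "flag": flag, "options": options})
        sections[name] = entries
    return sections


def lint_jaas(sections: Dict[str, List[dict]]) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    # The ZooKeeper client looks up the "Client" login context by default;
    # without it the CLI falls back to an unauthenticated ZooKeeper session.
    if "Client" not in sections:
        findings.append("no 'Client' section: the ZooKeeper client would "
                        "connect without SASL")
    for name, entries in sections.items():
        for entry in entries:
            if not entry["module"].endswith("Krb5LoginModule"):
                continue
            opts = entry["options"]
            # With useTicketCache=true the TGT comes from the credential cache,
            # so storeKey=true has no key to keep: "No key to store"
            # (the post's scenario 1).
            if opts.get("useTicketCache") == "true" and opts.get("storeKey") == "true":
                findings.append(f"{name}: useTicketCache=true together with "
                                f"storeKey=true fails with 'No key to store' "
                                f"when the TGT comes from the ticket cache")
    return findings


if __name__ == "__main__":
    for finding in lint_jaas(parse_jaas(SAMPLE_JAAS)):
        print("FINDING:", finding)
    # The same file with the ticket cache disabled in Client lints clean.
    fixed = SAMPLE_JAAS.replace("useTicketCache=true", "useTicketCache=false")
    print("fixed file findings:", lint_jaas(parse_jaas(fixed)))
```

Run it against a real JAAS file with `lint_jaas(parse_jaas(open(path).read()))`; the parser only handles the `Name { module flag key=value ...; };` form seen in the post and does not cover JAAS comments or multiple values per key.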
