Just for the record. The Kafka/ZK clusters were in a bad state that caused this issue. I nuked the data dirs both ZK and Kafka and things work fine. Unfortunately, I couldn't reproduce the error.
On Mon, Aug 8, 2016 at 5:10 PM, BigData dev <bigdatadev...@gmail.com> wrote:
> Hi,
> I think the jaas config file needs to be changed.
>
> Client {
>   com.sun.security.auth.module.Krb5LoginModule required
>   useKeyTab=true
>   keyTab="/etc/security/keytabs/kafka.service.keytab"
>   storeKey=true
>   useTicketCache=false
>   serviceName="zookeeper"
>   principal="kafka/hostname.abc....@abc.com";
> };
>
> You can follow the blog which provides complete steps for Kafka ACLs:
>
> https://developer.ibm.com/hadoop/2016/07/20/kafka-acls/
>
> Thanks,
> Bharat
>
> On Mon, Aug 8, 2016 at 2:08 PM, Derar Alassi <derar.ala...@gmail.com> wrote:
>
> > Hi all,
> >
> > I have 3-node ZK and Kafka clusters. I have secured ZK with SASL. I got
> > the keytabs done for my brokers and they can connect to the ZK ensemble
> > just fine with no issues. All gravy!
> >
> > Now, I am trying to set ACLs using the kafka-acls.sh CLI. Before that, I
> > did export the KAFKA_OPTS using the following command:
> >
> > export KAFKA_OPTS="-Djava.security.auth.login.config=<path>/kafka_server_jaas.conf
> >   -Djavax.net.debug=all -Dsun.security.krb5.debug=true -Djavax.net.debug=all
> >   -Dsun.security.krb5.debug=true -Djava.security.krb5.conf=<path to krb conf>/krb5.conf"
> >
> > I enabled extra debugging too. The JAAS file has the following info:
> >
> > KafkaServer {
> >   com.sun.security.auth.module.Krb5LoginModule required
> >   useKeyTab=true
> >   storeKey=true
> >   keyTab="/etc/<hostname>+kafka.keytab"
> >   principal="kafka/<hostname>@MY_DOMAIN";
> > };
> > Client {
> >   com.sun.security.auth.module.Krb5LoginModule required
> >   useKeyTab=true
> >   useTicketCache=true
> >   storeKey=true
> >   keyTab="/etc/<hostname>+kafka.keytab"
> >   principal="kafka/<hostname>@MY_DOMAIN";
> > };
> >
> > Note that I enabled useTicketCache in the client section.
> >
> > I know that my krb5.conf file is good since the brokers are healthy and
> > consumers/producers are able to do their work.
> >
> > Two scenarios:
> >
> > 1. When I enabled useTicketCache=true, I get the following error:
> >
> > Aug 08, 2016 8:42:46 PM org.apache.zookeeper.ClientCnxn$SendThread startConnect
> > WARNING: SASL configuration failed:
> > javax.security.auth.login.LoginException: No key to store Will continue
> > connection to Zookeeper server without SASL authentication, if Zookeeper
> > server allows it.
> >
> > I execute "kinit kafka/<hostname>@<MY_DOMAIN> -k -t
> > /etc/<hostname>+kafka.keytab" on the same shell where I run the .sh CLI
> > tool.
> >
> > 2. When I remove useTicketCache, I get the following error:
> >
> > Aug 08, 2016 9:03:38 PM org.apache.zookeeper.ZooKeeper close
> > INFO: Session: 0x356621f18f70009 closed
> > Error while executing ACL command:
> > org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode =
> > NoAuth for /kafka-acl/Topic
> > Aug 08, 2016 9:03:38 PM org.apache.zookeeper.ClientCnxn$EventThread run
> > INFO: EventThread shut down
> > org.I0Itec.zkclient.exception.ZkException:
> > org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode =
> > NoAuth for /kafka-acl/Topic
> >   at org.I0Itec.zkclient.exception.ZkException.create(ZkException.java:68)
> >
> > Here is the command I run to set the ACLs in all cases:
> >
> > ./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=<zk-host>:2181
> >   --add --allow-principal User:Bob --producer --topic ssl-topic
> >
> > I use Kafka 0.9.0.1. Note that I am using the same keytabs that my Brokers
> > (Kafka services) are using.
> >
> > Any ideas what I am doing wrong or what I should do differently to get ACLs
> > set?
> >
> > Thanks,
> > Derar
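The two Client blocks in this thread differ in exactly the options Bharat's reply changes (serviceName="zookeeper", useTicketCache=false). The script below is an added example, not code from the thread or from the Kafka project: it parses a JAAS file with the simple grammar Kafka uses and reports how the Client section differs from the recommended block. The parser, the check list and both sample files are constructed from the messages above; the principal and keytab paths in the samples are placeholders.

```python
"""Lint the Client section of a Kafka JAAS file against the Client block
recommended in the thread (added example; not Kafka's own code).

Only the simple JAAS grammar Kafka files use is handled:

    Name { LoginModule flag key=value ...; };
"""
import re

# One section per match: name, then everything up to the closing "};".
SECTION_RE = re.compile(r"(\w+)\s*\{(.*?)\};", re.S)
# Either key="quoted value" (spaces allowed inside the quotes) or a bare token.
TOKEN_RE = re.compile(r'[^\s=]+="[^"]*"|\S+')
KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule"


def parse_jaas(text):
    """Map section name -> list of {"module", "flag", "options"} entries."""
    # Drop whole-line // and # comments before tokenising.
    text = re.sub(r"^\s*(//|#).*$", "", text, flags=re.M)
    sections = {}
    for name, body in SECTION_RE.findall(text):
        entries = []
        for raw in body.split(";"):          # one login-module entry per ';'
            tokens = TOKEN_RE.findall(raw)
            if len(tokens) < 2:
                continue                     # blank fragment before "}"
            options = {}
            for tok in tokens[2:]:
                key, _, value = tok.partition("=")
                options[key] = value.strip('"')
            entries.append({"module": tokens[0], "flag": tokens[1], "options": options})
        sections[name] = entries
    return sections


def lint_client_section(text):
    """Return a list of findings; an empty list means the Client block has the
    same shape as the one recommended in the reply."""
    client = parse_jaas(text).get("Client")
    if not client:
        return ["no Client section: the ZooKeeper client has no SASL login entry"]
    entry, findings = client[0], []
    opts = entry["options"]
    if entry["module"] != KRB5_MODULE:
        findings.append(f"Client uses {entry['module']}, expected {KRB5_MODULE}")
    if opts.get("useKeyTab") != "true":
        findings.append("useKeyTab is not true")
    if not opts.get("keyTab"):
        findings.append("keyTab is missing")
    if not opts.get("principal"):
        findings.append("principal is missing")
    if opts.get("serviceName") != "zookeeper":
        findings.append('serviceName is not "zookeeper" (the recommended block sets it explicitly)')
    if opts.get("useTicketCache", "false").lower() == "true":
        findings.append("useTicketCache=true with a keytab; the recommended block uses useTicketCache=false")
    return findings


# Constructed from Derar's original mail: the Client block that failed.
ORIGINAL_JAAS = """
KafkaServer {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab="/etc/<hostname>+kafka.keytab"
  principal="kafka/<hostname>@MY_DOMAIN";
};
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  useTicketCache=true
  storeKey=true
  keyTab="/etc/<hostname>+kafka.keytab"
  principal="kafka/<hostname>@MY_DOMAIN";
};
"""

# Constructed from Bharat's reply: the recommended Client block (placeholder principal).
RECOMMENDED_JAAS = """
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/keytabs/kafka.service.keytab"
  storeKey=true
  useTicketCache=false
  serviceName="zookeeper"
  principal="kafka/<hostname>@<REALM>";
};
"""

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_JAAS), ("recommended", RECOMMENDED_JAAS)):
        findings = lint_client_section(text)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run against a real file with `lint_client_section(open(path).read())` before exporting KAFKA_OPTS; the original block yields two findings (no serviceName, useTicketCache=true) and the recommended block yields none.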