Hi Team,

We are using Kafka 0.10 with Kerberos security. We have a use case where we 
want to use a DNS alias name instead of the physical hostnames in the 
"bootstrap.servers" property. Using a DNS alias name is helpful from an 
operational perspective (e.g., it's easy to add/remove new brokers in the 
cluster without any code change on the app side).
When we use the DNS alias name, the client is unable to authenticate to the 
Kafka broker.


props.put("bootstrap.servers", "kafka.vipTesting.test.kafka.nimbus.abc.com:XXXX");
props.put("security.protocol", "SASL_PLAINTEXT");
props.put("sasl.kerberos.service.name", "kafka");
props.put("group.id", "ashish-group");
props.put("key.deserializer", "org.apache.kafka.common.serialization.StringDeserializer");
props.put("value.deserializer", "org.apache.kafka.common.serialization.StringDeserializer");


We get the below error:

16:02:03.924 [main] DEBUG o.a.k.c.c.i.AbstractCoordinator - Sending coordinator request for group ashish-group to broker kafka.vipTesting.test.kafka.nimbus.abc.com:XXXX (id: -1 rack: null)
16:02:04.011 [main] DEBUG o.apache.kafka.clients.NetworkClient - Initiating connection to node -1 at kafka.vipTesting.test.kafka.nimbus.abc.com:XXXX.
16:02:04.038 [main] DEBUG o.a.k.c.s.a.SaslClientAuthenticator - Set SASL client state to SEND_HANDSHAKE_REQUEST
16:02:04.045 [main] DEBUG o.a.k.c.s.a.SaslClientAuthenticator - Creating SaslClient: client=kafka_ba...@xx.com;service=kafka;serviceHostname=kafka.vipTesting.test.kafka.nimbus.abc.com;mechs=[GSSAPI]
16:02:04.117 [main] DEBUG o.a.kafka.common.metrics.Metrics - Added sensor with name node--1.bytes-sent
16:02:04.118 [main] DEBUG o.a.kafka.common.metrics.Metrics - Added sensor with name node--1.bytes-received
16:02:04.121 [main] DEBUG o.a.kafka.common.metrics.Metrics - Added sensor with name node--1.latency
16:02:04.180 [main] DEBUG o.a.k.c.s.a.SaslClientAuthenticator - Set SASL client state to RECEIVE_HANDSHAKE_RESPONSE
16:02:04.180 [main] DEBUG o.apache.kafka.clients.NetworkClient - Completed connection to node -1
16:02:04.311 [main] DEBUG o.a.k.c.s.a.SaslClientAuthenticator - Set SASL client state to INITIAL
16:02:04.352 [main] DEBUG o.a.kafka.common.network.Selector - Connection with kafka.vipTesting.test.kafka.nimbus.abc.com/XX.YY.BB.MMMM disconnected
javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)]) occurred when evaluating SASL token received from the Kafka Broker. Kafka Client will go to AUTH_FAILED state.
                at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.createSaslToken(SaslClientAuthenticator.java:293) ~[kafka-clients-0.10.0.0_2.jar:na]
                at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.sendSaslToken(SaslClientAuthenticator.java:210) ~[kafka-clients-0.10.0.0_2.jar:na]
                at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.authenticate(SaslClientAuthenticator.java:178) ~[kafka-clients-0.10.0.0_2.jar:na]
                at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:64) ~[kafka-clients-0.10.0.0_2.jar:na]
                at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:318) [kafka-clients-0.10.0.0_2.jar:na]
                at org.apache.kafka.common.network.Selector.poll(Selector.java:283) [kafka-clients-0.10.0.0_2.jar:na]
                at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:260) [kafka-clients-0.10.0.0_2.jar:na]
                at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.clientPoll(ConsumerNetworkClient.java:360) [kafka-clients-0.10.0.0_2.jar:na]
                at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:224) [kafka-clients-0.10.0.0_2.jar:na]
                at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:192) [kafka-clients-0.10.0.0_2.jar:na]
                at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:163) [kafka-clients-0.10.0.0_2.jar:na]
                at org.apache.kafka.clients.consumer.internals.AbstractCoordinator.ensureCoordinatorReady(AbstractCoordinator.java:179) [kafka-clients-0.10.0.0_2.jar:na]
                at org.apache.kafka.clients.consumer.KafkaConsumer.pollOnce(KafkaConsumer.java:973) [kafka-clients-0.10.0.0_2.jar:na]
                at org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:937) [kafka-clients-0.10.0.0_2.jar:na]
                at main.java.Kafka.sasl.kerberos.KafkaConsumer_Kerberos.main(KafkaConsumer_Kerberos.java:42) [classes/:na]
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_11]
                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_11]
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_11]
                at java.lang.reflect.Method.invoke(Method.java:483) ~[na:1.8.0_11]
                at com.intellij.rt.execution.application.AppMain.main(AppMain.java:134) [idea_rt.jar:na]
Caused by: javax.security.sasl.SaslException: GSS initiate failed
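
Added example, not part of the original post: a Python triage script for a client DEBUG log like the one above. It rebuilds the service principal the client requested from the "service" and "serviceHostname" fields of the "Creating SaslClient" line and pairs it with the Kerberos error code that follows. The sample log, its host names and the function name diagnose() are constructed for illustration.

```python
import re

# Constructed sample (placeholder names, not the poster's log), in the format
# kafka-clients prints at DEBUG level.
SAMPLE_LOG = """\
16:02:04.045 [main] DEBUG o.a.k.c.s.a.SaslClientAuthenticator - Creating SaslClient: client=app@EXAMPLE.COM;service=kafka;serviceHostname=kafka-vip.example.com;mechs=[GSSAPI]
16:02:04.352 [main] DEBUG o.a.kafka.common.network.Selector - Connection with kafka-vip.example.com/192.0.2.10 disconnected
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)]
"""

# \s+ and \s* tolerate the hard line wrapping that mail clients add to pasted logs.
SASL_CLIENT = re.compile(
    r"Creating\s+SaslClient:\s*client=(?P<client>[^;\s]+);service=(?P<service>[^;\s]+);"
    r"serviceHostname=(?P<host>[^;\s]+);mechs=\[(?P<mechs>[^\]]*)\]")
KRB_ERROR = re.compile(r"Mechanism\s+level:\s+(?P<text>[^()]+?)\s+\((?P<code>\d+)\)")

# Kerberos error codes from RFC 4120 that concern principal lookup.
HINTS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN: the client principal is not in the KDC",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN: the KDC has no principal for the requested SPN",
}

def diagnose(log):
    """Pair each Kerberos failure with the SPN the client had just requested."""
    # Merge both kinds of match in log order so an error is attributed to the
    # most recent SaslClient created before it.
    events = sorted(
        list(SASL_CLIENT.finditer(log)) + list(KRB_ERROR.finditer(log)),
        key=lambda m: m.start())
    findings, requested = [], None
    for m in events:
        if m.re is SASL_CLIENT:
            # GSSAPI asks for service/host; the realm comes from the client's krb5 config.
            requested = f"{m['service']}/{m['host']}"
        elif requested is not None:
            code = int(m["code"])
            findings.append({
                "requested_spn": requested,
                "code": code,
                "error": " ".join(m["text"].split()),
                "hint": HINTS.get(code, "not a principal-lookup error"),
            })
    return findings

if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"{f['requested_spn']}: {f['error']} ({f['code']}) -> {f['hint']}")
```

Run against a log where "serviceHostname" is the alias from bootstrap.servers, the reported SPN is the name to look for in the KDC and in the broker keytabs.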
