It seems to be conflicting when I try running the commands on the same box
where Kafka is running. I think it was inheriting Kafka's principal
somehow and not the kafkaclient principal. When moving to another box all
seems to work! An odd one; I'll see if I can reproduce and open a JIRA.

On 17 Feb. 2017 4:54 pm, "Manikumar" <manikumar.re...@gmail.com> wrote:

Please enable authorizer logs (config/log4j.properties) and check if
operations are getting denied.
Also, enable producer debug logs (config/tools-log4j.properties) to check
for any errors.

On Fri, Feb 17, 2017 at 10:34 AM, Stephane Maarek <
steph...@simplemachines.com.au> wrote:

> Hi,
>
> I secured my cluster and everything was working fine. Brokers are up and
> don’t complain, my topics are all synchronized.
>
> Here’s my config (excerpt):
> listeners=PLAINTEXT://0.0.0.0:9092,SSL://0.0.0.0:9093,SASL_PLAINTEXT://0.0.0.0:9094,SASL_SSL://0.0.0.0:9095
> super.users=User:kafka;User:ANONYMOUS
>
> I can publish and read messages from port 9092, but when trying on 9094 I
> get the following errors:
>
> /etc/kafka# KAFKA_OPTS="-Djava.security.krb5.conf=/etc/kafka/krb5.conf
> -Djava.security.auth.login.config=/etc/kafka/kafka_client_jaas.conf"
> kafka-console-producer  --topic sasltest --broker-list localhost:9094
> --producer-property security.protocol=SASL_PLAINTEXT --producer-property
> sasl.mechanism=GSSAPI --producer-property sasl.kerberos.service.name=kafka
> hi
> [2017-02-17 04:41:47,275] ERROR Error when sending message to topic
> sasltest with key: null, value: 2 bytes with error:
> (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback)
> org.apache.kafka.common.errors.TimeoutException: Failed to update metadata
> after 60000 ms.
>
>
> I did permission my user using the following:
>
> root@ip-10-13-80-172:/#
> KAFKA_OPTS="-Djava.security.krb5.conf=/etc/kafka/krb5.conf
> -Djava.security.auth.login.config=/etc/kafka/kafka_server_jaas.conf"
> kafka-acls --add --allow-principal User:sa_sasltest_dev_1
> --authorizer-properties zookeeper.connect=zoo1:2181/kafka-xfs --producer
> --topic sasltest
> Adding ACLs for resource `Topic:sasltest`:
>      User:sa_sasltest_dev_1 has Allow permission for operations: Write from hosts: *
>     User:sa_sasltest_dev_1 has Allow permission for operations: Describe
> from hosts: *
>
> Adding ACLs for resource `Cluster:kafka-cluster`:
>      User:sa_sasltest_dev_1 has Allow permission for operations: Create
> from hosts: *
>
> Current ACLs for resource `Topic:sasltest`:
>      User:sa_sasltest_dev_1 has Allow permission for operations: Write from hosts: *
>     User:sa_sasltest_dev_1 has Allow permission for operations: Describe
> from hosts: *
>
> root@ip-10-13-80-172:/#
> KAFKA_OPTS="-Djava.security.krb5.conf=/etc/kafka/krb5.conf
> -Djava.security.auth.login.config=/etc/kafka/kafka_server_jaas.conf"
> kafka-acls --add --allow-principal User:sa_sasltest_dev_1
> --authorizer-properties zookeeper.connect=zoo1:2181/kafka-xfs --consumer
> --topic sasltest --group sasltest-1
> Adding ACLs for resource `Topic:sasltest`:
>      User:sa_sasltest_dev_1 has Allow permission for operations: Describe
> from hosts: *
>     User:sa_sasltest_dev_1 has Allow permission for operations: Read from
> hosts: *
>
> Adding ACLs for resource `Group:sasltest-1`:
>      User:sa_sasltest_dev_1 has Allow permission for operations: Read from
> hosts: *
>
> Current ACLs for resource `Topic:sasltest`:
>      User:sa_sasltest_dev_1 has Allow permission for operations: Write from hosts: *
>     User:sa_sasltest_dev_1 has Allow permission for operations: Describe
> from hosts: *
>     User:sa_sasltest_dev_1 has Allow permission for operations: Read from
> hosts: *
>
> Current ACLs for resource `Group:sasltest-1`:
>      User:sa_sasltest_dev_1 has Allow permission for operations: Read from
> hosts: *
>
>
> *Am I missing some permissions? Do you have any idea what could be wrong?*
>
> Thanks for the help you’ve given me so far!
> Stephane
>
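
The following added example, not part of the thread or of the Kafka project, parses authorizer audit lines to show which principal the broker actually saw and which operations were denied, which is the check suggested in the reply above. The log line shape, the sample lines and the function names are assumptions constructed for illustration; compare them with your broker's own authorizer log.

```python
import re
from collections import Counter

# Assumed audit-line shape for the ACL authorizer of this era; verify it
# against the lines your broker writes once authorizer logging is enabled.
AUDIT_RE = re.compile(
    r"Principal = (?P<principal>\S+) is (?P<decision>Allowed|Denied) "
    r"Operation = (?P<operation>\w+) from host = (?P<host>\S+) "
    r"on resource = (?P<resource>\S+)"
)

# Constructed sample lines (not taken from the thread).
SAMPLE_LOG = """\
[2017-02-17 04:40:47,101] DEBUG Principal = User:sa_sasltest_dev_1 is Allowed Operation = Describe from host = 10.0.0.5 on resource = Topic:sasltest (kafka.authorizer.logger)
[2017-02-17 04:40:47,140] DEBUG Principal = User:sa_sasltest_dev_1 is Allowed Operation = Write from host = 10.0.0.5 on resource = Topic:sasltest (kafka.authorizer.logger)
[2017-02-17 04:41:02,310] INFO Principal = User:other_client is Denied Operation = Describe from host = 10.0.0.6 on resource = Topic:sasltest (kafka.authorizer.logger)
[2017-02-17 04:41:03,310] INFO Principal = User:other_client is Denied Operation = Describe from host = 10.0.0.6 on resource = Topic:sasltest (kafka.authorizer.logger)
[2017-02-17 04:41:04,001] INFO Principal = User:other_client is Denied Operation = Write from host = 10.0.0.6 on resource = Topic:sasltest (kafka.authorizer.logger)
[2017-02-17 04:41:05,000] INFO unrelated line that is not an audit record
"""


def parse_audit(log_text):
    """Return one dict per audit record; lines of any other shape are skipped."""
    return [m.groupdict() for m in map(AUDIT_RE.search, log_text.splitlines()) if m]


def denied_summary(events):
    """Count denials per (principal, operation, resource)."""
    return Counter(
        (e["principal"], e["operation"], e["resource"])
        for e in events
        if e["decision"] == "Denied"
    )


def unexpected_principals(events, expected):
    """Principals the broker authenticated that are not in the expected set.

    A hit here means the client logged in as a different identity than the
    one the ACLs were granted to (for example, the wrong JAAS file or keytab).
    """
    return {e["principal"] for e in events} - set(expected)


if __name__ == "__main__":
    events = parse_audit(SAMPLE_LOG)
    for key, count in denied_summary(events).items():
        print(count, *key)
    print(unexpected_principals(events, {"User:sa_sasltest_dev_1"}))
```
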
