Hi, there.
I have a working 3-node kafka kraft mode network. Everything works fine
with no authentication. I am using new Kafka 3.6.
The node_id for the kraft controllers are "1000", "1001" and "1002".
There is a regular kafka broker with node_id "1".
I am trying to move that controller configuration to "scram-sha-256"
authentication. The steps I did were:
1. With the cluster unauthenticated, I created scram-sha-256 credentials
for users "1000", "1001" and "1002", using "kafka-configs.sh". The
credentials reached the quorum servers and they were distributed to
the entire cluster, as inspection of "__cluster_metadata-0" storage
files showed.
2. I stopped the quorum servers and I added this to the configuration of
each one:
"""
listeners=CONTROLLER://:9093
# A comma-separated list of the names of the listeners used by the controller.
# This is required if running in KRaft mode.
controller.listener.names=CONTROLLER
listener.security.protocol.map=CONTROLLER:SASL_PLAINTEXT
# Maps listener names to security protocols, the default is for them to be the same. See the config documentation for more details
#listener.security.protocol.map=PLAINTEXT:PLAINTEXT,SSL:SSL,SASL_PLAINTEXT:SASL_PLAINTEXT,SASL_SSL:SASL_SSL
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256
# KIP-631
sasl.mechanism.controller.protocol=SCRAM-SHA-256
sasl.enabled.mechanisms=SCRAM-SHA-256
listener.name.controller.sasl.enabled.mechanisms=SCRAM-SHA-256
listener.name.controller.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="1001" password="XXXX";
"""
3. I launch the servers; they start fine and try to reach each
other. Nevertheless, the authentication fails with this message:
"""
org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed during authentication due to invalid credentials with SASL mechanism SCRAM-SHA-256
"""
4. Checking with a sniffer (TLS encryption would be the next step, after
authentication is solved) I see something strange: the connecting client
sends the initial scram-sha-256 message, but it doesn't get the expected
server nonce, only an immediate authentication error.
For example, one controller sends this:
"n,,n=1001,r=3mgk0fnx45exolq50iej2o3vx" (expected initial client
message) and the other replies with "Authentication failed during
authentication due to invalid credentials with SASL mechanism
SCRAM-SHA-256". It looks like the user was not recognized or the
mechanism was not supported. I would expect a server handshake as
described in RFC 5802.
Any help? Anybody with a similar configuration? Could anybody share
their working configuration? Thanks.
--
Jesús Cea Avión
j...@jcea.es - https://www.jcea.es/
Twitter: @jcea
jabber / xmpp:j...@jabber.org
"Things are not so easy"
"My name is Dump, Core Dump"
"Love is placing your happiness in the happiness of another" - Leibniz
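The RFC 5802 handshake the post expects, as an added example that is not part of the original message or of Kafka's code: a self-contained Python SCRAM-SHA-256 exchange in which the server side keeps only salt, iteration count, StoredKey and ServerKey per user and only answers with server-first when it finds a credential for the username, so a missing or mismatched credential ends the exchange with an error instead of a server nonce. The username "1001", password "XXXX" and client nonce used below are taken from the post; `store_credential`, `scram_exchange` and the `e=...` abort strings are hypothetical names of this example, not Kafka's.

```python
import base64
import hashlib
import hmac
import os
import secrets

MECH = "sha256"  # SCRAM-SHA-256: PBKDF2, HMAC and H all use SHA-256

def store_credential(password: str, iterations: int = 4096) -> dict:
    """Server side: what a SCRAM server persists per user (salt, i, StoredKey, ServerKey)."""
    salt = os.urandom(16)
    salted = hashlib.pbkdf2_hmac(MECH, password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", MECH).digest()
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.sha256(client_key).digest(),
            "server_key": hmac.new(salted, b"Server Key", MECH).digest()}

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def scram_exchange(username, password, users, client_nonce=None, server_nonce=None):
    """Run the RFC 5802 message flow; return (transcript, server_accepted, client_accepted)."""
    cnonce = client_nonce or secrets.token_urlsafe(18)
    client_first_bare = f"n={username},r={cnonce}"
    client_first = "n,," + client_first_bare  # gs2 header "n,,": no channel binding
    cred = users.get(username)
    if cred is None:  # no stored credential: server aborts instead of sending server-first
        return [client_first, "e=unknown-user"], False, False
    nonce = cnonce + (server_nonce or secrets.token_urlsafe(18))
    server_first = f"r={nonce},s={base64.b64encode(cred['salt']).decode()},i={cred['iterations']}"
    client_final_bare = f"c=biws,r={nonce}"  # "biws" is base64("n,,")
    auth_message = ",".join([client_first_bare, server_first, client_final_bare]).encode()
    # Client: derive ClientKey from the password and the server-supplied salt/iterations
    salted = hashlib.pbkdf2_hmac(MECH, password.encode(), cred["salt"], cred["iterations"])
    client_key = hmac.new(salted, b"Client Key", MECH).digest()
    client_sig = hmac.new(hashlib.sha256(client_key).digest(), auth_message, MECH).digest()
    proof = xor(client_key, client_sig)
    client_final = f"{client_final_bare},p={base64.b64encode(proof).decode()}"
    # Server: recover ClientKey from the proof and check H(ClientKey) == StoredKey
    recovered = xor(proof, hmac.new(cred["stored_key"], auth_message, MECH).digest())
    if not hmac.compare_digest(hashlib.sha256(recovered).digest(), cred["stored_key"]):
        return [client_first, server_first, client_final, "e=invalid-proof"], False, False
    server_final = "v=" + base64.b64encode(hmac.new(cred["server_key"], auth_message, MECH).digest()).decode()
    # Client: verify the server knew ServerKey (mutual authentication)
    expected = hmac.new(hmac.new(salted, b"Server Key", MECH).digest(), auth_message, MECH).digest()
    client_ok = hmac.compare_digest(server_final, "v=" + base64.b64encode(expected).decode())
    return [client_first, server_first, client_final, server_final], True, client_ok
```

The transcript's second element is the server-first message (server nonce appended to the client nonce, salt, iteration count) that the sniffer in step 4 should have shown after the client-first message.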