error when setup sasl-ssl (sasl/scram-sha-512)


thuy nguyenthithu

Mar 28, 2018, 6:40:11 AM
to kafka-clients
Hi all, when I configured my cluster to use sasl-ssl and wrote some Java code, I got an error with my client:


Failed to create channel due to  (org.apache.kafka.common.network.SaslChannelBuilder)
org.apache.kafka.common.errors.SaslAuthenticationException: Failed to configure SaslClientAuthenticator
Caused by: org.apache.kafka.common.KafkaException: Principal could not be determined from Subject, this may be a transient failure due to Kerberos re-login
at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.firstPrincipal(SaslClientAuthenticator.java:439)
at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.<init>(SaslClientAuthenticator.java:132)
at org.apache.kafka.common.network.SaslChannelBuilder.buildClientAuthenticator(SaslChannelBuilder.java:162)
at org.apache.kafka.common.network.SaslChannelBuilder.buildChannel(SaslChannelBuilder.java:126)
at org.apache.kafka.common.network.Selector.buildAndAttachKafkaChannel(Selector.java:274)
at org.apache.kafka.common.network.Selector.registerChannel(Selector.java:267)
at org.apache.kafka.common.network.Selector.connect(Selector.java:203)
at org.apache.kafka.clients.NetworkClient.initiateConnect(NetworkClient.java:793)
at org.apache.kafka.clients.NetworkClient.access$700(NetworkClient.java:62)
at org.apache.kafka.clients.NetworkClient$DefaultMetadataUpdater.maybeUpdate(NetworkClient.java:944)
at org.apache.kafka.clients.NetworkClient$DefaultMetadataUpdater.maybeUpdate(NetworkClient.java:848)
at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:458)
at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:239)
at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:163)
at java.lang.Thread.run(Thread.java:748)


I don't know where the error comes from.
Can anyone help me? Thank you.
Below are my properties:

properties.put(ProducerConfig.KEY_SERIALIZER_CLASS_CONFIG, "org.apache.kafka.common.serialization.ByteArraySerializer");
properties.put(ProducerConfig.VALUE_SERIALIZER_CLASS_CONFIG, "org.apache.kafka.common.serialization.ByteArraySerializer");
properties.put("security.protocol","SASL_SSL");
properties.put("ssl.truststore.location","C:\\Users\\Dao\\server.truststore.jks");
properties.put("ssl.truststore.password","123456");
properties.put("ssl.keystore.location","C:\\Users\\Dao\\server.keystore.jks");
properties.put("ssl.keystore.password","123456");
properties.put("ssl.key.password","123456");
properties.put("ssl.truststore.type","JKS");
properties.put("ssl.keystore.type","JKS");
properties.put("ssl.enabled.protocols","TLSv1.2,TLSv1.1,TLSv1");
properties.put("sasl.mechanisms","SCRAM-SHA-512");
properties.put("sasl.jaas.config","org.apache.kafka.common.security.scram.ScramLoginModule required username='vpoint' password='vpoint-secret' serviceName='zookeeper';");
properties.put("bootstrap.servers", policy.brokers);
My jaas_config:

KafkaClient {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="vpoint"
password="vpoint-secret";
};



Manikumar

Mar 28, 2018, 6:53:39 AM
to thuy nguyenthithu, kafka-clients
Not sure if you are trying to use SASL/SCRAM or SASL/PLAIN.
You can configure either jaas.conf or the sasl.jaas.config property. For SASL/PLAIN, you need to configure sasl.mechanism=PLAIN in client configs.



thuy nguyenthithu

Mar 28, 2018, 11:21:18 PM
to kafka-clients
Hi ManiKumar Reddy,
Thanks for your response. But when I changed my jaas.conf, the error still appears.
My jaas.conf:
KafkaClient {
org.apache.kafka.common.security.scram.ScramLoginModule required
username="vpoint"
password="vpoint-secret";
};

thuy nguyenthithu

Mar 29, 2018, 12:31:11 AM
to kafka-clients
Hi,
The problem was that I set
properties.put("sasl.mechanisms","SCRAM-SHA-512");
instead of
properties.put("sasl.mechanism","SCRAM-SHA-512");
Thank you for your support. However, I got another error:


ASL authentication failed using login context 'Client'. (org.apache.zookeeper.client.ZooKeeperSaslClient)
org.I0Itec.zkclient.exception.ZkAuthFailedException: Authentication failure


My jaas:

KafkaClient {
org.apache.kafka.common.security.scram.ScramLoginModule required
username="vpoint"
password="vpoint-secret";
};
Client {
org.apache.kafka.common.security.scram.ScramLoginModule required
username="vpoint"
password="vpoint-secret";
};
KafkaServer{

org.apache.kafka.common.security.scram.ScramLoginModule required
username="vpoint"
password="vpoint-secret"
user_admin="vpoint-secret"
;
};

Client {
org.apache.kafka.common.security.scram.ScramLoginModule required
username="vpoint"
password="vpoint-secret"
user_admin="vpoint-secret"
;
};


Best regards,
------
Nguyễn Thị Thu Thúy,





Manikumar

Mar 30, 2018, 12:43:11 PM
to thuy nguyenthithu, kafka-clients
ZooKeeper does not support SASL/SCRAM authentication. You may want to enable Kerberos on ZK.
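
Added example, not part of the thread and not Kafka's own code: a small Java check for the two misconfigurations discussed above. It flags the misspelled "sasl.mechanisms" key, which leaves the client on its default mechanism GSSAPI (hence the Kerberos wording in the first stack trace), and a ZooKeeper "Client" JAAS section that loads ScramLoginModule. The class name SaslConfigLint, the lint method and the sample credentials are constructed for illustration.

```java
import java.util.*;
import java.util.regex.*;

// Hypothetical helper for illustration; only the JDK is needed to run it.
public class SaslConfigLint {
    static final String SCRAM = "org.apache.kafka.common.security.scram.ScramLoginModule";
    // SASL mechanism -> login module a Kafka client must load for it.
    static final Map<String, String> MODULE = Map.of(
        "PLAIN", "org.apache.kafka.common.security.plain.PlainLoginModule",
        "SCRAM-SHA-256", SCRAM,
        "SCRAM-SHA-512", SCRAM,
        "GSSAPI", "com.sun.security.auth.module.Krb5LoginModule");
    // Matches "SectionName { login.module.Class" in a JAAS file.
    static final Pattern SECTION = Pattern.compile("(\\w+)\\s*\\{\\s*([\\w.$]+)");

    // Lints client properties plus the text of a static JAAS file.
    static List<String> lint(Properties props, String jaasFile) {
        List<String> findings = new ArrayList<>();
        for (String key : props.stringPropertyNames())
            // Near-miss of the real client key; the client ignores it and keeps the default.
            if (key.startsWith("sasl.mechanism") && !key.equals("sasl.mechanism"))
                findings.add("unknown key '" + key + "', did you mean 'sasl.mechanism'?");
        // With no sasl.mechanism set, the client uses GSSAPI (Kerberos).
        String mech = props.getProperty("sasl.mechanism", "GSSAPI");
        Map<String, String> sections = new HashMap<>();
        Matcher m = SECTION.matcher(jaasFile);
        while (m.find()) sections.put(m.group(1), m.group(2));
        // sasl.jaas.config takes precedence over the KafkaClient section of a JAAS file.
        String inline = props.getProperty("sasl.jaas.config");
        String module = inline != null ? inline.trim().split("\\s+")[0] : sections.get("KafkaClient");
        String expected = MODULE.get(mech);
        if (module != null && expected != null && !expected.equals(module))
            findings.add("mechanism " + mech + " expects " + expected + " but " + module + " is configured");
        // 'Client' is the login context ZooKeeper's client uses; it cannot do SCRAM.
        if (SCRAM.equals(sections.get("Client")))
            findings.add("JAAS section 'Client' uses ScramLoginModule, which ZooKeeper does not support");
        return findings;
    }

    public static void main(String[] args) {
        Properties p = new Properties();   // constructed sample modelled on the first post
        p.put("sasl.mechanisms", "SCRAM-SHA-512");
        p.put("sasl.jaas.config", SCRAM + " required username='u' password='p';");
        String jaas = "KafkaClient { " + SCRAM + " required username=\"u\" password=\"p\"; };\n"
                    + "Client { " + SCRAM + " required username=\"u\" password=\"p\"; };";
        lint(p, jaas).forEach(System.out::println);
    }
}
```

On the constructed sample it reports three findings: the misspelled key, the GSSAPI/ScramLoginModule mismatch that follows from it, and the unsupported "Client" section.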

