Dockerized Schema Registry with SASL Authentication
245 views
Skip to first unread message
Akshay Katyal
Sep 11, 2017, 10:14:54 AM9/11/17
to Confluent Platform
Hey,
I am trying to setup Confluent Schema Registry with Kerberos backed Kafka Cluster. Here is what my docker compose file looks like:
---
version: '2'
services:
zookeeper:
image: confluentinc/cp-zookeeper:3.3.0
container_name: gob-zk-sasl-1
network_mode: host
volumes:
- ./dev-setup:/etc/kafka/secrets
ports:
- "22181:22181"
environment:
ZOOKEEPER_SERVER_ID: 1
ZOOKEEPER_CLIENT_PORT: 22181
ZOOKEEPER_TICK_TIME: 2000
ZOOKEEPER_INIT_LIMIT: 5
ZOOKEEPER_SYNC_LIMIT: 2
KAFKA_OPTS: -Djava.security.auth.login.config=/etc/kafka/secrets/zookeeper_1_jaas.conf
-Djava.security.krb5.conf=/etc/kafka/secrets/krb.conf
-Dzookeeper.authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
-Dsun.security.krb5.debug=true
extra_hosts:
- "moby:127.0.0.1"
kafka:
image: confluentinc/cp-kafka:3.3.0
container_name: gob-kafka-sasl-1
volumes:
- ./dev-setup:/etc/kafka/secrets
depends_on:
- zookeeper
network_mode: host
ports:
- "29094:29094"
environment:
KAFKA_ZOOKEEPER_CONNECT: localhost:22181
KAFKA_ADVERTISED_LISTENERS: SASL_SSL://localhost:29094
KAFKA_SSL_KEYSTORE_FILENAME: kafka.broker1.keystore.jks
KAFKA_SSL_KEYSTORE_CREDENTIALS: broker1_keystore_creds
KAFKA_SSL_KEY_CREDENTIALS: broker1_sslkey_creds
KAFKA_SSL_TRUSTSTORE_FILENAME: kafka.broker1.truststore.jks
KAFKA_SSL_TRUSTSTORE_CREDENTIALS: broker1_truststore_creds
KAFKA_SECURITY_INTER_BROKER_PROTOCOL: SASL_SSL
KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL: GSSAPI
KAFKA_SASL_ENABLED_MECHANISMS: GSSAPI
KAFKA_SASL_KERBEROS_SERVICE_NAME: kafka
KAFKA_OPTS: -Djava.security.auth.login.config=/etc/kafka/secrets/broker1_jaas.conf
-Djava.security.krb5.conf=/etc/kafka/secrets/krb.conf
-Dsun.security.krb5.debug=true
extra_hosts:
- "moby:127.0.0.1"
schema-registry:
image: confluentinc/cp-schema-registry:3.3.0
container_name: gob-schema-registry
restart: on-failure:3
volumes:
- ./dev-setup:/etc/kafka/secrets
depends_on:
- zookeeper
- kafka
network_mode: host
ports:
- "8081:8081"
environment:
SCHEMA_REGISTRY_KAFKASTORE_CONNECTION_URL: localhost:22181
SCHEMA_REGISTRY_HOST_NAME: localhost
SCHEMA_REGISTRY_LISTENERS: http://localhost:8081
KAFKASTORE_BOOTSTRAP_SERVERS: SASL_SSL://localhost:29094
KAFKASTORE_SASL_KERBEROS_SERVICE_NAME: kafka
ZOOKEEPER_SET_ACL: "true"
KAFKASTORE_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.broker1.truststore.jks
KAFKASTORE_SSL_TRUSTSTORE_CREDENTIALS: /etc/kafka/secrets/broker1_truststore_creds
KAFKA_OPTS: -Djava.security.auth.login.config=/etc/kafka/secrets/broker1_jaas.conf
-Djava.security.krb5.conf=/etc/krb5.conf
-Dsun.security.krb5.debug=true
extra_hosts:
- "moby:127.0.0.1"
I get this in my container logs:
gob-schema-registry | ===> ENV Variables ...gob-schema-registry |gob-schema-registry | . /etc/confluent/docker/apply-mesos-overridesgob-schema-registry | + . /etc/confluent/docker/apply-mesos-overridesgob-schema-registry | #!/usr/bin/env bashgob-schema-registry | #gob-schema-registry | # Copyright 2016 Confluent Inc.gob-schema-registry | #gob-schema-registry | # Licensed under the Apache License, Version 2.0 (the "License");gob-schema-registry | # you may not use this file except in compliance with the License.gob-schema-registry | # You may obtain a copy of the License atgob-schema-registry | #gob-schema-registry | # http://www.apache.org/licenses/LICENSE-2.0gob-schema-registry | #gob-schema-registry | # Unless required by applicable law or agreed to in writing, softwaregob-schema-registry | # distributed under the License is distributed on an "AS IS" BASIS,gob-schema-registry | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.gob-schema-registry | # See the License for the specific language governing permissions andgob-schema-registry | # limitations under the License.gob-schema-registry |gob-schema-registry | # Mesos DC/OS docker deployments will have HOST and PORT0gob-schema-registry | # set for the proxying of the service.gob-schema-registry | #gob-schema-registry | # Use those values provide things we know we'll need.gob-schema-registry |gob-schema-registry | [ -n "${HOST:-}" ] && [ -z "${SCHEMA_REGISTRY_HOST_NAME:-}" ] && \gob-schema-registry | export SCHEMA_REGISTRY_HOST_NAME=$HOST || true # we don't want the setup to fail if not on Mesosgob-schema-registry | ++ '[' -n '' ']'gob-schema-registry | ++ truegob-schema-registry |gob-schema-registry |gob-schema-registry | echo "===> ENV Variables ..."gob-schema-registry | + echo '===> ENV Variables ...'gob-schema-registry | env | sortgob-schema-registry | + envgob-schema-registry | + sortgob-schema-registry | ALLOW_UNSIGNED=falsegob-schema-registry | COMPONENT=schema-registrygob-schema-registry | CONFLUENT_DEB_VERSION=1gob-schema-registry | CONFLUENT_MAJOR_VERSION=3gob-schema-registry | CONFLUENT_MINOR_VERSION=3gob-schema-registry | CONFLUENT_MVN_LABEL=gob-schema-registry | CONFLUENT_PATCH_VERSION=0gob-schema-registry | CONFLUENT_PLATFORM_LABEL=gob-schema-registry | CONFLUENT_VERSION=3.3.0gob-schema-registry | HOME=/rootgob-schema-registry | HOSTNAME=mobygob-schema-registry | KAFKASTORE_BOOTSTRAP_SERVERS=SASL_SSL://localhost:29094gob-schema-registry | KAFKASTORE_SASL_KERBEROS_SERVICE_NAME=kafkagob-schema-registry | KAFKASTORE_SSL_TRUSTSTORE_CREDENTIALS=/etc/kafka/secrets/broker1_truststore_credsgob-schema-registry | KAFKASTORE_SSL_TRUSTSTORE_LOCATION=/etc/kafka/secrets/kafka.broker1.truststore.jksgob-schema-registry | KAFKA_OPTS=-Djava.security.auth.login.config=/etc/kafka/secrets/broker1_jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf -Dsun.security.krb5.debug=truegob-schema-registry | KAFKA_VERSION=0.11.0.0gob-schema-registry | LANG=C.UTF-8gob-schema-registry | PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bingob-schema-registry | PWD=/gob-schema-registry | PYTHON_PIP_VERSION=8.1.2gob-schema-registry | PYTHON_VERSION=2.7.9-1gob-schema-registry | SCALA_VERSION=2.11gob-schema-registry | SCHEMA_REGISTRY_HOST_NAME=localhostgob-schema-registry | SCHEMA_REGISTRY_KAFKASTORE_CONNECTION_URL=localhost:22181gob-schema-registry | SCHEMA_REGISTRY_LISTENERS=http://localhost:8081gob-schema-registry | SHLVL=1gob-schema-registry | ZOOKEEPER_SET_ACL=truegob-schema-registry | ZULU_OPENJDK_VERSION=8=8.17.0.3gob-schema-registry | _=/usr/bin/envgob-schema-registry | affinity:container==73bad4b40944a2346647515d5dd7772eb2144f2827aed77193852cbe8654fa2fgob-schema-registry | no_proxy=*.local, 169.254/16gob-schema-registry | ===> Usergob-schema-registry |gob-schema-registry | echo "===> User"gob-schema-registry | + echo '===> User'gob-schema-registry | idgob-schema-registry | + idgob-schema-registry | uid=0(root) gid=0(root) groups=0(root)gob-schema-registry | ===> Configuring ...gob-schema-registry |gob-schema-registry | echo "===> Configuring ..."gob-schema-registry | + echo '===> Configuring ...'gob-schema-registry | /etc/confluent/docker/configuregob-schema-registry | + /etc/confluent/docker/configuregob-schema-registry |gob-schema-registry | dub ensure SCHEMA_REGISTRY_KAFKASTORE_CONNECTION_URLgob-schema-registry | + dub ensure SCHEMA_REGISTRY_KAFKASTORE_CONNECTION_URLgob-schema-registry | dub ensure SCHEMA_REGISTRY_HOST_NAMEgob-schema-registry | + dub ensure SCHEMA_REGISTRY_HOST_NAMEgob-schema-registry | dub path /etc/"${COMPONENT}"/ writablegob-schema-registry | + dub path /etc/schema-registry/ writablegob-schema-registry |gob-schema-registry | if [[ -n "${SCHEMA_REGISTRY_PORT-}" ]]gob-schema-registry | thengob-schema-registry | echo "PORT is deprecated. Please use SCHEMA_REGISTRY_LISTENERS instead."gob-schema-registry | exit 1gob-schema-registry | figob-schema-registry | + [[ -n '' ]]gob-schema-registry |gob-schema-registry | if [[ -n "${SCHEMA_REGISTRY_JMX_OPTS-}" ]]gob-schema-registry | thengob-schema-registry | if [[ ! $SCHEMA_REGISTRY_JMX_OPTS == *"com.sun.management.jmxremote.rmi.port"* ]]gob-schema-registry | thengob-schema-registry | echo "SCHEMA_REGISTRY_OPTS should contain 'com.sun.management.jmxremote.rmi.port' property. It is required for accessing the JMX metrics externally."gob-schema-registry | figob-schema-registry | figob-schema-registry | + [[ -n '' ]]gob-schema-registry |gob-schema-registry | dub template "/etc/confluent/docker/${COMPONENT}.properties.template" "/etc/${COMPONENT}/${COMPONENT}.properties"gob-schema-registry | + dub template /etc/confluent/docker/schema-registry.properties.template /etc/schema-registry/schema-registry.propertiesgob-schema-registry | dub template "/etc/confluent/docker/log4j.properties.template" "/etc/${COMPONENT}/log4j.properties"gob-schema-registry | + dub template /etc/confluent/docker/log4j.properties.template /etc/schema-registry/log4j.propertiesgob-schema-registry | dub template "/etc/confluent/docker/admin.properties.template" "/etc/${COMPONENT}/admin.properties"gob-schema-registry | + dub template /etc/confluent/docker/admin.properties.template /etc/schema-registry/admin.propertiesgob-schema-registry |gob-schema-registry | echo "===> Running preflight checks ... "gob-schema-registry | + echo '===> Running preflight checks ... 'gob-schema-registry | /etc/confluent/docker/ensuregob-schema-registry | ===> Running preflight checks ...gob-schema-registry | + /etc/confluent/docker/ensuregob-schema-registry |gob-schema-registry | echo "===> Check if Zookeeper is healthy ..."gob-schema-registry | + echo '===> Check if Zookeeper is healthy ...'gob-schema-registry | cub zk-ready "$SCHEMA_REGISTRY_KAFKASTORE_CONNECTION_URL" "${SCHEMA_REGISTRY_CUB_ZK_TIMEOUT:-40}"gob-schema-registry | ===> Check if Zookeeper is healthy ...gob-schema-registry | + cub zk-ready localhost:22181 40gob-schema-registry | SASL is enabled. java.security.auth.login.config=/etc/kafka/secrets/broker1_jaas.confgob-schema-registry | Client environment:zookeeper.version=3.4.6-1569965, built on 02/20/2014 09:09 GMTgob-schema-registry | Client environment:host.name=localhostgob-schema-registry | Client environment:java.version=1.8.0_102gob-schema-registry | Client environment:java.vendor=Azul Systems, Inc.gob-schema-registry | Client environment:java.home=/usr/lib/jvm/zulu-8-amd64/jregob-schema-registry | Client environment:java.class.path=/etc/confluent/docker/docker-utils.jargob-schema-registry | Client environment:java.library.path=/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/libgob-schema-registry | Client environment:java.io.tmpdir=/tmpgob-schema-registry | Client environment:java.compiler=<NA>gob-schema-registry | Client environment:os.name=Linuxgob-schema-registry | Client environment:os.arch=amd64gob-schema-registry | Client environment:os.version=4.9.41-mobygob-schema-registry | Client environment:user.name=rootgob-schema-registry | Client environment:user.home=/rootgob-schema-registry | Client environment:user.dir=/gob-schema-registry | Initiating client connection, connectString=localhost:22181 sessionTimeout=40000 watcher=io.confluent.admin.utils.ZookeeperConnectionWatcher@45ff54e6gob-schema-registry | >>> KeyTabInputStream, readName(): TEST.GETSTRIKE.COgob-schema-registry | >>> KeyTabInputStream, readName(): zkclientgob-schema-registry | >>> KeyTabInputStream, readName(): localhostgob-schema-registry | >>> KeyTab: load() entry length: 71; type: 23gob-schema-registry | >>> KeyTabInputStream, readName(): TEST.GETSTRIKE.COgob-schema-registry | >>> KeyTabInputStream, readName(): zkclientgob-schema-registry | >>> KeyTabInputStream, readName(): localhostgob-schema-registry | >>> KeyTab: load() entry length: 79; type: 16gob-schema-registry | >>> KeyTabInputStream, readName(): TEST.GETSTRIKE.COgob-schema-registry | >>> KeyTabInputStream, readName(): zkclientgob-schema-registry | >>> KeyTabInputStream, readName(): localhostgob-schema-registry | >>> KeyTab: load() entry length: 63; type: 1gob-schema-registry | Looking for keys for: zkclient/loca...@TEST.GETSTRIKE.COgob-schema-registry | Java config name: /etc/krb5.confgob-schema-registry | Found unsupported keytype (1) for zkclient/loca...@TEST.GETSTRIKE.COgob-schema-registry | Added key: 16version: 1gob-schema-registry | Added key: 23version: 1gob-schema-registry | >>> KdcAccessibility: resetgob-schema-registry | Looking for keys for: zkclient/loca...@TEST.GETSTRIKE.COgob-schema-registry | Found unsupported keytype (1) for zkclient/loca...@TEST.GETSTRIKE.COgob-schema-registry | Added key: 16version: 1gob-schema-registry | Added key: 23version: 1gob-schema-registry | Using builtin default etypes for default_tkt_enctypesgob-schema-registry | default etypes for default_tkt_enctypes: 17 16 23.gob-schema-registry | >>> KrbAsReq creating messagegob-schema-registry | getKDCFromDNS using UDPgob-schema-registry | getKDCFromDNS using TCPgob-schema-registry | SASL configuration failed: javax.security.auth.login.LoginException: Cannot locate KDC Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it.gob-schema-registry | Opening socket connection to server localhost/127.0.0.1:22181gob-schema-registry | Error occurred while connecting to Zookeeper server[localhost:22181]. Authentication failed.gob-schema-registry | Socket connection established to localhost/127.0.0.1:22181, initiating sessiongob-schema-registry | Session establishment complete on server localhost/127.0.0.1:22181, sessionid = 0x15e71077792000a, negotiated timeout = 40000gob-schema-registry | Session: 0x15e71077792000a closedgob-schema-registry | EventThread shut downgob-schema-registry exited with code 1
This is what the jaas conf looks like for the schema registry:
// Kafka Client authentication
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab="/etc/kafka/secrets/schemaregistry.keytab"
principal="schemaregistry/loca...@TEST.GETSTRIKE.CO";
};
// Zookeeper client authentication
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab="/etc/kafka/secrets/zkclient1.keytab"
principal="zkclient/loca...@TEST.GETSTRIKE.CO";
};
Looks like the schema registry is unable to locate KDC. Not sure what is wrong here. I am guessing I am missing something out in the docker compose file. Can someone help me out with this?
Akshay Katyal
Sep 13, 2017, 7:29:16 AM9/13/17
to Confluent Platform
Anyone have any idea what is going on here? Any help would be really appreciated. Stuck on this for a while now.
gob-schema-registry | Looking for keys for: zkclient/localhost@TEST.GETSTRIKE.CO
gob-schema-registry | Java config name: /etc/krb5.conf
gob-schema-registry | Found unsupported keytype (1) for zkclient/localhost@TEST.GETSTRIKE.CO
gob-schema-registry | Added key: 16version: 1gob-schema-registry | Added key: 23version: 1gob-schema-registry | >>> KdcAccessibility: reset
gob-schema-registry | Looking for keys for: zkclient/localhost@TEST.GETSTRIKE.COgob-schema-registry | Found unsupported keytype (1) for zkclient/localhost@TEST.GETSTRIKE.CO
gob-schema-registry | Added key: 16version: 1gob-schema-registry | Added key: 23version: 1gob-schema-registry | Using builtin default etypes for default_tkt_enctypesgob-schema-registry | default etypes for default_tkt_enctypes: 17 16 23.gob-schema-registry | >>> KrbAsReq creating messagegob-schema-registry | getKDCFromDNS using UDPgob-schema-registry | getKDCFromDNS using TCPgob-schema-registry | SASL configuration failed: javax.security.auth.login.LoginException: Cannot locate KDC Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it.gob-schema-registry | Opening socket connection to server localhost/127.0.0.1:22181gob-schema-registry | Error occurred while connecting to Zookeeper server[localhost:22181]. Authentication failed.gob-schema-registry | Socket connection established to localhost/127.0.0.1:22181, initiating sessiongob-schema-registry | Session establishment complete on server localhost/127.0.0.1:22181, sessionid = 0x15e71077792000a, negotiated timeout = 40000gob-schema-registry | Session: 0x15e71077792000a closedgob-schema-registry | EventThread shut downgob-schema-registry exited with code 1
This is what the jaas conf looks like for the schema registry:
// Kafka Client authentication
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab="/etc/kafka/secrets/schemaregistry.keytab"
principal="schemaregistry/localh...@TEST.GETSTRIKE.CO";
};
// Zookeeper client authentication
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab="/etc/kafka/secrets/zkclient1.keytab"
principal="zkclient/localhost@TEST.GETSTRIKE.CO";
};
Reply all
Reply to author
Forward
0 new messages