Enabling SASL/Plain on kerberos-enabled cluster (multiple SASL mechanisms in a broker (GSSAPI and PLAIN)

mliem — Thu, 07 Sep 2017 01:23:50 GMT

Hello,

I have a kerberos-enabled cluster and trying to enable SASL/PLAIN as well on the same broker. SASL (GSSAPI) works fine.

These are the steps i took:

1) Added PlainLoginModule to kafka_jaas.conf (all other sections already there due to kerberos)

KafkaServer {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="{{kafka_keytab_path}}"
storeKey=true
useTicketCache=false
serviceName="{{kafka_bare_jaas_principal}}"
principal="{{kafka_jaas_principal}}";

org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret"
user_admin="admin-secret"
user_alice="alice-secret";
};
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
renewTicket=true
serviceName="{{kafka_bare_jaas_principal}}";
};
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="{{kafka_keytab_path}}"
storeKey=true
useTicketCache=false
serviceName="zookeeper"
principal="{{kafka_jaas_principal}}";
};

I've also validated, -Djava.security.auth.login.config=/usr/hdp/current/kafka-broker/config/kafka_jaas.conf is being loaded (ps -ef | grep kafka_jaas.conf)

2) Created a kafka_plain_jaas_client.conf

KafkaClient {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  username="alice"
  password="alice-secret";
};

3) Update to server.properties

sasl.enabled.mechanisms=GSSAPI,PLAIN
advertised.listeners=PLAINTEXTSASL://ip-123-0-0-12.ec2.internal:6667

4) Producer.proerties

security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN

5) Restarted Kafka

When I use the old kafka_client_jaas that references com.sun.security.auth.module.Krb5LoginModule, everything still works but using the new client_jaas with plainLoginModule I get:

kafka@ip-170-0-0-12:/usr/hdp/current/kafka-broker/bin$ /usr/hdp/current/kafka-broker/bin/kafka-console-producer.sh --broker-list ip-170-0-0-12.ec2.internal:6667 --topic ssl_plain_test -producer.config /usr/hdp/current/kafka-broker/conf/producer.properties --security-protocol PLAINTEXTSASL
d
[2017-09-06 18:13:56,982] WARN Error while fetching metadata with correlation id 0 : {ssl_plain_test=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
[2017-09-06 18:13:57,183] WARN Error while fetching metadata with correlation id 1 : {ssl_plain_test=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
[2017-09-06 18:13:57,284] WARN Error while fetching metadata with correlation id 2 : {ssl_plain_test=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
[2017-09-06 18:13:57,385] WARN Error while fetching metadata with correlation id 3 : {ssl_plain_test=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)
[2017-09-06 18:13:57,485] WARN Error while fetching metadata with correlation id 4 : {ssl_plain_test=UNKNOWN_TOPIC_OR_PARTITION} (org.apache.kafka.clients.NetworkClient)

I edited: /usr/hdp/current/kafka-broker/bin/kafka-console-producer.sh to point to my client_jaas:

export KAFKA_CLIENT_KERBEROS_PARAMS="-Djava.security.auth.login.config=$KAFKA_HOME/config/kafka_plain_jaas_client.conf"

Any ideas?

Thanks!

Re: Enabling SASL/Plain on kerberos-enabled cluster (multiple SASL mechanisms in a broker (GSSAPI and PLAIN)

mkumar2 — Wed, 13 Sep 2017 12:19:50 GMT

@mliem this looks like authorization issue. we need to add ACLs for user alice

question Re: Enabling SASL/Plain on kerberos-enabled cluster (multiple SASL mechanisms in a broker (GSSAPI and PLAIN) in Support Questions

Enabling SASL/Plain on kerberos-enabled cluster (multiple SASL mechanisms in a broker (GSSAPI and PLAIN)

Re: Enabling SASL/Plain on kerberos-enabled cluster (multiple SASL mechanisms in a broker (GSSAPI and PLAIN)