https://community.cloudera.com/t5/Archives-of-Support-Questions/Problem-starting-kerberized-Kafka-with-Sentry-on-CDH-5-10/m-p/56230#M63264 <P>Well as far as I can read the code I've cited, there is problem when Kafka wants to list roles, and it want to do this when caching Sentry privileges is enabled.</P><P>&nbsp;</P><P>When I:</P><P>1. In Kafka configuration disabled sentry.kafka.caching.enable</P><P>2. In Sentry configuration deleted kafka group from sentry.service.admin.group, so the configuration is:</P><PRE>root@node1:~# cd `ls -dt /var/run/cloudera-scm-agent/process/*sentry* | head -n1` root@node1:/var/run/cloudera-scm-agent/process/1442-sentry-SENTRY_SERVER# grep -A 1 -E "sentry.service.(allow.connect|admin.group)" sentry-site.xml &lt;name&gt;sentry.service.admin.group&lt;/name&gt; &lt;value&gt;hive,impala,hue,sudo&lt;/value&gt; -- &lt;name&gt;sentry.service.allow.connect&lt;/name&gt; &lt;value&gt;hive,impala,hue,hdfs,solr,kafka&lt;/value&gt; root@node1:/var/run/cloudera-scm-agent/process/1442-sentry-SENTRY_SERVER#</PRE><P>&nbsp;</P><P>&nbsp;</P><P>3. Depoly client configuration and restart dependant services</P><P>&nbsp;</P><P>After this steps Kafka started properly, so turning off caching of Sentry privileges was a workaround for me to start Kafka without errors.<BR /><BR />Though I have problems when using kafka-sentry tool:</P><PRE>root@node1:~# kinit isegrim Password for isegrim@TEST.COM: root@node1:~# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: isegrim@TEST.COM Valid starting Expires Service principal 21/06/2017 15:01 22/06/2017 01:01 krbtgt/TEST.COM@TEST.COM renew until 28/06/2017 15:01 root@node1:~# kafka-sentry --config `ls -dt /var/run/cloudera-scm-agent/process/*sentry* | head -n1` -lp -r myrole SLF4J: Class path contains multiple SLF4J bindings. SLF4J: Found binding in [jar:file:/opt/cloudera/parcels/KAFKA-2.1.1-1.2.1.1.p0.18/lib/kafka/libs/slf4j-log4j12-1.7.21.jar!/org/slf4j/impl/StaticLoggerBinder.class] SLF4J: Found binding in [jar:file:/opt/cloudera/parcels/KAFKA-2.1.1-1.2.1.1.p0.18/lib/kafka/libs/slf4j-log4j12-1.7.5.jar!/org/slf4j/impl/StaticLoggerBinder.class] SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation. SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory] [2017-06-21 15:02:16,992] ERROR Config key sentry.service.client.server.rpc-address is required (org.apache.sentry.provider.db.generic.tools.SentryShellKafka) java.lang.NullPointerException: Config key sentry.service.client.server.rpc-address is required at com.google.common.base.Preconditions.checkNotNull(Preconditions.java:229) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientDefaultImpl.&lt;init&gt;(SentryGenericServiceClientDefaultImpl.java:123) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory.create(SentryGenericServiceClientFactory.java:31) at org.apache.sentry.provider.db.generic.tools.SentryShellKafka.run(SentryShellKafka.java:51) at org.apache.sentry.provider.db.tools.SentryShellCommon.executeShell(SentryShellCommon.java:241) at org.apache.sentry.provider.db.generic.tools.SentryShellKafka.main(SentryShellKafka.java:96) The operation failed. Message: Config key sentry.service.client.server.rpc-address is required root@node1:~#</PRE><P>I can't see this configuration option in CM, but I see rpc-address is configured in CDH 5.10 Sentry service configuration, but without explanation what exactly address should it be or I don't see this:<BR /><A href="https://www.cloudera.com/documentation/enterprise/5-10-x/topics/sg_sentry_service_config.html" target="_blank">https://www.cloudera.com/documentation/enterprise/5-10-x/topics/sg_sentry_service_config.html</A></P><P>&nbsp;</P><P>&nbsp;Beside that I have that address set and working:</P><PRE>root@node1:~# grep -A 1 rpc `ls -dt /var/run/cloudera-scm-agent/process/*sentry* | head -n1`/sentry-site.xml &lt;name&gt;sentry.service.server.rpc-address&lt;/name&gt; &lt;value&gt;node1&lt;/value&gt; -- &lt;name&gt;sentry.service.server.rpc-port&lt;/name&gt; &lt;value&gt;8038&lt;/value&gt; root@node1:~# root@node1:~# ps -ef | grep `netstat -anpt | grep LISTEN | grep ':8038' | awk '{print $7}' | awk -F '/' '{print $1}'` sentry 4599 2654 0 14:35 ? 00:00:20 /usr/lib/jvm/java-8-oracle/jre/bin/java -Xmx1000m -Dhadoop.log.dir=/opt/cloudera/parcels/CDH-5.10.0-1.cdh5.10.0.p0.41/lib/hadoop/logs -Dhadoop.log.file=hadoop.log -Dhadoop.home.dir=/opt/cloudera/parcels/CDH-5.10.0-1.cdh5.10.0.p0.41/lib/hadoop -Dhadoop.id.str= -Dhadoop.root.logger=INFO,console -Djava.library.path=/opt/cloudera/parcels/CDH-5.10.0-1.cdh5.10.0.p0.41/lib/hadoop/lib/native -Dhadoop.policy.file=hadoop-policy.xml -Djava.net.preferIPv4Stack=true -Xms268435456 -Xmx268435456 -XX:OnOutOfMemoryError=/usr/lib/cmf/service/common/killparent.sh -Dhadoop.security.logger=INFO,NullAppender org.apache.hadoop.util.RunJar /opt/cloudera/parcels/CDH-5.10.0-1.cdh5.10.0.p0.41/lib/sentry/lib/sentry-core-common-1.5.1-cdh5.10.0.jar org.apache.sentry.SentryMain --command service --log4jConf /run/cloudera-scm-agent/process/1442-sentry-SENTRY_SERVER/sentry-log4j.properties -conffile /run/cloudera-scm-agent/process/1442-sentry-SENTRY_SERVER/sentry-site.xml sentry 4616 4599 0 14:35 ? 00:00:00 python2.7 /usr/lib/cmf/agent/build/env/bin/cmf-redactor /usr/lib/cmf/service/sentry/sentry.sh root@node1:~#</PRE><P>&nbsp;</P><P>One more update, when I run kafka-sentry command when I am logged as kafka user in Kerberos it gives me the same error as before disabling sentry privileges caching in Kafka:</P><PRE>root@node2:~# cd `ls -dt /var/run/cloudera-scm-agent/process/*kafka* | head -n1` root@node2:/var/run/cloudera-scm-agent/process/1445-kafka-KAFKA_BROKER# kinit -kt kafka.keytab kafka/node2@TEST.COM root@node2:/var/run/cloudera-scm-agent/process/1445-kafka-KAFKA_BROKER# kafka-sentry -lp -r zto SLF4J: Class path contains multiple SLF4J bindings. SLF4J: Found binding in [jar:file:/opt/cloudera/parcels/KAFKA-2.1.1-1.2.1.1.p0.18/lib/kafka/libs/slf4j-log4j12-1.7.21.jar!/org/slf4j/impl/StaticLoggerBinder.class] SLF4J: Found binding in [jar:file:/opt/cloudera/parcels/KAFKA-2.1.1-1.2.1.1.p0.18/lib/kafka/libs/slf4j-log4j12-1.7.5.jar!/org/slf4j/impl/StaticLoggerBinder.class] SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation. SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory] 17/06/21 17:18:09 WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable 17/06/21 17:18:10 ERROR tools.SentryShellKafka: Access denied to kafka. Server Stacktrace: org.apache.sentry.provider.db.SentryAccessDeniedException: Access denied to kafka at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor$10.handle(SentryGenericPolicyProcessor.java:607) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor.requestHandle(SentryGenericPolicyProcessor.java:201) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor.list_sentry_privileges_by_role(SentryGenericPolicyProcessor.java:599) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService$Processor$list_sentry_privileges_by_role.getResult(SentryGenericPolicyService.java:977) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService$Processor$list_sentry_privileges_by_role.getResult(SentryGenericPolicyService.java:962) at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39) at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessorWrapper.process(SentryGenericPolicyProcessorWrapper.java:37) at org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123) at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) org.apache.sentry.provider.db.SentryAccessDeniedException: Access denied to kafka. Server Stacktrace: org.apache.sentry.provider.db.SentryAccessDeniedException: Access denied to kafka at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor$10.handle(SentryGenericPolicyProcessor.java:607) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor.requestHandle(SentryGenericPolicyProcessor.java:201) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor.list_sentry_privileges_by_role(SentryGenericPolicyProcessor.java:599) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService$Processor$list_sentry_privileges_by_role.getResult(SentryGenericPolicyService.java:977) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService$Processor$list_sentry_privileges_by_role.getResult(SentryGenericPolicyService.java:962) at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39) at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessorWrapper.process(SentryGenericPolicyProcessorWrapper.java:37) at org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123) at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) at org.apache.sentry.service.thrift.Status.throwIfNotOk(Status.java:113) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientDefaultImpl.listPrivilegesByRoleName(SentryGenericServiceClientDefaultImpl.java:484) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientDefaultImpl.listPrivilegesByRoleName(SentryGenericServiceClientDefaultImpl.java:494) at org.apache.sentry.provider.db.generic.tools.command.ListPrivilegesByRoleCmd.execute(ListPrivilegesByRoleCmd.java:45) at org.apache.sentry.provider.db.generic.tools.SentryShellKafka.run(SentryShellKafka.java:83) at org.apache.sentry.provider.db.tools.SentryShellCommon.executeShell(SentryShellCommon.java:241) at org.apache.sentry.provider.db.generic.tools.SentryShellKafka.main(SentryShellKafka.java:96) The operation failed. Message: Access denied to kafka. Server Stacktrace: org.apache.sentry.provider.db.SentryAccessDeniedException: Access denied to kafka at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor$10.handle(SentryGenericPolicyProcessor.java:607) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor.requestHandle(SentryGenericPolicyProcessor.java:201) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor.list_sentry_privileges_by_role(SentryGenericPolicyProcessor.java:599) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService$Processor$list_sentry_privileges_by_role.getResult(SentryGenericPolicyService.java:977) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService$Processor$list_sentry_privileges_by_role.getResult(SentryGenericPolicyService.java:962) at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39) at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessorWrapper.process(SentryGenericPolicyProcessorWrapper.java:37) at org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123) at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) root@node2:/var/run/cloudera-scm-agent/process/1445-kafka-KAFKA_BROKER#</PRE><P><BR /><STRONG>When I add kafka group to Sentry admin groups (sentry.service.admin.group) it looks like everything is working, but only from kerberos logged user kafka:</STRONG></P><PRE>root@node2:~# klist<BR />Ticket cache: FILE:/tmp/krb5cc_0<BR />Default principal: kafka/node2@TEST.COM<BR /><BR />Valid starting&nbsp;&nbsp;&nbsp; Expires&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Service principal<BR />21/06/2017 17:16&nbsp; 22/06/2017 03:16&nbsp; krbtgt/TEST.COM@TEST.COM<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; renew until 28/06/2017 17:16<BR />root@node2:~# kafka-sentry -lp -r myrole SLF4J: Class path contains multiple SLF4J bindings. SLF4J: Found binding in [jar:file:/opt/cloudera/parcels/KAFKA-2.1.1-1.2.1.1.p0.18/lib/kafka/libs/slf4j-log4j12-1.7.21.jar!/org/slf4j/impl/StaticLoggerBinder.class] SLF4J: Found binding in [jar:file:/opt/cloudera/parcels/KAFKA-2.1.1-1.2.1.1.p0.18/lib/kafka/libs/slf4j-log4j12-1.7.5.jar!/org/slf4j/impl/StaticLoggerBinder.class] SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation. SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory] 17/06/21 17:31:46 WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable root@node2:~#</PRE> Wed, 21 Jun 2017 15:36:50 GMT Isegrim 2017-06-21T15:36:50Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Problem-starting-kerberized-Kafka-with-Sentry-on-CDH-5-10/m-p/56173#M63260 <P>Hello,<BR /><BR />I have CDH 5.10.1, KAFKA2.1 (0.10) - all of them kerberized.<BR />I wanted to use sentry with Kafka as this procedure says:<BR /><A href="https://www.cloudera.com/documentation/kafka/latest/topics/kafka_security.html#using_kafka_with_sentry" target="_blank">https://www.cloudera.com/documentation/kafka/latest/topics/kafka_security.html#using_kafka_with_sentry</A><BR /><BR />As procedure says, I've made all 5 pointes and then deploy client configuration and restart depending services and then Kafka did not start, giving error:</P><PRE>2017-06-20 16:01:30,892 ERROR org.apache.sentry.kafka.binding.KafkaAuthBindingSingleton: Unable to create KafkaAuthBinding java.lang.reflect.InvocationTargetException at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:526) at org.apache.sentry.kafka.binding.KafkaAuthBinding.createAuthProvider(KafkaAuthBinding.java:194) at org.apache.sentry.kafka.binding.KafkaAuthBinding.&lt;init&gt;(KafkaAuthBinding.java:97) at org.apache.sentry.kafka.binding.KafkaAuthBindingSingleton.configure(KafkaAuthBindingSingleton.java:63) at org.apache.sentry.kafka.authorizer.SentryKafkaAuthorizer.configure(SentryKafkaAuthorizer.java:120) at kafka.server.KafkaServer$$anonfun$startup$3.apply(KafkaServer.scala:211) at kafka.server.KafkaServer$$anonfun$startup$3.apply(KafkaServer.scala:209) at scala.Option.map(Option.scala:146) at kafka.server.KafkaServer.startup(KafkaServer.scala:209) at kafka.server.KafkaServerStartable.startup(KafkaServerStartable.scala:37) at kafka.Kafka$.main(Kafka.scala:67) at com.cloudera.kafka.wrap.Kafka$.main(Kafka.scala:76) at com.cloudera.kafka.wrap.Kafka.main(Kafka.scala) Caused by: java.lang.RuntimeException: Failed to get privileges from Sentry to build cache. at org.apache.sentry.provider.db.generic.SentryGenericProviderBackend.initialize(SentryGenericProviderBackend.java:89) at org.apache.sentry.policy.kafka.SimpleKafkaPolicyEngine.&lt;init&gt;(SimpleKafkaPolicyEngine.java:44) ... 16 more Caused by: org.apache.sentry.provider.db.SentryAccessDeniedException: Access denied to kafka. Server Stacktrace: org.apache.sentry.provider.db.SentryAccessDeniedException: Access denied to kafka at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor$9.handle(SentryGenericPolicyProcessor.java:575) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor.requestHandle(SentryGenericPolicyProcessor.java:201)</PRE><P>The same messages are in Setnry log.</P><P>&nbsp;</P><P>I've checked Sentry configuration and there is configured kafka user as one of service users in sentry.service.allow.connect setting.<BR /><BR />kafka is local (not LDAP) user, that has the same uid and gid in Linux on every cluster node.<BR /><BR />Can some one tell me what else should I do to let kafka user to get be allowed to query sentry?</P><P>&nbsp;</P><P>Best Regards</P> Fri, 16 Sep 2022 11:47:31 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Problem-starting-kerberized-Kafka-with-Sentry-on-CDH-5-10/m-p/56173#M63260 Isegrim 2022-09-16T11:47:31Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Problem-starting-kerberized-Kafka-with-Sentry-on-CDH-5-10/m-p/56177#M63261 Thats definitely unusual, the sentry.service.allow.connect governs access and would throw that exception you are observing. Can you confirm that you do have the kafka system user as 'kafka' and that there aren't any typos?<BR /><BR />Can you include the sentry stack trace with the exception?<BR /><BR />Additionally, can you run the following, both on the kafka broker and sentry node and confirm they match:<BR />id kafka<BR /><BR />-pd Tue, 20 Jun 2017 16:42:01 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Problem-starting-kerberized-Kafka-with-Sentry-on-CDH-5-10/m-p/56177#M63261 pdvorak 2017-06-20T16:42:01Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Problem-starting-kerberized-Kafka-with-Sentry-on-CDH-5-10/m-p/56198#M63262 <P>Hi pdvorak!</P><P>&nbsp;</P><P>Thank you for your fast reply. Yest for me this is also very strange, that is why I've decided to turn to community.</P><P>I have 4 nodes, where node 1 has Sentry Server, and node{2..4} are worker nodes (HDFS DataNode + YARN Node Manager).</P><P>&nbsp;</P><P>id kafka:</P><PRE>isegrim@node1:~$ for i in {1..4}; do ssh node$i "id kafka"; done uid=998(kafka) gid=999(kafka) groups=999(kafka) uid=998(kafka) gid=999(kafka) groups=999(kafka) uid=998(kafka) gid=999(kafka) groups=999(kafka) uid=998(kafka) gid=999(kafka) groups=999(kafka) isegrim@node1:~$</PRE><P><BR />StackTrace:</P><PRE>isegrim@node1:~$ grep '2017-06-20 16:01:30.* ERROR' -A 16 /var/log/sentry/hadoop-cmf-sentry-SENTRY_SERVER-node1.log.out 2017-06-20 16:01:30,840 ERROR org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor: Access denied to kafka org.apache.sentry.provider.db.SentryAccessDeniedException: Access denied to kafka at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor$9.handle(SentryGenericPolicyProcessor.java:575) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor.requestHandle(SentryGenericPolicyProcessor.java:201) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor.list_sentry_roles_by_group(SentryGenericPolicyProcessor.java:563) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService$Processor$list_sentry_roles_by_group.getResult(SentryGenericPolicyService.java:957) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService$Processor$list_sentry_roles_by_group.getResult(SentryGenericPolicyService.java:942) at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39) at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessorWrapper.process(SentryGenericPolicyProcessorWrapper.java:37) at org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123) at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) 2017-06-20 16:01:39,091 ERROR org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor: Access denied to kafka org.apache.sentry.provider.db.SentryAccessDeniedException: Access denied to kafka isegrim@node1:~$</PRE><P><BR />Confirmation of sentry.service.allow.connect setting:</P><PRE>root@node1:~# cd `ls -dt /var/run/cloudera-scm-agent/process/*sentry* | tail -n1` root@node1:/var/run/cloudera-scm-agent/process/1365-sentry-SENTRY_SERVER# grep -A 1 sentry.service.allow.connect sentry-site.xml &lt;name&gt;sentry.service.allow.connect&lt;/name&gt; &lt;value&gt;hive,impala,hue,hdfs,solr,kafka&lt;/value&gt; root@node1:/var/run/cloudera-scm-agent/process/1365-sentry-SENTRY_SERVER#</PRE><P>&nbsp;</P><P>&nbsp;</P><P>Kafka configuration for sentry (in CM).</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kafka.sentry.JPG" style="width: 600px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/3083i638AC34D230BE859/image-size/large?v=v2&amp;px=999" role="button" title="kafka.sentry.JPG" alt="kafka.sentry.JPG" /></span></P><P>&nbsp;</P><P>Kafka configuration - users (in CM).</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kafka.user.jpg" style="width: 600px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/3082i08F65659525923FD/image-size/large?v=v2&amp;px=999" role="button" title="kafka.user.jpg" alt="kafka.user.jpg" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>Sentry configuration -&nbsp;sentry.service.allow.connect (in CM).</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sentry.kafka.jpg" style="width: 600px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/3084i06B9889A5E9AEB99/image-size/large?v=v2&amp;px=999" role="button" title="sentry.kafka.jpg" alt="sentry.kafka.jpg" /></span></P><P>I have no idea what have I done wrong or didn't do. Please help.</P><P>&nbsp;</P><P>Best Regards</P><P>&nbsp;</P> Tue, 20 Jun 2017 20:18:21 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Problem-starting-kerberized-Kafka-with-Sentry-on-CDH-5-10/m-p/56198#M63262 Isegrim 2017-06-20T20:18:21Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Problem-starting-kerberized-Kafka-with-Sentry-on-CDH-5-10/m-p/56221#M63263 <P>Hi</P><P>&nbsp;</P><P>I've checked the code and made some tests and it looks like Sentry beside sentry.service.allow.connect setting needs also to add group kafka as admin group in sentry.service.admin.group setting, which can be some security problem, because anyone in group kafka will be able to do anything on the cluster.</P><P>&nbsp;</P><P>The method handle() from org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor (from the Kafka and Sentry the stack trace) requests that user should be in one of Sentry admin group, and after I added kafka group Kafka brokers started properly without errors:</P><P>&nbsp;</P><P><A href="https://github.com/cloudera/sentry/blob/cdh5-1.5.1_5.10.0/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java" target="_blank">https://github.com/cloudera/sentry/blob/cdh5-1.5.1_5.10.0/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java</A></P><P>&nbsp;</P><PRE> public Response&lt;Set&lt;TSentryRole&gt;&gt; handle() throws Exception { validateClientVersion(request.getProtocol_version()); Set&lt;String&gt; groups = getRequestorGroups(conf, request.getRequestorUserName()); if (AccessConstants.ALL.equalsIgnoreCase(request.getGroupName())) { //check all groups which requestorUserName belongs to } else { boolean admin = inAdminGroups(groups); //Only admin users can list all roles in the system ( groupname = null) //Non admin users are only allowed to list only groups which they belong to if(!admin &amp;&amp; (request.getGroupName() == null || !groups.contains(request.getGroupName()))) { throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE + request.getRequestorUserName()); } groups.clear(); groups.add(request.getGroupName()); }</PRE><P><BR />I don't see sense of adding group kafka to sentry.service.admin.group because as Sentry documentation says:</P><P>&nbsp;</P><P><A href="https://cwiki.apache.org/confluence/display/SENTRY/Sentry+Service+Configuration" target="_blank">https://cwiki.apache.org/confluence/display/SENTRY/Sentry+Service+Configuration</A></P><P><STRONG>sentry.service.admin.group - List of groups allowed to make policy updates</STRONG></P><P>&nbsp;</P><P>And since in kafka group we want only to be the kafka service, which should only check permissions at Sentry, there is no need for write permission to make policy changes, because kafka itself should not do any policy changes.</P><P>&nbsp;</P><P>I've double checked eventual typos but I found none. I've done copy/paste as well as entering "kafka" by finger in every field in CM and restart cluster and deploy client configuration, but the above result was the olny one.</P><P>&nbsp;</P> Wed, 21 Jun 2017 10:39:02 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Problem-starting-kerberized-Kafka-with-Sentry-on-CDH-5-10/m-p/56221#M63263 Isegrim 2017-06-21T10:39:02Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Problem-starting-kerberized-Kafka-with-Sentry-on-CDH-5-10/m-p/56230#M63264 <P>Well as far as I can read the code I've cited, there is problem when Kafka wants to list roles, and it want to do this when caching Sentry privileges is enabled.</P><P>&nbsp;</P><P>When I:</P><P>1. In Kafka configuration disabled sentry.kafka.caching.enable</P><P>2. In Sentry configuration deleted kafka group from sentry.service.admin.group, so the configuration is:</P><PRE>root@node1:~# cd `ls -dt /var/run/cloudera-scm-agent/process/*sentry* | head -n1` root@node1:/var/run/cloudera-scm-agent/process/1442-sentry-SENTRY_SERVER# grep -A 1 -E "sentry.service.(allow.connect|admin.group)" sentry-site.xml &lt;name&gt;sentry.service.admin.group&lt;/name&gt; &lt;value&gt;hive,impala,hue,sudo&lt;/value&gt; -- &lt;name&gt;sentry.service.allow.connect&lt;/name&gt; &lt;value&gt;hive,impala,hue,hdfs,solr,kafka&lt;/value&gt; root@node1:/var/run/cloudera-scm-agent/process/1442-sentry-SENTRY_SERVER#</PRE><P>&nbsp;</P><P>&nbsp;</P><P>3. Depoly client configuration and restart dependant services</P><P>&nbsp;</P><P>After this steps Kafka started properly, so turning off caching of Sentry privileges was a workaround for me to start Kafka without errors.<BR /><BR />Though I have problems when using kafka-sentry tool:</P><PRE>root@node1:~# kinit isegrim Password for isegrim@TEST.COM: root@node1:~# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: isegrim@TEST.COM Valid starting Expires Service principal 21/06/2017 15:01 22/06/2017 01:01 krbtgt/TEST.COM@TEST.COM renew until 28/06/2017 15:01 root@node1:~# kafka-sentry --config `ls -dt /var/run/cloudera-scm-agent/process/*sentry* | head -n1` -lp -r myrole SLF4J: Class path contains multiple SLF4J bindings. SLF4J: Found binding in [jar:file:/opt/cloudera/parcels/KAFKA-2.1.1-1.2.1.1.p0.18/lib/kafka/libs/slf4j-log4j12-1.7.21.jar!/org/slf4j/impl/StaticLoggerBinder.class] SLF4J: Found binding in [jar:file:/opt/cloudera/parcels/KAFKA-2.1.1-1.2.1.1.p0.18/lib/kafka/libs/slf4j-log4j12-1.7.5.jar!/org/slf4j/impl/StaticLoggerBinder.class] SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation. SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory] [2017-06-21 15:02:16,992] ERROR Config key sentry.service.client.server.rpc-address is required (org.apache.sentry.provider.db.generic.tools.SentryShellKafka) java.lang.NullPointerException: Config key sentry.service.client.server.rpc-address is required at com.google.common.base.Preconditions.checkNotNull(Preconditions.java:229) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientDefaultImpl.&lt;init&gt;(SentryGenericServiceClientDefaultImpl.java:123) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory.create(SentryGenericServiceClientFactory.java:31) at org.apache.sentry.provider.db.generic.tools.SentryShellKafka.run(SentryShellKafka.java:51) at org.apache.sentry.provider.db.tools.SentryShellCommon.executeShell(SentryShellCommon.java:241) at org.apache.sentry.provider.db.generic.tools.SentryShellKafka.main(SentryShellKafka.java:96) The operation failed. Message: Config key sentry.service.client.server.rpc-address is required root@node1:~#</PRE><P>I can't see this configuration option in CM, but I see rpc-address is configured in CDH 5.10 Sentry service configuration, but without explanation what exactly address should it be or I don't see this:<BR /><A href="https://www.cloudera.com/documentation/enterprise/5-10-x/topics/sg_sentry_service_config.html" target="_blank">https://www.cloudera.com/documentation/enterprise/5-10-x/topics/sg_sentry_service_config.html</A></P><P>&nbsp;</P><P>&nbsp;Beside that I have that address set and working:</P><PRE>root@node1:~# grep -A 1 rpc `ls -dt /var/run/cloudera-scm-agent/process/*sentry* | head -n1`/sentry-site.xml &lt;name&gt;sentry.service.server.rpc-address&lt;/name&gt; &lt;value&gt;node1&lt;/value&gt; -- &lt;name&gt;sentry.service.server.rpc-port&lt;/name&gt; &lt;value&gt;8038&lt;/value&gt; root@node1:~# root@node1:~# ps -ef | grep `netstat -anpt | grep LISTEN | grep ':8038' | awk '{print $7}' | awk -F '/' '{print $1}'` sentry 4599 2654 0 14:35 ? 00:00:20 /usr/lib/jvm/java-8-oracle/jre/bin/java -Xmx1000m -Dhadoop.log.dir=/opt/cloudera/parcels/CDH-5.10.0-1.cdh5.10.0.p0.41/lib/hadoop/logs -Dhadoop.log.file=hadoop.log -Dhadoop.home.dir=/opt/cloudera/parcels/CDH-5.10.0-1.cdh5.10.0.p0.41/lib/hadoop -Dhadoop.id.str= -Dhadoop.root.logger=INFO,console -Djava.library.path=/opt/cloudera/parcels/CDH-5.10.0-1.cdh5.10.0.p0.41/lib/hadoop/lib/native -Dhadoop.policy.file=hadoop-policy.xml -Djava.net.preferIPv4Stack=true -Xms268435456 -Xmx268435456 -XX:OnOutOfMemoryError=/usr/lib/cmf/service/common/killparent.sh -Dhadoop.security.logger=INFO,NullAppender org.apache.hadoop.util.RunJar /opt/cloudera/parcels/CDH-5.10.0-1.cdh5.10.0.p0.41/lib/sentry/lib/sentry-core-common-1.5.1-cdh5.10.0.jar org.apache.sentry.SentryMain --command service --log4jConf /run/cloudera-scm-agent/process/1442-sentry-SENTRY_SERVER/sentry-log4j.properties -conffile /run/cloudera-scm-agent/process/1442-sentry-SENTRY_SERVER/sentry-site.xml sentry 4616 4599 0 14:35 ? 00:00:00 python2.7 /usr/lib/cmf/agent/build/env/bin/cmf-redactor /usr/lib/cmf/service/sentry/sentry.sh root@node1:~#</PRE><P>&nbsp;</P><P>One more update, when I run kafka-sentry command when I am logged as kafka user in Kerberos it gives me the same error as before disabling sentry privileges caching in Kafka:</P><PRE>root@node2:~# cd `ls -dt /var/run/cloudera-scm-agent/process/*kafka* | head -n1` root@node2:/var/run/cloudera-scm-agent/process/1445-kafka-KAFKA_BROKER# kinit -kt kafka.keytab kafka/node2@TEST.COM root@node2:/var/run/cloudera-scm-agent/process/1445-kafka-KAFKA_BROKER# kafka-sentry -lp -r zto SLF4J: Class path contains multiple SLF4J bindings. SLF4J: Found binding in [jar:file:/opt/cloudera/parcels/KAFKA-2.1.1-1.2.1.1.p0.18/lib/kafka/libs/slf4j-log4j12-1.7.21.jar!/org/slf4j/impl/StaticLoggerBinder.class] SLF4J: Found binding in [jar:file:/opt/cloudera/parcels/KAFKA-2.1.1-1.2.1.1.p0.18/lib/kafka/libs/slf4j-log4j12-1.7.5.jar!/org/slf4j/impl/StaticLoggerBinder.class] SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation. SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory] 17/06/21 17:18:09 WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable 17/06/21 17:18:10 ERROR tools.SentryShellKafka: Access denied to kafka. Server Stacktrace: org.apache.sentry.provider.db.SentryAccessDeniedException: Access denied to kafka at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor$10.handle(SentryGenericPolicyProcessor.java:607) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor.requestHandle(SentryGenericPolicyProcessor.java:201) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor.list_sentry_privileges_by_role(SentryGenericPolicyProcessor.java:599) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService$Processor$list_sentry_privileges_by_role.getResult(SentryGenericPolicyService.java:977) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService$Processor$list_sentry_privileges_by_role.getResult(SentryGenericPolicyService.java:962) at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39) at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessorWrapper.process(SentryGenericPolicyProcessorWrapper.java:37) at org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123) at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) org.apache.sentry.provider.db.SentryAccessDeniedException: Access denied to kafka. Server Stacktrace: org.apache.sentry.provider.db.SentryAccessDeniedException: Access denied to kafka at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor$10.handle(SentryGenericPolicyProcessor.java:607) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor.requestHandle(SentryGenericPolicyProcessor.java:201) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor.list_sentry_privileges_by_role(SentryGenericPolicyProcessor.java:599) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService$Processor$list_sentry_privileges_by_role.getResult(SentryGenericPolicyService.java:977) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService$Processor$list_sentry_privileges_by_role.getResult(SentryGenericPolicyService.java:962) at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39) at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessorWrapper.process(SentryGenericPolicyProcessorWrapper.java:37) at org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123) at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) at org.apache.sentry.service.thrift.Status.throwIfNotOk(Status.java:113) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientDefaultImpl.listPrivilegesByRoleName(SentryGenericServiceClientDefaultImpl.java:484) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientDefaultImpl.listPrivilegesByRoleName(SentryGenericServiceClientDefaultImpl.java:494) at org.apache.sentry.provider.db.generic.tools.command.ListPrivilegesByRoleCmd.execute(ListPrivilegesByRoleCmd.java:45) at org.apache.sentry.provider.db.generic.tools.SentryShellKafka.run(SentryShellKafka.java:83) at org.apache.sentry.provider.db.tools.SentryShellCommon.executeShell(SentryShellCommon.java:241) at org.apache.sentry.provider.db.generic.tools.SentryShellKafka.main(SentryShellKafka.java:96) The operation failed. Message: Access denied to kafka. Server Stacktrace: org.apache.sentry.provider.db.SentryAccessDeniedException: Access denied to kafka at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor$10.handle(SentryGenericPolicyProcessor.java:607) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor.requestHandle(SentryGenericPolicyProcessor.java:201) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor.list_sentry_privileges_by_role(SentryGenericPolicyProcessor.java:599) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService$Processor$list_sentry_privileges_by_role.getResult(SentryGenericPolicyService.java:977) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService$Processor$list_sentry_privileges_by_role.getResult(SentryGenericPolicyService.java:962) at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39) at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39) at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessorWrapper.process(SentryGenericPolicyProcessorWrapper.java:37) at org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123) at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) root@node2:/var/run/cloudera-scm-agent/process/1445-kafka-KAFKA_BROKER#</PRE><P><BR /><STRONG>When I add kafka group to Sentry admin groups (sentry.service.admin.group) it looks like everything is working, but only from kerberos logged user kafka:</STRONG></P><PRE>root@node2:~# klist<BR />Ticket cache: FILE:/tmp/krb5cc_0<BR />Default principal: kafka/node2@TEST.COM<BR /><BR />Valid starting&nbsp;&nbsp;&nbsp; Expires&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Service principal<BR />21/06/2017 17:16&nbsp; 22/06/2017 03:16&nbsp; krbtgt/TEST.COM@TEST.COM<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; renew until 28/06/2017 17:16<BR />root@node2:~# kafka-sentry -lp -r myrole SLF4J: Class path contains multiple SLF4J bindings. SLF4J: Found binding in [jar:file:/opt/cloudera/parcels/KAFKA-2.1.1-1.2.1.1.p0.18/lib/kafka/libs/slf4j-log4j12-1.7.21.jar!/org/slf4j/impl/StaticLoggerBinder.class] SLF4J: Found binding in [jar:file:/opt/cloudera/parcels/KAFKA-2.1.1-1.2.1.1.p0.18/lib/kafka/libs/slf4j-log4j12-1.7.5.jar!/org/slf4j/impl/StaticLoggerBinder.class] SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation. SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory] 17/06/21 17:31:46 WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable root@node2:~#</PRE> Wed, 21 Jun 2017 15:36:50 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Problem-starting-kerberized-Kafka-with-Sentry-on-CDH-5-10/m-p/56230#M63264 Isegrim 2017-06-21T15:36:50Z