Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

ConsumeKafka processor's NiFi can't communicate with Kafka in kerberized cluster

Labels:
avatar
author-rank ururu
Rising Star

Created ‎01-17-2019 02:54 PM

Hello,

I have enable kerberos on cluster. I can successfully connect to consumer through kafka-konsole-consumer.

But when i try to connect to topic through NiFi ConsumeKafka processor i have error:

WARN [Timer-Driven Process Thread-8] o.a.n.p.kafka.pubsub.ConsumeKafka_1_0 ConsumeKafka_1_0[id=504e5811-0168-1000-0000-000024c83cc5] Was interrupted while trying to communicate with Kafka with lease org.apache.nifi.processors.kafka.pubsub.ConsumerPool$SimpleConsumerLease@51911c24. Will roll back session and discard any partially received data.   WARN [kafka-kerberos-refresh-thread-nifi/*@*] o.a.k.c.security.kerberos.KerberosLogin [Principal=nifi/*@*]: TGT renewal thread has been interrupted and will exit.

7,671 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank Shelton
Master Mentor

Created ‎01-22-2019 07:51 PM

@ Ruslan Fialkovsky

Can you log on both cluster as zookeeper run kinit then 

$ /usr/hdp/current/zookeeper-server/bin/zkCli.sh
[zk: localhost:2181(CONNECTED) 0] getAcl /config/topics

Compare the outputs there should be a difference between the 2 cluster

sample output

[zk: localhost:2181(CONNECTED) 1] getAcl /config/topics
'world,'anyone 
: r 
'sasl,'kafka 
: cdrwa

And on the other

[zk: localhost:2181(CONNECTED) 1] getAcl /config/topics 
'world,'anyone 
: cdrwa

If that's the case have a look at how to set the correct ACL for the /config/topics in this HCC document

Please let me know

View solution in original post

7,161 Views
16 REPLIES 16

avatar
author-rank ururu
Rising Star

Created ‎01-23-2019 09:45 AM

@Geoffrey Shelton Okot

Can i remove zookeeper's trees? Will they be recreate after deleting with right permission?

3,635 Views
0 Kudos

avatar
author-rank Shelton
Master Mentor

Created ‎01-23-2019 08:19 AM

@ Ruslan Fialkovsky

Can you compare these files on both cluster, if it doesn't exist on the DEV then create them with correct owner and privileges

Kafka

/etc/kafka/conf/kafka_client_jaas.conf 
/etc/kafka/conf/kafka_jaas.conf

Zookeeper

/etc/zookeeper/conf/zookeeper_jaas.conf
/etc/zookeeper/conf/zookeeper_client_jaas.conf

After updating these files restart the zk and Kafka and retry

HTH

3,635 Views
0 Kudos

avatar
author-rank ururu
Rising Star

Created ‎01-23-2019 08:44 AM

@Geoffrey Shelton Okot

I compared files, yes their exists and the same.

3,635 Views
0 Kudos

avatar
author-rank Shelton
Master Mentor

Created ‎01-23-2019 10:07 AM

@ Ruslan Fialkovsky

Logon to Zk on DEV and PROD Check whether you have child znodes under 

 ls /config/topics

Validate that you have Kerberos entries in /etc/nifi/conf/nifi_jaas.conf

example 

NiFiClient { 
    com.sun.security.auth.module.Krb5LoginModule required 
    useKeyTab=true keyTab="/etc/security/keytabs/nifi.service.keytab" 
    storeKey=true 
    useTicketCache=false 
    principal="nifi/{kdc_host}@REALM"; 
}; 
RegistryClient { 
    com.sun.security.auth.module.Krb5LoginModule required 
    useKeyTab=true keyTab="/etc/security/keytabs/nifi.service.keytab" 
    storeKey=true 
    useTicketCache=false 
    principal="nifi/{kdc_host}@REALM";

Please revert

3,635 Views
0 Kudos

avatar
author-rank ururu
Rising Star

Created ‎01-23-2019 01:17 PM

@Geoffrey Shelton Okot

Yes i have

ls /config/topics
[test1]
NiFiClient {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/keytabs/nifi.service.keytab"
  storeKey=true
  useTicketCache=false
  principal="nifi/host@RAIFFEISEN.RU";
};
RegistryClient {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/keytabs/nifi.service.keytab"
  storeKey=true
  useTicketCache=false
  principal="nifi/host@RAIFFEISEN.RU";
3,635 Views
0 Kudos

avatar
author-rank Shelton
Master Mentor

Created ‎01-23-2019 04:55 PM

@Ruslan Fialkovsky

I think the topics created before changing the ACL's don't inherit the permissions. From the znode entry, I see you have one topic called test.

To validate can you create a new topic and ensure you change them in your Nifi flow files and retest! Normally if you run rmr in zookeeper CLI the entry deleted should be created but I am not sure for Kafka topics.

Please revert

3,635 Views
0 Kudos

avatar
author-rank ururu
Rising Star

Created on ‎02-04-2019 04:11 PM - edited ‎08-17-2019 02:58 PM

@Geoffrey Shelton Okot

Thank you, you are right, the problem was really in zookeeper's acl.

I copied everything in "ZooKeeper directory" from Test cluster to Dev cluster and that was help. But i don't know what exactly permission affected it. Is something way to get list all acl permission by Zookeeper? I would like to compare it with all acl from both cluster.

101381-capture.jpg

3,635 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements