How to set Kerberos Kafka + Haproxy (Load Balancer)

Hello:

How do I use HAProxy to connect to Kafka with Kerberos authentication?

I have three Kafka brokers, and I tried to use HAProxy in front of Kafka, but Kerberos authentication failed.

My haproxy.conf

listen kafka
 bind *:6677
 mode tcp
 balance roundrobin
 server kafka1 kafka-1.kafka.net:6668 check
 server kafka2 kafka-2.kafka.net:6669 check
 server kafka3 kafka-3.kafka.net:6666 check

I also modified

kafka1 server.properties

  • advertised.listeners=INTERNAL://:6667,LB://gateway.kafka.net:6668
  • listeners=INTERNAL://:6667,LB://:6668
  • listener.security.protocol.map=INTERNAL:SASL_PLAINTEXT,LB:SASL_PLAINTEXT
  • inter.broker.listener.name=INTERNAL
  • listener.name.LB.gssapi.sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true useKeyTab=true storeKey=true keyTab="/etc/security/keytabs/kafka.service.keytab" principal="kafka/gateway.kafka.net@KAFKA.NET";

kafka2 server.properties

  • advertised.listeners=INTERNAL://:6667,LB://gateway.kafka.net:6669
  • listeners=INTERNAL://:6667,LB://:6669
  • listener.security.protocol.map=INTERNAL:SASL_PLAINTEXT,LB:SASL_PLAINTEXT
  • inter.broker.listener.name=INTERNAL
  • listener.name.LB.gssapi.sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true useKeyTab=true storeKey=true keyTab="/etc/security/keytabs/kafka.service.keytab" principal="kafka/gateway.kafka.net@KAFKA.NET";

kafka3 server.properties

  • advertised.listeners=INTERNAL://:6667,LB://gateway.kafka.net:6666
  • listeners=INTERNAL://:6667,LB://:6666
  • listener.security.protocol.map=INTERNAL:SASL_PLAINTEXT,LB:SASL_PLAINTEXT
  • inter.broker.listener.name=INTERNAL
  • listener.name.LB.gssapi.sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true useKeyTab=true storeKey=true keyTab="/etc/security/keytabs/kafka.service.keytab" principal="kafka/gateway.kafka.net@KAFKA.NET";

and use the command

/usr/hdp/current/kafka-broker/bin/kafka-console-producer.sh --topic my-topic --broker-list gateway.kafka.net:6677 --producer-property security.protocol=SASL_PLAINTEXT

 

I get the error:

[2024-10-08 20:07:58,330] ERROR [Producer clientId=console-producer] Connection to node -1 failed authentication due to: Authentication failed due to invalid credentials with SASL mechanism GSSAPI (org.apache.kafka.clients.NetworkClient)
[2024-10-08 20:07:58,330] ERROR Error when sending message to topic my-topic5 with key: null, value: 0 bytes with error: (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback)
