Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Kafka consumer problem on kerberos enabled cluster

Labels:
avatar
author-rank mattyy_007
New Member

Created ‎09-07-2016 12:02 PM

Hi everybody,

I have some problem in consuming from topic on a Kerberos enabled cluster. On the cluster is HDP-2.3.2 (with Kafka 0.8.2).

I can read the data from the topic but when my consumer tries to commit offsets I get the following exception. I tried to authorize my consumer but even the documentation isn't clear about it (first it says that you need READ and DESCRIBE permission but then gives READ and CREATE, on an other topic that mentions before).

2016-09-07 12:23:50 ERROR ZookeeperConsumerConnector:103 - [anp-testgroup_mybroker.host.com-1473243827746-c4749523], exception during autoCommit:
org.I0Itec.zkclient.exception.ZkException: org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /consumers/anp-testgroup/offsets/anp_test/0
        at org.I0Itec.zkclient.exception.ZkException.create(ZkException.java:68)
        at org.I0Itec.zkclient.ZkClient.retryUntilConnected(ZkClient.java:981)
        at org.I0Itec.zkclient.ZkClient.writeDataReturnStat(ZkClient.java:1121)
        at org.I0Itec.zkclient.ZkClient.writeData(ZkClient.java:1116)
        at org.I0Itec.zkclient.ZkClient.writeData(ZkClient.java:1085)
        at kafka.utils.ZkUtils$.updatePersistentPath(ZkUtils.scala:417)
        at kafka.consumer.ZookeeperConsumerConnector.commitOffsetToZooKeeper(ZookeeperConsumerConnector.scala:304)
        at kafka.consumer.ZookeeperConsumerConnector$$anonfun$5.apply(ZookeeperConsumerConnector.scala:338)
        at kafka.consumer.ZookeeperConsumerConnector$$anonfun$5.apply(ZookeeperConsumerConnector.scala:337)
        at scala.collection.immutable.Map$Map4.foreach(Map.scala:181)
        at kafka.consumer.ZookeeperConsumerConnector.commitOffsets(ZookeeperConsumerConnector.scala:337)
        at kafka.consumer.ZookeeperConsumerConnector.commitOffsets(ZookeeperConsumerConnector.scala:324)
        at kafka.consumer.ZookeeperConsumerConnector.autoCommit(ZookeeperConsumerConnector.scala:292)
        at kafka.consumer.ZookeeperConsumerConnector$$anonfun$1.apply$mcV$sp(ZookeeperConsumerConnector.scala:146)
        at kafka.utils.KafkaScheduler$$anonfun$1.apply$mcV$sp(KafkaScheduler.scala:108)
        at kafka.utils.CoreUtils$$anon$1.run(CoreUtils.scala:60)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /consumers/anp-testgroup/offsets/anp_test/0
        at org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
        at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
        at org.apache.zookeeper.ZooKeeper.setData(ZooKeeper.java:1270)
        at org.I0Itec.zkclient.ZkConnection.writeDataReturnStat(ZkConnection.java:126)
        at org.I0Itec.zkclient.ZkClient$14.call(ZkClient.java:1125)
        at org.I0Itec.zkclient.ZkClient.retryUntilConnected(ZkClient.java:971)
        ... 21 more

Any advice on what can cause the problem.

Thanks!

9,476 Views
0 Kudos
0
1 ACCEPTED SOLUTION

avatar
author-rank mkumar2
New Member

Created ‎09-07-2016 02:35 PM

looks like issue is related to ZooKeeper permissions. You can try by creating new consumer group. we can use bin/zookeeper-shell.sh to verify the acl on znodes.

View solution in original post

6,488 Views
0
3 REPLIES 3

avatar
author-rank mkumar2
New Member

Created ‎09-07-2016 02:35 PM

looks like issue is related to ZooKeeper permissions. You can try by creating new consumer group. we can use bin/zookeeper-shell.sh to verify the acl on znodes.

6,489 Views
0

avatar
author-rank mattyy_007
New Member

Created ‎09-08-2016 08:28 AM

Thanks @mkumar. I verified the acl-s and just the kafka service had "cdrwa" authorization anyone else just "r". I set it "cdrwa" to anyone and the problem disappeared. But it's weird that by using the kafka authorizer(kafka-acls.sh) you can't resolve this.

6,488 Views
0 Kudos

avatar
author-rank mkumar2
New Member

Created ‎09-08-2016 09:06 AM

Hi,

kafka-acls.sh script is used to create the ACLs for kafka users. It's not used for zookeeper acl.

As per design, Only broker users can modify the zookeeper nodes, Others can only read the zk nodes. This is to improve security around zookeeper.

You can also use new consumer API, which does not depend Zookeeper. It is available in HDP 2.5.

ps: you can upvote, If you are satisfied with my answer

6,488 Views
0 Kudos
Announcements
What's New @ Cloudera
Upgrade Your Spark Experience: Introducing CDS 3.5 for Cloud...
Community Announcements
August 2025 Community Highlights
Community Announcements
July 2025 Community Highlights
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
Community Announcements
Join Us at CommunityOverCode Asia 2025: Exploring the Future...
View More Announcements