Member since
06-27-2020
05-04-2021
12:08 AM
Hello @BGabor This error "TrustManager is not specified" can be thrown due to some of the following issues: missing cert files, or missing/wrong values for the below configs. Make sure the following properties are set:

xasecure.policymgr.clientssl.keystore.credential.file=jceks://file/{{credential_file}}
xasecure.policymgr.clientssl.truststore.credential.file=jceks://file/{{credential_file}}
xasecure.policymgr.clientssl.truststore=/path/to/truststore

Also came across these Ranger JIRAs, which indicate that the truststore info is not specified in cacert, or that cacert needs to be manually configured. Note: they are fixed in Ranger 2.0.1, so you may also want to check the Ranger version.
https://issues.apache.org/jira/browse/RANGER-2611
https://issues.apache.org/jira/browse/RANGER-2907
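As an added example (not from the post above and not Apache Ranger's own code), a small checker for the three client-SSL properties the reply lists. It reads them in the key=value form shown, maps a jceks://file/<path> credential URI to a local file the way Hadoop's credential-provider path convention does, and reports values that are missing, still an unfilled {{template}} placeholder, or pointing at a file that does not exist. The property values and paths in SAMPLE_PROPS are constructed, and the file-existence check is injectable so the sample runs offline.

```python
"""Check the Ranger plugin client-SSL properties named in the reply above.

Added example, not from the post or from Apache Ranger. Property values and
file paths in SAMPLE_PROPS are constructed for illustration.
"""
import os
from urllib.parse import urlparse

REQUIRED = (
    "xasecure.policymgr.clientssl.keystore.credential.file",
    "xasecure.policymgr.clientssl.truststore.credential.file",
    "xasecure.policymgr.clientssl.truststore",
)

# Constructed sample: the truststore credential file is still an unfilled
# template placeholder, exactly the kind of value the reply warns about.
SAMPLE_PROPS = """
xasecure.policymgr.clientssl.keystore.credential.file=jceks://file/etc/ranger/kafka/conf/ranger-plugin-keystore.jceks
xasecure.policymgr.clientssl.truststore.credential.file=jceks://file/{{credential_file}}
xasecure.policymgr.clientssl.truststore=/etc/ranger/kafka/conf/ranger-plugin-truststore.jks
"""


def parse_properties(text):
    """Parse key=value lines (blank lines and # comments ignored) into a dict."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def credential_path(value):
    """Map jceks://file/<path> (Hadoop credential-provider URI) to a local path.

    Returns None when the value is not a jceks://file URI.
    """
    parsed = urlparse(value)
    if parsed.scheme != "jceks" or parsed.netloc != "file":
        return None
    return parsed.path


def check_clientssl_props(props, exists=os.path.exists):
    """Return human-readable findings; an empty list means the three properties look usable.

    `exists` is injectable so the check can be run against constructed paths.
    """
    findings = []
    for key in REQUIRED:
        value = props.get(key, "")
        if not value or "{{" in value:
            findings.append(f"{key}: missing or still an unfilled template placeholder")
            continue
        if key.endswith(".credential.file"):
            path = credential_path(value)
            if path is None:
                findings.append(f"{key}: expected jceks://file/<path>, got {value!r}")
                continue
        else:
            path = value
        if not exists(path):
            findings.append(f"{key}: file not found: {path}")
    return findings


def demo():
    """Run the check on the constructed sample, pretending only the keystore file exists."""
    present = {"/etc/ranger/kafka/conf/ranger-plugin-keystore.jceks"}
    return check_clientssl_props(parse_properties(SAMPLE_PROPS), exists=present.__contains__)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real plugin host, call check_clientssl_props(parse_properties(open(path).read())) with the default os.path.exists; the checker only tells you the files are present and the URIs are well-formed, it does not open the JCEKS store or validate the certificates inside it.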
07-15-2020
10:24 AM
@Shelton I can see Ambari created a headless keytab, but didn't see how this is being used or configured. Any insight on how the headless keytab is configured? Thanks!
07-14-2020
11:53 AM
@SKL Ambari explicitly configures a series of Kafka settings and creates a JAAS configuration file for the Kafka server. It is not necessary to modify these settings, but check the below values in server.properties:

listeners
listeners=SASL_PLAINTEXT://kafka01.example.com:6667
listeners=PLAINTEXT://your_host:9092, TRACE://:9091, SASL_PLAINTEXT://0.0.0.0:9093

advertised.listeners
A list of listeners to publish to ZooKeeper for clients to use. If advertised.listeners is not set, the value for listeners will be used.
advertised.listeners=SASL_PLAINTEXT://kafka01.example.com:6667

security.inter.broker.protocol
In a Kerberized cluster, brokers are required to communicate over SASL.
security.inter.broker.protocol=SASL_PLAINTEXT

principal.to.local.class
Transforms the Kerberos principals to their local Unix usernames.
principal.to.local.class=kafka.security.auth.KerberosPrincipalToLocal

super.users
Specifies user accounts that will acquire all cluster permissions. These super users have all permissions that would otherwise need to be added through the kafka-acls.sh script.
super.users=user:developer1;user:analyst1

JAAS Configuration File for the Kafka Server
Enabling Kerberos sets up a JAAS login configuration file for the Kafka server to authenticate the Kafka broker against Kerberos. Usually in /usr/hdp/current/kafka-broker/config/kafka_server_jaas.conf:

KafkaServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/home/ec2-user/kafka.service.keytab"
    storeKey=true
    useTicketCache=false
    serviceName="kafka"
    principal="kafka/<public_DNS>@EXAMPLE.COM";
};
Client { // used for zookeeper connection
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/home/ec2-user/kafka.service.keytab"
    storeKey=true
    useTicketCache=false
    serviceName="zookeeper"
    principal="kafka/<public_DNS>@EXAMPLE.COM";
};

Setting for the Kafka Producer
Ambari usually sets the below key-value pair in the server.properties file; if nonexistent, please add it:
security.protocol=SASL_PLAINTEXT

JAAS Configuration File for the Kafka Client
This file will be used for any client (consumer, producer) that connects to a Kerberos-enabled Kafka cluster. The file is stored at /usr/hdp/current/kafka-broker/config/kafka_client_jaas.conf.

Kafka client configuration with keytab, for producers:

KafkaClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/home/ec2-user/kafka.service.keytab"
    storeKey=true
    useTicketCache=false
    serviceName="kafka"
    principal="kafka/<public DNS>@EXAMPLE.COM";
};

Kafka client configuration without keytab, for producers:

KafkaClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true
    renewTicket=true
    serviceName="kafka";
};

Kafka client configuration for consumers:

KafkaClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true
    renewTicket=true
    serviceName="kafka";
};

Check and set the Ranger policy permissions for Kafka, and ensure that all the Kafka keytabs are executable by Kafka. Hope that helps.
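As an added example (not from the reply above and not Kafka's or Ambari's own code), a linter for JAAS files of the kind shown in it. It parses the `Name { LoginModuleClass flag option=value ...; };` structure and flags the defects a hand-edited file tends to carry: an unfilled `<placeholder>` left in the principal, a keytab login (useKeyTab=true) with no keyTab or principal, an unknown control flag, and unbalanced quotes that silently swallow the rest of the file. The sample configurations, hostnames, keytab paths and realm below are constructed.

```python
"""Lint a JAAS login configuration (kafka_server_jaas.conf, kafka_client_jaas.conf).

Added example, not from the post or from Kafka/Ambari. The sample configs are
constructed; hostnames, keytab paths and the realm are placeholders.
"""
import re

FLAGS = {"required", "requisite", "sufficient", "optional"}
# primary/instance@REALM; angle brackets or quotes inside mean an unfilled placeholder.
PRINCIPAL_RE = re.compile(r'^[^/@\s<>"]+(?:/[^/@\s<>"]+)?@[A-Za-z0-9.\-]+$')

# Constructed, well-formed broker config: keytab login for the broker, ticket cache for ZooKeeper.
GOOD_JAAS = """
KafkaServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/security/keytabs/kafka.service.keytab"
    storeKey=true
    useTicketCache=false
    serviceName="kafka"
    principal="kafka/kafka01.example.com@EXAMPLE.COM";
};
Client { // used for zookeeper connection
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true
    renewTicket=true
    serviceName="zookeeper";
};
"""
# Constructed: principal still holds an unfilled <placeholder>.
PLACEHOLDER_JAAS = GOOD_JAAS.replace("kafka/kafka01.example.com@", "kafka/<public_DNS@")
# Constructed: a doubled opening quote leaves the rest of the file inside a string.
BROKEN_QUOTES_JAAS = GOOD_JAAS.replace('principal="kafka', 'principal=""kafka')


def tokenize(text):
    """Yield (kind, value): 'str' for "quoted" text, 'punct' for one of {};=, 'word' otherwise."""
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if ch.isspace():
            i += 1
        elif text.startswith("//", i):  # JAAS permits // line comments
            nl = text.find("\n", i)
            i = n if nl < 0 else nl
        elif ch == '"':
            end = text.find('"', i + 1)
            if end < 0:
                raise ValueError(f"unterminated string starting at offset {i}")
            yield "str", text[i + 1:end]
            i = end + 1
        elif ch in "{};=":
            yield "punct", ch
            i += 1
        else:
            word = re.match(r'[^\s{};="]+', text[i:]).group(0)
            yield "word", word
            i += len(word)


def parse_jaas(text):
    """Return {app_name: [{'class', 'flag', 'options'}, ...]}; ValueError on syntax errors."""
    toks, pos, apps = list(tokenize(text)), 0, {}

    def peek():
        if pos >= len(toks):
            raise ValueError("unexpected end of file")
        return toks[pos]

    def take(kind=None, value=None):
        nonlocal pos
        k, v = peek()
        if (kind and k != kind) or (value and v != value):
            raise ValueError(f"expected {value or kind}, got {v!r}")
        pos += 1
        return v

    while pos < len(toks):
        name = take("word")
        take("punct", "{")
        entries = []
        while peek() != ("punct", "}"):
            entry = {"class": take("word"), "flag": take("word"), "options": {}}
            while peek() != ("punct", ";"):
                key = take("word")
                take("punct", "=")
                entry["options"][key] = take()  # bare word (true/false) or quoted string
            take("punct", ";")
            entries.append(entry)
        take("punct", "}")
        take("punct", ";")
        apps[name] = entries
    return apps


def lint_jaas(text):
    """Return findings for a JAAS config; an empty list means nothing was found."""
    try:
        apps = parse_jaas(text)
    except ValueError as exc:
        return [f"syntax: {exc}"]
    findings = []
    for name, entries in apps.items():
        for ent in entries:
            opts = ent["options"]
            if ent["flag"] not in FLAGS:
                findings.append(f"{name}: unknown control flag {ent['flag']!r}")
            if opts.get("useKeyTab") == "true":
                for key in ("keyTab", "principal"):
                    if key not in opts:
                        findings.append(f"{name}: useKeyTab=true but {key} is not set")
            principal = opts.get("principal")
            if principal is not None and not PRINCIPAL_RE.match(principal):
                findings.append(f"{name}: principal {principal!r} is not primary/instance@REALM")
    return findings
```

Run lint_jaas(open("/usr/hdp/current/kafka-broker/config/kafka_server_jaas.conf").read()) on a broker before restarting it; the three constructed samples show the clean case, the placeholder case and the unbalanced-quote case that the JVM would otherwise only report as a login failure at startup.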