Transiently kerberos authentication failure with Kafka client application
I am using the latest version of Kafka and am transiently facing an issue connecting my consumer/producer (console) clients to the Kafka broker over SASL_PLAINTEXT.
This is my JAAS configuration file:

    KafkaClient {
        com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=true;
    };

Here are the Java properties I am passing:

    -Djavax.security.auth.useSubjectCredsOnly=false
    -Dsecurity.protocol=SASL_PLAINTEXT
    -Dsasl.kerberos.service.name=HTTP
    -Dsasl.mechanism=GSSAPI

And this is the exception I am getting:

    Caused by: org.apache.kafka.common.KafkaException: javax.security.auth.login.LoginException: Could not login: the client is being asked for a password, but the Kafka client code does not currently support obtaining a password from the user. not available to garner authentication information from the user
        at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:127)
        at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:140)
        at org.apache.kafka.common.network.ChannelBuilders.clientChannelBuilder(ChannelBuilders.java:65)
        at org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:88)
        at org.apache.kafka.clients.consumer.KafkaConsumer.<init>(KafkaConsumer.java:710)
        ... 33 more
    Caused by: javax.security.auth.login.LoginException: Could not login: the client is being asked for a password, but the Kafka client code does not currently support obtaining a password from the user. not available to garner authentication information from the user
        at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:940)

Can somebody please help here?
authentication apache-kafka kerberos jaas
asked Nov 20 at 10:29
learner
2 Answers
Principal and keytab are missing in your JAAS file.
See https://kafka.apache.org/documentation/#security_sasl_kerberos
answered Nov 20 at 16:29
Gery
I am using TicketCache instead of specifying keytab and principal explicitly. – learner Nov 20 at 23:20
Does using TicketCache mean you don't have to specify principal and keytab in your jaas file? Where does its documentation say you don't have to specify that? – T-Heron Nov 21 at 2:56
@learner, then it seems your cache has no valid ticket – Gery Nov 21 at 8:37
It fails transiently only. Also, when I face the issue with connecting to Kafka, my other applications using the ticket cache work just fine. – learner Nov 21 at 9:32
Are you sure your ticket is still valid at the exact time the Kafka client is failing? How do you renew your ticket? – Gery Nov 21 at 18:50
I would like to suggest a few options:

1. List all the principals in the currently cached keytab and check if they are correct.
2. If you are trying to do any change to a topic using any principal other than KAFKA, that operation will fail. Set -Dsasl.kerberos.service.name=kafka
3. Try setting

       export KAFKA_OPTS="-Djava.security.auth.login.config=/path/to/jaas.conf
       -Djava.security.krb5.conf=/etc/krb5.conf -Dsun.security.krb5.debug=true"

4. If you are using the console producer/consumer, you need to provide the producer/consumer configuration. Configure the following properties in producer.properties or consumer.properties:

       security.protocol=SASL_PLAINTEXT (or SASL_SSL)
       sasl.mechanism=GSSAPI (or PLAIN)

   Use the command as follows for the console consumer:

       kafka-console-consumer --bootstrap-server host:9092 --consumer.config /path/to/consumer.properties --topic Topic

Hope this would help :)
edited Nov 24 at 3:05
answered Nov 21 at 13:51
Asteroid
Thanks for the help. I didn't grasp #2 completely. The client principal will be of the form '<username>/host@REALM' in general, so where is this service name coming up? If it is for the Kafka server then yes, I have a principal of the form 'HTTP/host@realm' and have set -Dsasl.kerberos.service.name=HTTP in both the Kafka server and the consumer/producer. Am I missing something? – learner Nov 22 at 0:08
sasl.kerberos.service.name should match the name of the principal for the service kafka. Typically it is set as kafka/host@REALM, and it has full rights to manipulate Kafka. If you use any other service name (which does not have full rights to manipulate Kafka), then attempting to do any change on Kafka topics will fail. – Asteroid Nov 23 at 9:16
The Kafka servers are also running with HTTP/host@REALM (I have set this property to HTTP in both the Kafka server and the producer/consumer). – learner Nov 23 at 9:59
I'm not 100% sure about this, but running brokers with HTTP may cause problems due to the reason in my 2nd point. Try changing your principal to kafka (if you have created a principal for kafka). – Asteroid Nov 24 at 3:08
You are missing the Java property -Djava.security.auth.login.config=/path/to/jaas.conf – Asteroid Nov 29 at 15:13
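
An added example, not part of any post in this thread: a shell preflight for the two conditions the comments raise, namely that -Djava.security.auth.login.config is actually passed to the JVM and that a `useTicketCache=true` login has a valid ticket to read, so the failure is reported before Krb5LoginModule falls back to prompting for a password. It assumes MIT Kerberos `klist`, whose `-s` flag exits non-zero when the cache is missing or expired; the function names and the `KLIST_BIN` override are hypothetical.

```shell
# Added example: preflight for a Kafka client that logs in through Krb5LoginModule.
# All function names and KLIST_BIN are illustrative, not part of Kafka or Kerberos.

# Print the path given to -Djava.security.auth.login.config in a JVM options string.
jaas_path_from_opts() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' |
        sed -n 's/^-Djava\.security\.auth\.login\.config=//p' | head -n 1
}

# Print the KafkaClient { ... }; section of a JAAS file (empty if absent).
kafka_client_section() {
    sed -n '/^[[:space:]]*KafkaClient[[:space:]]*{/,/}[[:space:]]*;/p' "$1"
}

# Succeed if JAAS section text $1 sets boolean option $2 to true.
jaas_flag_true() {
    printf '%s\n' "$1" |
        grep -Eq "(^|[[:space:]])${2}[[:space:]]*=[[:space:]]*\"?true\"?"
}

# Print the quoted keyTab="..." value from JAAS section text $1.
jaas_keytab() {
    printf '%s\n' "$1" |
        sed -n 's/.*keyTab[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Return codes: 0 ok, 2 JAAS file not passed or unreadable, 3 no KafkaClient
# section, 4 keytab unreadable, 5 no valid ticket in cache, 6 no credential source.
kafka_krb_preflight() {
    _pf_jaas="$(jaas_path_from_opts "$1")"
    if [ -z "$_pf_jaas" ] || [ ! -r "$_pf_jaas" ]; then
        echo "preflight: -Djava.security.auth.login.config missing or unreadable" >&2
        return 2
    fi
    _pf_section="$(kafka_client_section "$_pf_jaas")"
    if [ -z "$_pf_section" ]; then
        echo "preflight: no KafkaClient section in $_pf_jaas" >&2
        return 3
    fi
    if jaas_flag_true "$_pf_section" useKeyTab; then
        # Keytab login: the JVM obtains its own ticket, so only the file matters.
        _pf_keytab="$(jaas_keytab "$_pf_section")"
        if [ -z "$_pf_keytab" ] || [ ! -r "$_pf_keytab" ]; then
            echo "preflight: keytab '$_pf_keytab' is not readable" >&2
            return 4
        fi
        return 0
    fi
    if jaas_flag_true "$_pf_section" useTicketCache; then
        # Cache-only login: with no valid ticket the module prompts for a
        # password, which the Kafka client cannot supply.
        if ! "${KLIST_BIN:-klist}" -s; then
            echo "preflight: ticket cache has no valid ticket (run kinit)" >&2
            return 5
        fi
        return 0
    fi
    echo "preflight: KafkaClient enables neither useKeyTab nor useTicketCache" >&2
    return 6
}

# Run as: script --check   (reads KAFKA_OPTS from the environment)
if [ "${1:-}" = "--check" ]; then
    kafka_krb_preflight "${KAFKA_OPTS:-}"
    exit $?
fi
```

Run it as the same user and with the same KRB5CCNAME as the Kafka client, so that `klist` inspects the cache the JVM will read.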