Transiently kerberos authentication failure with Kafka client application











up vote
0
down vote

favorite












I am using latest version of kafka and facing issue transiently in connecting my consumer/producer (console) clients to kafka broker over SASL_PLAINTEXT.



This is my jaas configuration file



KafkaClient {

   com.sun.security.auth.module.Krb5LoginModule required

   useTicketCache=true;

};


here are the java properties I am passing:



-Djavax.security.auth.useSubjectCredsOnly=false

-Dsecurity.protocol=SASL_PLAINTEXT

-Dsasl.kerberos.service.name=HTTP

-Dsasl.mechanism=GSSAPI


And this is the exception I am getting:



Caused by: org.apache.kafka.common.KafkaException: javax.security.auth.login.LoginException: Could not login: the client is being asked for a password, but the Kafka client code does not currently support obtaining a password from the user. not available to garner  authentication information from the user

        at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:127)

        at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:140)

        at org.apache.kafka.common.network.ChannelBuilders.clientChannelBuilder(ChannelBuilders.java:65)

        at org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:88)

        at org.apache.kafka.clients.consumer.KafkaConsumer.<init>(KafkaConsumer.java:710)

        ... 33 more

Caused by: javax.security.auth.login.LoginException: Could not login: the client is being asked for a password, but the Kafka client code does not currently support obtaining a password from the user. not available to garner  authentication information from the user

        at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:940)


Can somebody please help here.






authentication apache-kafka kerberos jaas







share|improve this question


























    up vote
    0
    down vote

    favorite












    I am using latest version of kafka and facing issue transiently in connecting my consumer/producer (console) clients to kafka broker over SASL_PLAINTEXT.



    This is my jaas configuration file



    KafkaClient {
    
   com.sun.security.auth.module.Krb5LoginModule required
    
   useTicketCache=true;
    
};


    here are the java properties I am passing:



    -Djavax.security.auth.useSubjectCredsOnly=false
    
-Dsecurity.protocol=SASL_PLAINTEXT
    
-Dsasl.kerberos.service.name=HTTP
    
-Dsasl.mechanism=GSSAPI


    And this is the exception I am getting:



    Caused by: org.apache.kafka.common.KafkaException: javax.security.auth.login.LoginException: Could not login: the client is being asked for a password, but the Kafka client code does not currently support obtaining a password from the user. not available to garner  authentication information from the user
    
        at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:127)
    
        at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:140)
    
        at org.apache.kafka.common.network.ChannelBuilders.clientChannelBuilder(ChannelBuilders.java:65)
    
        at org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:88)
    
        at org.apache.kafka.clients.consumer.KafkaConsumer.<init>(KafkaConsumer.java:710)
    
        ... 33 more
    
Caused by: javax.security.auth.login.LoginException: Could not login: the client is being asked for a password, but the Kafka client code does not currently support obtaining a password from the user. not available to garner  authentication information from the user
    
        at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:940)


    Can somebody please help here.






    authentication apache-kafka kerberos jaas







    share|improve this question
























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I am using latest version of kafka and facing issue transiently in connecting my consumer/producer (console) clients to kafka broker over SASL_PLAINTEXT.



      This is my jaas configuration file



      KafkaClient {
      
   com.sun.security.auth.module.Krb5LoginModule required
      
   useTicketCache=true;
      
};


      here are the java properties I am passing:



      -Djavax.security.auth.useSubjectCredsOnly=false
      
-Dsecurity.protocol=SASL_PLAINTEXT
      
-Dsasl.kerberos.service.name=HTTP
      
-Dsasl.mechanism=GSSAPI


      And this is the exception I am getting:



      Caused by: org.apache.kafka.common.KafkaException: javax.security.auth.login.LoginException: Could not login: the client is being asked for a password, but the Kafka client code does not currently support obtaining a password from the user. not available to garner  authentication information from the user
      
        at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:127)
      
        at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:140)
      
        at org.apache.kafka.common.network.ChannelBuilders.clientChannelBuilder(ChannelBuilders.java:65)
      
        at org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:88)
      
        at org.apache.kafka.clients.consumer.KafkaConsumer.<init>(KafkaConsumer.java:710)
      
        ... 33 more
      
Caused by: javax.security.auth.login.LoginException: Could not login: the client is being asked for a password, but the Kafka client code does not currently support obtaining a password from the user. not available to garner  authentication information from the user
      
        at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:940)


      Can somebody please help here.






      authentication apache-kafka kerberos jaas







      share|improve this question













      I am using latest version of kafka and facing issue transiently in connecting my consumer/producer (console) clients to kafka broker over SASL_PLAINTEXT.



      This is my jaas configuration file



      KafkaClient {
      
   com.sun.security.auth.module.Krb5LoginModule required
      
   useTicketCache=true;
      
};


      here are the java properties I am passing:



      -Djavax.security.auth.useSubjectCredsOnly=false
      
-Dsecurity.protocol=SASL_PLAINTEXT
      
-Dsasl.kerberos.service.name=HTTP
      
-Dsasl.mechanism=GSSAPI


      And this is the exception I am getting:



      Caused by: org.apache.kafka.common.KafkaException: javax.security.auth.login.LoginException: Could not login: the client is being asked for a password, but the Kafka client code does not currently support obtaining a password from the user. not available to garner  authentication information from the user
      
        at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:127)
      
        at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:140)
      
        at org.apache.kafka.common.network.ChannelBuilders.clientChannelBuilder(ChannelBuilders.java:65)
      
        at org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:88)
      
        at org.apache.kafka.clients.consumer.KafkaConsumer.<init>(KafkaConsumer.java:710)
      
        ... 33 more
      
Caused by: javax.security.auth.login.LoginException: Could not login: the client is being asked for a password, but the Kafka client code does not currently support obtaining a password from the user. not available to garner  authentication information from the user
      
        at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:940)


      Can somebody please help here.






      authentication apache-kafka kerberos jaas




      authentication apache-kafka kerberos jaas






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 20 at 10:29









      learner

      80221436




      80221436
























          2 Answers
          2






          active

          oldest

          votes

















          up vote
          0
          down vote













          principal and keytab are missing in your jaas file.



          see https://kafka.apache.org/documentation/#security_sasl_kerberos






          share|improve this answer





















          • I am using TicketCache instead of specifying ketab and principal explictly.
            – learner
            Nov 20 at 23:20










          • Does using TicketCache mean you don't have to specify principal and keytab in your jaas file? Where does it's documentation say you don't have to specify that?
            – T-Heron
            Nov 21 at 2:56










          • @learner, then it seems your cache has no valid ticket
            – Gery
            Nov 21 at 8:37










          • It fails transiently only. Also when I face issue with connecting to Kafka my other applications using ticket cache work just fine.
            – learner
            Nov 21 at 9:32










          • Are you sure your ticket is still valid at the exact time kafka client is failling ? How do you renew your ticket ?
            – Gery
            Nov 21 at 18:50


















          up vote
          0
          down vote













          I would like to suggest your few options,




          1. List all the principles in currently cashed keytab and check if they are correct.


          2. If you are trying to do any change to a topic using any principle other than KAFKA, that operation will fail. Set -Dsasl.kerberos.service.name=kafka



          3. Try setting



            export KAFKA_OPTS="-Djava.security.auth.login.config=/path/to/jaas.conf
            -Djava.security.krb5.conf=/etc/krb5.conf -Dsun.security.krb5.debug=true"




          4. If you are using console producer/consumer, you need to provide producer configuration/consumer configuration. Configure the following properties in producer.properties or consumer.properties.



            security.protocol=SASL_PLAINTEXT (or SASL_SSL)
            sasl.mechanism=GSSAPI (or PLAIN)



            use command as follow for console consumer



            kafka-console-consumer --bootstrap-server host:9092 --consumer.config /path/to/consumer.properties --topic Topic




          Hope this would help :)






          share|improve this answer























          • Thanks for Help. I didn't grasp #2 completely. Client principal will be of the form '<username>/host@REALM' in general so where is this service name is coming up. If it is for kafka server then yes, I am having principal of the form 'HTTP/host@realm' and have set -Dsasl.kerberos.service.name=HTTP in both kafka server and consumer/producer. Am I missing something?
            – learner
            Nov 22 at 0:08










          • sasl.kerberos.service.name should match the name of principle for service kafka. Typically it is set as kafka/host@RELM. And it has full rights to manipulate kafka. If you use any other service name (which does not have full rights to manipulate kafka) then attempting do any change on kafka topics will fail.
            – Asteroid
            Nov 23 at 9:16










          • Kafka server are are also running with HTTP/host@REALM. (have set this property to HTTP in both kafka server as well as producer/consumer)
            – learner
            Nov 23 at 9:59










          • I'm not 100% sure about this but running brokers with HTTP may cause problems due to reason in my 2nd point. Try changing your principle to kafka (If you have created a principle for kafka)
            – Asteroid
            Nov 24 at 3:08










          • You are missing java property -Djava.security.auth.login.config=/path/to/jaas.conf
            – Asteroid
            Nov 29 at 15:13













          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53390980%2ftransiently-kerberos-authentication-failure-with-kafka-client-application%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          2 Answers
          2






          active

          oldest

          votes








          2 Answers
          2






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          0
          down vote













          principal and keytab are missing in your jaas file.



          see https://kafka.apache.org/documentation/#security_sasl_kerberos






          share|improve this answer





















          • I am using TicketCache instead of specifying ketab and principal explictly.
            – learner
            Nov 20 at 23:20










          • Does using TicketCache mean you don't have to specify principal and keytab in your jaas file? Where does it's documentation say you don't have to specify that?
            – T-Heron
            Nov 21 at 2:56










          • @learner, then it seems your cache has no valid ticket
            – Gery
            Nov 21 at 8:37










          • It fails transiently only. Also when I face issue with connecting to Kafka my other applications using ticket cache work just fine.
            – learner
            Nov 21 at 9:32










          • Are you sure your ticket is still valid at the exact time kafka client is failling ? How do you renew your ticket ?
            – Gery
            Nov 21 at 18:50















          up vote
          0
          down vote













          principal and keytab are missing in your jaas file.



          see https://kafka.apache.org/documentation/#security_sasl_kerberos






          share|improve this answer





















          • I am using TicketCache instead of specifying ketab and principal explictly.
            – learner
            Nov 20 at 23:20










          • Does using TicketCache mean you don't have to specify principal and keytab in your jaas file? Where does it's documentation say you don't have to specify that?
            – T-Heron
            Nov 21 at 2:56










          • @learner, then it seems your cache has no valid ticket
            – Gery
            Nov 21 at 8:37










          • It fails transiently only. Also when I face issue with connecting to Kafka my other applications using ticket cache work just fine.
            – learner
            Nov 21 at 9:32










          • Are you sure your ticket is still valid at the exact time kafka client is failling ? How do you renew your ticket ?
            – Gery
            Nov 21 at 18:50













          up vote
          0
          down vote










          up vote
          0
          down vote









          principal and keytab are missing in your jaas file.



          see https://kafka.apache.org/documentation/#security_sasl_kerberos






          share|improve this answer












          principal and keytab are missing in your jaas file.



          see https://kafka.apache.org/documentation/#security_sasl_kerberos







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Nov 20 at 16:29









          Gery

          1764




          1764












          • I am using TicketCache instead of specifying ketab and principal explictly.
            – learner
            Nov 20 at 23:20










          • Does using TicketCache mean you don't have to specify principal and keytab in your jaas file? Where does it's documentation say you don't have to specify that?
            – T-Heron
            Nov 21 at 2:56










          • @learner, then it seems your cache has no valid ticket
            – Gery
            Nov 21 at 8:37










          • It fails transiently only. Also when I face issue with connecting to Kafka my other applications using ticket cache work just fine.
            – learner
            Nov 21 at 9:32










          • Are you sure your ticket is still valid at the exact time kafka client is failling ? How do you renew your ticket ?
            – Gery
            Nov 21 at 18:50


















          • I am using TicketCache instead of specifying ketab and principal explictly.
            – learner
            Nov 20 at 23:20










          • Does using TicketCache mean you don't have to specify principal and keytab in your jaas file? Where does it's documentation say you don't have to specify that?
            – T-Heron
            Nov 21 at 2:56










          • @learner, then it seems your cache has no valid ticket
            – Gery
            Nov 21 at 8:37










          • It fails transiently only. Also when I face issue with connecting to Kafka my other applications using ticket cache work just fine.
            – learner
            Nov 21 at 9:32










          • Are you sure your ticket is still valid at the exact time kafka client is failling ? How do you renew your ticket ?
            – Gery
            Nov 21 at 18:50
















          I am using TicketCache instead of specifying ketab and principal explictly.
          – learner
          Nov 20 at 23:20




          I am using TicketCache instead of specifying ketab and principal explictly.
          – learner
          Nov 20 at 23:20












          Does using TicketCache mean you don't have to specify principal and keytab in your jaas file? Where does it's documentation say you don't have to specify that?
          – T-Heron
          Nov 21 at 2:56




          Does using TicketCache mean you don't have to specify principal and keytab in your jaas file? Where does it's documentation say you don't have to specify that?
          – T-Heron
          Nov 21 at 2:56












          @learner, then it seems your cache has no valid ticket
          – Gery
          Nov 21 at 8:37




          @learner, then it seems your cache has no valid ticket
          – Gery
          Nov 21 at 8:37












          It fails transiently only. Also when I face issue with connecting to Kafka my other applications using ticket cache work just fine.
          – learner
          Nov 21 at 9:32




          It fails transiently only. Also when I face issue with connecting to Kafka my other applications using ticket cache work just fine.
          – learner
          Nov 21 at 9:32












          Are you sure your ticket is still valid at the exact time kafka client is failling ? How do you renew your ticket ?
          – Gery
          Nov 21 at 18:50




          Are you sure your ticket is still valid at the exact time kafka client is failling ? How do you renew your ticket ?
          – Gery
          Nov 21 at 18:50












          up vote
          0
          down vote













          I would like to suggest your few options,




          1. List all the principles in currently cashed keytab and check if they are correct.


          2. If you are trying to do any change to a topic using any principle other than KAFKA, that operation will fail. Set -Dsasl.kerberos.service.name=kafka



          3. Try setting



            export KAFKA_OPTS="-Djava.security.auth.login.config=/path/to/jaas.conf
            -Djava.security.krb5.conf=/etc/krb5.conf -Dsun.security.krb5.debug=true"




          4. If you are using console producer/consumer, you need to provide producer configuration/consumer configuration. Configure the following properties in producer.properties or consumer.properties.



            security.protocol=SASL_PLAINTEXT (or SASL_SSL)
            sasl.mechanism=GSSAPI (or PLAIN)



            use command as follow for console consumer



            kafka-console-consumer --bootstrap-server host:9092 --consumer.config /path/to/consumer.properties --topic Topic




          Hope this would help :)






          share|improve this answer























          • Thanks for Help. I didn't grasp #2 completely. Client principal will be of the form '<username>/host@REALM' in general so where is this service name is coming up. If it is for kafka server then yes, I am having principal of the form 'HTTP/host@realm' and have set -Dsasl.kerberos.service.name=HTTP in both kafka server and consumer/producer. Am I missing something?
            – learner
            Nov 22 at 0:08










          • sasl.kerberos.service.name should match the name of principle for service kafka. Typically it is set as kafka/host@RELM. And it has full rights to manipulate kafka. If you use any other service name (which does not have full rights to manipulate kafka) then attempting do any change on kafka topics will fail.
            – Asteroid
            Nov 23 at 9:16










          • Kafka server are are also running with HTTP/host@REALM. (have set this property to HTTP in both kafka server as well as producer/consumer)
            – learner
            Nov 23 at 9:59










          • I'm not 100% sure about this but running brokers with HTTP may cause problems due to reason in my 2nd point. Try changing your principle to kafka (If you have created a principle for kafka)
            – Asteroid
            Nov 24 at 3:08










          • You are missing java property -Djava.security.auth.login.config=/path/to/jaas.conf
            – Asteroid
            Nov 29 at 15:13

















          up vote
          0
          down vote













          I would like to suggest your few options,




          1. List all the principles in currently cashed keytab and check if they are correct.


          2. If you are trying to do any change to a topic using any principle other than KAFKA, that operation will fail. Set -Dsasl.kerberos.service.name=kafka



          3. Try setting



            export KAFKA_OPTS="-Djava.security.auth.login.config=/path/to/jaas.conf
            -Djava.security.krb5.conf=/etc/krb5.conf -Dsun.security.krb5.debug=true"




          4. If you are using console producer/consumer, you need to provide producer configuration/consumer configuration. Configure the following properties in producer.properties or consumer.properties.



            security.protocol=SASL_PLAINTEXT (or SASL_SSL)
            sasl.mechanism=GSSAPI (or PLAIN)



            use command as follow for console consumer



            kafka-console-consumer --bootstrap-server host:9092 --consumer.config /path/to/consumer.properties --topic Topic




          Hope this would help :)






          share|improve this answer























          • Thanks for Help. I didn't grasp #2 completely. Client principal will be of the form '<username>/host@REALM' in general so where is this service name is coming up. If it is for kafka server then yes, I am having principal of the form 'HTTP/host@realm' and have set -Dsasl.kerberos.service.name=HTTP in both kafka server and consumer/producer. Am I missing something?
            – learner
            Nov 22 at 0:08










          • sasl.kerberos.service.name should match the name of principle for service kafka. Typically it is set as kafka/host@RELM. And it has full rights to manipulate kafka. If you use any other service name (which does not have full rights to manipulate kafka) then attempting do any change on kafka topics will fail.
            – Asteroid
            Nov 23 at 9:16










          • Kafka server are are also running with HTTP/host@REALM. (have set this property to HTTP in both kafka server as well as producer/consumer)
            – learner
            Nov 23 at 9:59










          • I'm not 100% sure about this but running brokers with HTTP may cause problems due to reason in my 2nd point. Try changing your principle to kafka (If you have created a principle for kafka)
            – Asteroid
            Nov 24 at 3:08










          • You are missing java property -Djava.security.auth.login.config=/path/to/jaas.conf
            – Asteroid
            Nov 29 at 15:13















          up vote
          0
          down vote










          up vote
          0
          down vote









          I would like to suggest your few options,




          1. List all the principles in currently cashed keytab and check if they are correct.


          2. If you are trying to do any change to a topic using any principle other than KAFKA, that operation will fail. Set -Dsasl.kerberos.service.name=kafka



          3. Try setting



            export KAFKA_OPTS="-Djava.security.auth.login.config=/path/to/jaas.conf
            -Djava.security.krb5.conf=/etc/krb5.conf -Dsun.security.krb5.debug=true"




          4. If you are using console producer/consumer, you need to provide producer configuration/consumer configuration. Configure the following properties in producer.properties or consumer.properties.



            security.protocol=SASL_PLAINTEXT (or SASL_SSL)
            sasl.mechanism=GSSAPI (or PLAIN)



            use command as follow for console consumer



            kafka-console-consumer --bootstrap-server host:9092 --consumer.config /path/to/consumer.properties --topic Topic




          Hope this would help :)






          share|improve this answer














          I would like to suggest your few options,




          1. List all the principles in currently cashed keytab and check if they are correct.


          2. If you are trying to do any change to a topic using any principle other than KAFKA, that operation will fail. Set -Dsasl.kerberos.service.name=kafka



          3. Try setting



            export KAFKA_OPTS="-Djava.security.auth.login.config=/path/to/jaas.conf
            -Djava.security.krb5.conf=/etc/krb5.conf -Dsun.security.krb5.debug=true"




          4. If you are using console producer/consumer, you need to provide producer configuration/consumer configuration. Configure the following properties in producer.properties or consumer.properties.



            security.protocol=SASL_PLAINTEXT (or SASL_SSL)
            sasl.mechanism=GSSAPI (or PLAIN)



            use command as follow for console consumer



            kafka-console-consumer --bootstrap-server host:9092 --consumer.config /path/to/consumer.properties --topic Topic




          Hope this would help :)







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Nov 24 at 3:05

























          answered Nov 21 at 13:51









          Asteroid

          394




          394












          • Thanks for Help. I didn't grasp #2 completely. Client principal will be of the form '<username>/host@REALM' in general so where is this service name is coming up. If it is for kafka server then yes, I am having principal of the form 'HTTP/host@realm' and have set -Dsasl.kerberos.service.name=HTTP in both kafka server and consumer/producer. Am I missing something?
            – learner
            Nov 22 at 0:08










          • sasl.kerberos.service.name should match the name of principle for service kafka. Typically it is set as kafka/host@RELM. And it has full rights to manipulate kafka. If you use any other service name (which does not have full rights to manipulate kafka) then attempting do any change on kafka topics will fail.
            – Asteroid
            Nov 23 at 9:16










          • Kafka server are are also running with HTTP/host@REALM. (have set this property to HTTP in both kafka server as well as producer/consumer)
            – learner
            Nov 23 at 9:59










          • I'm not 100% sure about this but running brokers with HTTP may cause problems due to reason in my 2nd point. Try changing your principle to kafka (If you have created a principle for kafka)
            – Asteroid
            Nov 24 at 3:08










          • You are missing java property -Djava.security.auth.login.config=/path/to/jaas.conf
            – Asteroid
            Nov 29 at 15:13




















          • Thanks for Help. I didn't grasp #2 completely. Client principal will be of the form '<username>/host@REALM' in general so where is this service name is coming up. If it is for kafka server then yes, I am having principal of the form 'HTTP/host@realm' and have set -Dsasl.kerberos.service.name=HTTP in both kafka server and consumer/producer. Am I missing something?
            – learner
            Nov 22 at 0:08










          • sasl.kerberos.service.name should match the name of principle for service kafka. Typically it is set as kafka/host@RELM. And it has full rights to manipulate kafka. If you use any other service name (which does not have full rights to manipulate kafka) then attempting do any change on kafka topics will fail.
            – Asteroid
            Nov 23 at 9:16










          • Kafka server are are also running with HTTP/host@REALM. (have set this property to HTTP in both kafka server as well as producer/consumer)
            – learner
            Nov 23 at 9:59










          • I'm not 100% sure about this but running brokers with HTTP may cause problems due to reason in my 2nd point. Try changing your principle to kafka (If you have created a principle for kafka)
            – Asteroid
            Nov 24 at 3:08










          • You are missing java property -Djava.security.auth.login.config=/path/to/jaas.conf
            – Asteroid
            Nov 29 at 15:13


















          Thanks for Help. I didn't grasp #2 completely. Client principal will be of the form '<username>/host@REALM' in general so where is this service name is coming up. If it is for kafka server then yes, I am having principal of the form 'HTTP/host@realm' and have set -Dsasl.kerberos.service.name=HTTP in both kafka server and consumer/producer. Am I missing something?
          – learner
          Nov 22 at 0:08




          Thanks for Help. I didn't grasp #2 completely. Client principal will be of the form '<username>/host@REALM' in general so where is this service name is coming up. If it is for kafka server then yes, I am having principal of the form 'HTTP/host@realm' and have set -Dsasl.kerberos.service.name=HTTP in both kafka server and consumer/producer. Am I missing something?
          – learner
          Nov 22 at 0:08












          sasl.kerberos.service.name should match the name of principle for service kafka. Typically it is set as kafka/host@RELM. And it has full rights to manipulate kafka. If you use any other service name (which does not have full rights to manipulate kafka) then attempting do any change on kafka topics will fail.
          – Asteroid
          Nov 23 at 9:16




          sasl.kerberos.service.name should match the name of principle for service kafka. Typically it is set as kafka/host@RELM. And it has full rights to manipulate kafka. If you use any other service name (which does not have full rights to manipulate kafka) then attempting do any change on kafka topics will fail.
          – Asteroid
          Nov 23 at 9:16












          Kafka server are are also running with HTTP/host@REALM. (have set this property to HTTP in both kafka server as well as producer/consumer)
          – learner
          Nov 23 at 9:59




          Kafka server are are also running with HTTP/host@REALM. (have set this property to HTTP in both kafka server as well as producer/consumer)
          – learner
          Nov 23 at 9:59












          I'm not 100% sure about this but running brokers with HTTP may cause problems due to reason in my 2nd point. Try changing your principle to kafka (If you have created a principle for kafka)
          – Asteroid
          Nov 24 at 3:08




          I'm not 100% sure about this but running brokers with HTTP may cause problems due to reason in my 2nd point. Try changing your principle to kafka (If you have created a principle for kafka)
          – Asteroid
          Nov 24 at 3:08












          You are missing java property -Djava.security.auth.login.config=/path/to/jaas.conf
          – Asteroid
          Nov 29 at 15:13






          You are missing java property -Djava.security.auth.login.config=/path/to/jaas.conf
          – Asteroid
          Nov 29 at 15:13




















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.





          Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


          Please pay close attention to the following guidance:


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53390980%2ftransiently-kerberos-authentication-failure-with-kafka-client-application%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          To store a contact into the json file from server.js file using a class in NodeJS

          Image
          0 I have created three files -contactPresentation.js, contactService.js, contacts.json. I will run the contactService.js file. And it will navigate to contactPresentation.js file that will only choose an option to either add or display a file. If add(), then add the data into add of service file.And the data will be added to the contacts.json file . And if display(), then display the display() of service file. And the display will take the data from contacts.json file. However, i know my code is flawed. Please correct it . I am also getting an error - this.contacts.push(new ContactService(userName, contactNumber, emailId)); ^ TypeError: Cannot read property 'push' of undefined at ContactService.add (e:NodeJSProjectcontactManager2contactService.js:57:23) at new C
          Read more

          Redirect URL with Chrome Remote Debugging Android Devices

          Image
          1 How can i redirect an URL with Chrome Remote Debugging Android Devices? like Requestly Chrome extension on desktop. google-chrome debugging url redirect testing share | improve this question edited Nov 24 '18 at 8:16 sachinjain024 14.7k 23 73 129 asked Nov 23 '18 at 16:09 Momen Momen 91 10
          Read more

          Dieringhausen

          Image
          Dieringhausen Stadt Gummersbach 50.982777777778 7.5316666666667 165 Koordinaten: 50° 58′ 58″  N , 7° 31′ 54″  O Höhe: 165  (160–245)  m Einwohner: 5055  (30. Jun. 2016) Postleitzahl: 51645 Vorwahl: 02261 Lage von Dieringhausen in Gummersbach Im Hohl ca. 1927–1930 Ansicht von Südwesten bei Bünghausen Dieringhausen (im örtlichen Dialekt Dierkesen ) ist ein Ortsteil von Gummersbach im Oberbergischen Kreis, Regierungsbezirk Köln, Nordrhein-Westfalen (Deutschland). Inhaltsverzeichnis 1 Geographie 2 Geschichte 3 Kultur 3.1 Sehenswürdigkeiten 3.2 Regelmäßige Veranstaltungen 4 Infrastruktur und Wirtschaft 4.1 Verkehr 4.1.1 Schienen- und Busverkehr 4.1.2 Straßen 4.2 Öffentliche Einrichtungen 4.2.1 Schulen und Bildungseinrichtungen 4.2.2 Kirchliche Einrichtungen 5 Persönlichkeiten 5.1 In Dieringhausen geboren 5.2 In Dieringhausen gelebt 6 Einzelnachweise 7
          Read more