Transiently kerberos authentication failure with Kafka client application

I am using the latest version of Kafka and transiently facing an issue connecting my consumer/producer (console) clients to the Kafka broker over SASL_PLAINTEXT.

This is my JAAS configuration file:

    KafkaClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true;
    };

Here are the Java properties I am passing:

    -Djavax.security.auth.useSubjectCredsOnly=false
    -Dsecurity.protocol=SASL_PLAINTEXT
    -Dsasl.kerberos.service.name=HTTP
    -Dsasl.mechanism=GSSAPI

And this is the exception I am getting:

    Caused by: org.apache.kafka.common.KafkaException: javax.security.auth.login.LoginException: Could not login: the client is being asked for a password, but the Kafka client code does not currently support obtaining a password from the user. not available to garner  authentication information from the user
    at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:127)
    at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:140)
    at org.apache.kafka.common.network.ChannelBuilders.clientChannelBuilder(ChannelBuilders.java:65)
    at org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:88)
    at org.apache.kafka.clients.consumer.KafkaConsumer.<init>(KafkaConsumer.java:710)
    ... 33 more
    Caused by: javax.security.auth.login.LoginException: Could not login: the client is being asked for a password, but the Kafka client code does not currently support obtaining a password from the user. not available to garner authentication information from the user
    at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:940)

Can somebody please help here?

Tags: authentication apache-kafka kerberos jaas

asked Nov 20 at 10:29 by learner

2 Answers

Principal and keytab are missing in your JAAS file.

See https://kafka.apache.org/documentation/#security_sasl_kerberos

answered Nov 20 at 16:29 by Gery

• I am using TicketCache instead of specifying keytab and principal explicitly.
  – learner, Nov 20 at 23:20

• Does using TicketCache mean you don't have to specify principal and keytab in your JAAS file? Where does its documentation say you don't have to specify that?
  – T-Heron, Nov 21 at 2:56

• @learner, then it seems your cache has no valid ticket.
  – Gery, Nov 21 at 8:37

• It fails transiently only. Also, when I face the issue with connecting to Kafka, my other applications using the ticket cache work just fine.
  – learner, Nov 21 at 9:32

• Are you sure your ticket is still valid at the exact time the Kafka client is failing? How do you renew your ticket?
  – Gery, Nov 21 at 18:50
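
The check raised in the comments above (is the ticket still valid at the moment the client starts?), as an added example that is not part of the original thread: a pre-flight function that reads `klist` output and reports whether the cache holds a TGT that outlives a safety margin. The sample `klist` text, the principal and host names and the function names are constructed, and the parser assumes MIT `klist`'s `MM/DD/YYYY HH:MM:SS` columns printed in UTC.

```shell
#!/bin/sh
# Added example (not from the thread): decide from `klist` output whether the
# ticket cache can carry a Kafka client that logs in with useTicketCache=true.

# Constructed sample of MIT klist output; user, host and realm are made up.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: learner@EXAMPLE.COM

Valid starting       Expires              Service principal
11/20/2018 10:00:00  11/20/2018 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 11/27/2018 10:00:00
11/20/2018 10:05:00  11/20/2018 20:00:00  HTTP/broker1.example.com@EXAMPLE.COM'

# tgt_expiry_epoch: klist text on stdin -> expiry of the first krbtgt entry in
# seconds since the epoch. Assumes MM/DD/YYYY HH:MM:SS columns printed in UTC.
# Prints nothing when the cache has no TGT.
tgt_expiry_epoch() {
    awk '
    # Days from 1970-01-01 to the given Gregorian date (Julian day number
    # arithmetic, so no dependency on GNU date or gawk mktime).
    function days(y, m, d,    a, yy, mm, jdn) {
        a = int((14 - m) / 12)
        yy = y + 4800 - a
        mm = m + 12 * a - 3
        jdn = d + int((153 * mm + 2) / 5) + 365 * yy
        jdn = jdn + int(yy / 4) - int(yy / 100) + int(yy / 400) - 32045
        return jdn - 2440588
    }
    $5 ~ /^krbtgt\// && !seen++ {
        split($3, dt, "/")
        split($4, tm, ":")
        secs = days(dt[3], dt[1], dt[2]) * 86400
        printf "%d\n", secs + tm[1] * 3600 + tm[2] * 60 + tm[3]
    }'
}

# ticket_state NOW_EPOCH MARGIN_SECONDS: klist text on stdin, prints one of
#   valid    - the TGT outlives NOW + MARGIN
#   expiring - the TGT is valid now but ends inside the margin
#   expired  - the TGT lifetime is already over
#   missing  - the cache holds no krbtgt entry at all
ticket_state() {
    now=$1
    margin=$2
    expiry=$(tgt_expiry_epoch)
    if [ -z "$expiry" ]; then
        echo missing
    elif [ "$expiry" -le "$now" ]; then
        echo expired
    elif [ "$expiry" -le $((now + margin)) ]; then
        echo expiring
    else
        echo valid
    fi
}

# preflight: check the live cache and succeed only if the TGT is valid for the
# next 5 minutes. TZ=UTC makes klist print UTC, matching the parser above.
# Intended use:  preflight && kafka-console-consumer ... (command as on this page)
preflight() {
    state=$(TZ=UTC LC_ALL=C klist 2>/dev/null | ticket_state "$(date -u +%s)" 300)
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) ticket cache: $state" >&2
    [ "$state" = valid ]
}

# Demo on the constructed sample: 200 s before expiry with a 300 s margin.
printf '%s\n' "$SAMPLE_KLIST" | ticket_state 1542743800 300   # prints: expiring
```

Logging the state with a timestamp at every client start lets the transient login failures be lined up against the cache state at that moment.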
I would like to suggest a few options:

1. List all the principals in the currently cached keytab and check if they are correct.

2. If you are trying to do any change to a topic using any principal other than KAFKA, that operation will fail. Set -Dsasl.kerberos.service.name=kafka

3. Try setting

    export KAFKA_OPTS="-Djava.security.auth.login.config=/path/to/jaas.conf
    -Djava.security.krb5.conf=/etc/krb5.conf -Dsun.security.krb5.debug=true"

4. If you are using the console producer/consumer, you need to provide a producer configuration/consumer configuration. Configure the following properties in producer.properties or consumer.properties.

    # or SASL_SSL
    security.protocol=SASL_PLAINTEXT
    # or PLAIN
    sasl.mechanism=GSSAPI

   Use the following command for the console consumer:

    kafka-console-consumer --bootstrap-server host:9092 --consumer.config /path/to/consumer.properties --topic Topic

Hope this would help :)

answered Nov 21 at 13:51 by Asteroid, edited Nov 24 at 3:05

• Thanks for the help. I didn't grasp #2 completely. The client principal will be of the form '<username>/host@REALM' in general, so where is this service name coming up? If it is for the Kafka server then yes, I have a principal of the form 'HTTP/host@realm' and have set -Dsasl.kerberos.service.name=HTTP in both the Kafka server and the consumer/producer. Am I missing something?
  – learner, Nov 22 at 0:08

• sasl.kerberos.service.name should match the name of the principal for the service kafka. Typically it is set as kafka/host@REALM. And it has full rights to manipulate Kafka. If you use any other service name (which does not have full rights to manipulate Kafka) then attempting to do any change on Kafka topics will fail.
  – Asteroid, Nov 23 at 9:16

• Kafka servers are also running with HTTP/host@REALM. (I have set this property to HTTP in both the Kafka server and the producer/consumer.)
  – learner, Nov 23 at 9:59

• I'm not 100% sure about this, but running brokers with HTTP may cause problems due to the reason in my 2nd point. Try changing your principal to kafka (if you have created a principal for kafka).
  – Asteroid, Nov 24 at 3:08

• You are missing the Java property -Djava.security.auth.login.config=/path/to/jaas.conf
  – Asteroid, Nov 29 at 15:13
          • Thanks for Help. I didn't grasp #2 completely. Client principal will be of the form '<username>/host@REALM' in general so where is this service name is coming up. If it is for kafka server then yes, I am having principal of the form 'HTTP/host@realm' and have set -Dsasl.kerberos.service.name=HTTP in both kafka server and consumer/producer. Am I missing something?
            – learner
            Nov 22 at 0:08










          • sasl.kerberos.service.name should match the name of principle for service kafka. Typically it is set as kafka/host@RELM. And it has full rights to manipulate kafka. If you use any other service name (which does not have full rights to manipulate kafka) then attempting do any change on kafka topics will fail.
            – Asteroid
            Nov 23 at 9:16










          • Kafka server are are also running with HTTP/host@REALM. (have set this property to HTTP in both kafka server as well as producer/consumer)
            – learner
            Nov 23 at 9:59










          • I'm not 100% sure about this but running brokers with HTTP may cause problems due to reason in my 2nd point. Try changing your principle to kafka (If you have created a principle for kafka)
            – Asteroid
            Nov 24 at 3:08










          • You are missing java property -Djava.security.auth.login.config=/path/to/jaas.conf
            – Asteroid
            Nov 29 at 15:13





































