[jira] [Resolved] (KAFKA-5015) SASL/SCRAM authentication failures are hidden

[Manikumar (JIRA)]

     [ 
https://issues.apache.org/jira/browse/KAFKA-5015?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Manikumar resolved KAFKA-5015.
------------------------------
    Resolution: Duplicate

Resolving as duplicate of KAFKA-4764

> SASL/SCRAM authentication failures are hidden
> ---------------------------------------------
>
>                 Key: KAFKA-5015
>                 URL: https://issues.apache.org/jira/browse/KAFKA-5015
>             Project: Kafka
>          Issue Type: Improvement
>          Components: core
>    Affects Versions: 0.10.2.0
>            Reporter: Johan Ström
>
> During experimentation with multiple brokers and SCRAM authentication, the 
> brokers didn't seem to connect properly.
> Apparently the receiving server does not log connection failures (and their 
> cause) unless you enable DEBUG logging on 
> org.apache.kafka.common.network.Selector.
> Expected: that the rejected connections is logged (without stack trace) 
> without having to enable DEBUG. 
> (The root cause of my problem was that I hadn't yet added the user to the 
> Zk-backed SCRAM configuration)
> The controller flooded controller.log with WARNs:
> {code}
> [2017-04-05 15:33:42,850] WARN [Controller-1-to-broker-1-send-thread], 
> Controller 1's connection to broker kafka02:9093 (id: 1 rack: null) was 
> unsuccessful (kafka.controller.RequestSendThread)
> java.io.IOException: Connection to kafka02:9093 (id: 1 rack: null) failed
> {code}
> The peer does not log anything in any log, until debugging was enabled:
> {code}
> [2017-04-05 15:28:58,373] DEBUG Accepted connection from /10.10.0.5:43670 on 
> /10.10.0.6:9093 and assigned it to processor 4, sendBufferSize 
> [actual|requested]: [102400|102400] recvBufferSize [actual|requested]: 
> [102400|102400] (kafka.network.Acceptor)
> [2017-04-05 15:28:58,374] DEBUG Processor 4 listening to new connection from 
> /10.10.0.5:43670 (kafka.network.Processor)
> [2017-04-05 15:28:58,376] DEBUG Set SASL server state to HANDSHAKE_REQUEST 
> (org.apache.kafka.common.security.authenticator.SaslServerAuthenticator)
> [2017-04-05 15:28:58,376] DEBUG Handle Kafka request SASL_HANDSHAKE 
> (org.apache.kafka.common.security.authenticator.SaslServerAuthenticator)
> [2017-04-05 15:28:58,378] DEBUG Using SASL mechanism 'SCRAM-SHA-512' provided 
> by client 
> (org.apache.kafka.common.security.authenticator.SaslServerAuthenticator)
> [2017-04-05 15:28:58,381] DEBUG Setting SASL/SCRAM_SHA_512 server state to 
> RECEIVE_CLIENT_FIRST_MESSAGE 
> (org.apache.kafka.common.security.scram.ScramSaslServer)
> [2017-04-05 15:28:58,381] DEBUG Set SASL server state to AUTHENTICATE 
> (org.apache.kafka.common.security.authenticator.SaslServerAuthenticator)
> [2017-04-05 15:28:58,383] DEBUG Setting SASL/SCRAM_SHA_512 server state to 
> FAILED (org.apache.kafka.common.security.scram.ScramSaslServer)
> [2017-04-05 15:28:58,383] DEBUG Set SASL server state to FAILED 
> (org.apache.kafka.common.security.authenticator.SaslServerAuthenticator)
> [2017-04-05 15:28:58,385] DEBUG Connection with /10.10.0.5 disconnected 
> (org.apache.kafka.common.network.Selector)
> java.io.IOException: javax.security.sasl.SaslException: Authentication 
> failed: Credentials could not be obtained [Caused by 
> javax.security.sasl.SaslException: Authentication failed: Invalid user 
> credentials]
>       at 
> org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.authenticate(SaslServerAuthenticator.java:250)
>       at 
> org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:71)
>       at 
> org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:350)
>       at org.apache.kafka.common.network.Selector.poll(Selector.java:303)
>       at kafka.network.Processor.poll(SocketServer.scala:494)
>       at kafka.network.Processor.run(SocketServer.scala:432)
>       at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.security.sasl.SaslException: Authentication failed: 
> Credentials could not be obtained [Caused by 
> javax.security.sasl.SaslException: Authentication failed: Invalid user 
> credentials]
>       at 
> org.apache.kafka.common.security.scram.ScramSaslServer.evaluateResponse(ScramSaslServer.java:104)
>       at 
> org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.authenticate(SaslServerAuthenticator.java:235)
>       ... 6 more
> Caused by: javax.security.sasl.SaslException: Authentication failed: Invalid 
> user credentials
>       at 
> org.apache.kafka.common.security.scram.ScramSaslServer.evaluateResponse(ScramSaslServer.java:94)
>       ... 7 more
> {code}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)