Hi Sebastien,

I don't think an empty jaas.conf file is a problem here. This file is created just to satisfy some preconditions which check for the existence of that file. The actual values are passed in memory.
Usually when I had problems with kerberos it was due to hostname checks. Make sure you use FQDN for kafka brokers.

Best,

Dawid

On 13/09/18 16:17, Aljoscha Krettek wrote:
> Hi,
>
> this definitely needs some investigation! Did you try setting the JAAS
> settings in the sasl.jaas.config property as described in
> https://docs.confluent.io/current/kafka/authentication_sasl/index.html#jaas-configurations?
>
> Best,
> Aljoscha
>
>> On 11. Sep 2018, at 10:08, Sebastien Pereira <spere...@parigo.com> wrote:
>>
>> Hi,
>>
>> We are using Flink 1.5.3 where the Kafka producer talks with a
>> kerberized kafka (kerberos only, no SSL).
>>
>> It fails to connect to kafka with a root Exception:
>> javax.security.auth.callback.UnsupportedCallbackException: Could not
>> login: the client is being asked for a password, but the Kafka client
>> code does not currently support obtaining a password from the user.
>>
>> We have the following configuration for kerberos in flink-conf.yaml:
>> # ----------------------------------------------
>> security.kerberos.login.use-ticket-cache: false
>> security.kerberos.login.keytab: /etc/krb5/flink.keytab
>> security.kerberos.login.principal: kafka/the.host.n...@example.com
>> security.kerberos.login.contexts: KafkaClient
>> # ----------------------------------------------
>>
>> We use
>> org.apache.flink.streaming.connectors.kafka.FlinkKafkaProducer011
>> with the following properties for kerberos:
>> # ----------------------------------------------
>> security.protocol=SASL_PLAINTEXT
>> sasl.kerberos.service.name=kafka
>> # ----------------------------------------------
>>
>> From job/task managers hosts we can login with the same user which
>> runs flink processes, and successfully get a kerberos ticket:
>>
>> # ----------------------------------------------
>> kubectl exec -it <manager> -- /bin/bash
>> $ kinit kafka/hdp-2641.fyre.ibm....@example.com -k -t /etc/krb5/flink.keytab
>>
>> Done!
>> New ticket is stored in cache file /opt/flink/krb5cc_bai
>> $ klist
>>
>> Credentials cache: /opt/flink/krb5cc_bai
>> Default principal: kafka/the.host.n...@example.com
>> Number of entries: 1
>>
>> [1] Service principal: krbtgt/example....@example.com
>> Valid starting: Monday, September 10, 2018 at 4:58:29 PM
>> Expires: Tuesday, September 11, 2018 at 4:58:29 PM
>> # ----------------------------------------------
>>
>> However, when we check the content of the JAAS file generated in /temp,
>> we see no content apart from the comments:
>>
>> /tmp$ cat jaas-4651713797960840940.conf
>> /**
>> ################################################################################
>> # Licensed to the Apache Software Foundation (ASF) under one
>> # or more contributor license agreements. See the NOTICE file
>> # distributed with this work for additional information
>> # regarding copyright ownership. The ASF licenses this file
>> # to you under the Apache License, Version 2.0 (the
>> # "License"); you may not use this file except in compliance
>> # with the License. You may obtain a copy of the License at
>> #
>> # http://www.apache.org/licenses/LICENSE-2.0
>> #
>> # Unless required by applicable law or agreed to in writing, software
>> # distributed under the License is distributed on an "AS IS" BASIS,
>> # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>> # See the License for the specific language governing permissions and
>> # limitations under the License.
>> ################################################################################
>> # We are using this file as an workaround for the Kafka and ZK SASL implementation
>> # since they explicitly look for java.security.auth.login.config property
>> # Please do not edit/delete this file - See FLINK-3929
>> **/
>>
>> /tmp$
>>
>> - Could you confirm that we should have more in the generated JAAS file?
>> - We strongly suspect the UnsupportedCallbackException is caused by
>> missing content in the generated JAAS file.
>>
>> Thanks,
>>
>> Sebastien Pereira
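The settings discussed in this thread (keytab login, the KafkaClient login context, FQDN broker names) can be checked before a job is submitted. The following is an added example, not part of the original messages and not Flink or Kafka code: a small Python linter run over constructed sample configuration. The `bootstrap.servers` value, the sample principal and the finding labels are assumptions for illustration.

```python
import ipaddress

def parse_kv(text, sep):
    """Parse 'key<sep>value' lines, skipping blanks and '#' comments."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and sep in line:
            key, value = line.split(sep, 1)
            pairs[key.strip()] = value.strip()
    return pairs

def is_fqdn(host):
    """True for a dotted DNS name; False for short names and IP literals."""
    try:
        ipaddress.ip_address(host)
        return False  # an IP literal cannot match a host-based service principal
    except ValueError:
        labels = host.rstrip(".").split(".")
        return len(labels) >= 2 and all(labels)

def check(flink_conf, kafka_props):
    """Return finding labels (hypothetical names) for the two config texts."""
    flink, kafka = parse_kv(flink_conf, ":"), parse_kv(kafka_props, "=")
    findings = []
    keytab = flink.get("security.kerberos.login.keytab")
    principal = flink.get("security.kerberos.login.principal")
    use_cache = flink.get("security.kerberos.login.use-ticket-cache", "true")
    if use_cache == "false" and not keytab:
        findings.append("no-credential-source")       # neither cache nor keytab
    if bool(keytab) != bool(principal):
        findings.append("keytab-principal-mismatch")  # must be set together
    contexts = flink.get("security.kerberos.login.contexts", "").split(",")
    if "KafkaClient" not in [c.strip() for c in contexts]:
        findings.append("missing-KafkaClient-context")
    if not kafka.get("sasl.kerberos.service.name"):
        findings.append("missing-service-name")       # unless set in JAAS itself
    for server in kafka.get("bootstrap.servers", "").split(","):
        host = server.strip().rsplit(":", 1)[0]
        if host and not is_fqdn(host):
            findings.append("broker-not-fqdn:" + host)
    return findings

# Constructed sample input, modelled on the settings quoted in this thread.
FLINK_CONF = ("security.kerberos.login.use-ticket-cache: false\n"
              "security.kerberos.login.keytab: /etc/krb5/flink.keytab\n"
              "security.kerberos.login.principal: flink-client@EXAMPLE.COM\n"
              "security.kerberos.login.contexts: KafkaClient\n")
KAFKA_PROPS = ("security.protocol=SASL_PLAINTEXT\n"
               "sasl.kerberos.service.name=kafka\n"
               "bootstrap.servers=broker1:9092,broker2.example.com:9092\n")
print(check(FLINK_CONF, KAFKA_PROPS))
```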