If you mean authorization with kafka (not with kerberos) then yes, seems that kafka stops responding when it doesn't get exactly what it expects :/ no errors just timeouts.
On Thu, Jan 19, 2017 at 8:59 PM, Christian <engr...@gmail.com> wrote: > Thanks for the response Gerrit! It seems like authorization has the same > behavior. Have you experienced that as well? > > On Thu, Jan 19, 2017 at 11:48 AM, Gerrit Jansen van Vuuren < > gerrit...@gmail.com> wrote: > > > Hi, > > > > I've added kerberos support for https://github.com/gerritjvv/kafka-fast > > and > > have seen that the kafka brokers do not send any response if the SASL > > authentication is not correct or accepted, thus causing the client to > hang > > while waiting for a response from kafka. > > > > Some things that might help to debug: > > > > - kafka 0.9's SASL auth is in-compatible with 0.10 and not using the > > correct version will cause the kafka client to hang. > > - use -Dsun.security.krb5.debug=true and > > -Djava.security.debug=gssloginconfig,configfile, > configparser,logincontext > > to see debug info about what's going on. > > > > > > Some reading material can be found at: > > https://github.com/gerritjvv/kafka-fast/blob/master/kafka- > clj/Kerberos.md > > > > and if you want to see or need for testing a vagrant env with kerberos + > > kafka configured see > > https://github.com/gerritjvv/kafka-fast/blob/master/kafka- > > clj/doc/vagrant.md > > > > > > > > > > On Thu, Jan 19, 2017 at 7:37 PM, Christian <engr...@gmail.com> wrote: > > > > > I have successfully gotten SASL_PLAINTEXT configured on Kafka cluster. > We > > > implemented our own LoginModule and Server with the following caveat > > that I > > > am guessing I am doing something wrong. > > > > > > The LoginModule's login method acquires a session id from an internal > > > security system and populates the subject with the relevant > information. > > In > > > the server evaluateResponse we then validate that session. On success, > > > everything is great. However, when the evaulateResponse returns with a > > > failure (throws an exception), the producer client just hangs when > > sending > > > a message until the configured timeout occurs. Interestingly enough, we > > see > > > the evaulateResponse method is getting called about every second until > > the > > > the producer client finally times out. > > > > > > We get this same behavior when using the PlainLoginModule provided with > > > Kafka after changing the password on the client side to something > > different > > > from the server side. > > > > > > Is this expected behavior? > > > > > > Thanks, > > > Christian > > > > > >
