Hi Gerrit, I think it's important to distinguish broker and client behaviour. The clients can hang because they keep retrying when they get certain errors. When it comes to the broker, it should give you errors as a general rule. If you are aware of certain scenarios where it should give an error and it doesn't, then please file a bug with steps to reproduce.
Ismael On Thu, Jan 19, 2017 at 6:48 PM, Gerrit Jansen van Vuuren < gerrit...@gmail.com> wrote: > Hi, > > I've added kerberos support for https://github.com/gerritjvv/kafka-fast > and > have seen that the kafka brokers do not send any response if the SASL > authentication is not correct or accepted, thus causing the client to hang > while waiting for a response from kafka. > > Some things that might help to debug: > > - kafka 0.9's SASL auth is in-compatible with 0.10 and not using the > correct version will cause the kafka client to hang. > - use -Dsun.security.krb5.debug=true and > -Djava.security.debug=gssloginconfig,configfile,configparser,logincontext > to see debug info about what's going on. > > > Some reading material can be found at: > https://github.com/gerritjvv/kafka-fast/blob/master/kafka-clj/Kerberos.md > > and if you want to see or need for testing a vagrant env with kerberos + > kafka configured see > https://github.com/gerritjvv/kafka-fast/blob/master/kafka- > clj/doc/vagrant.md > > > > > On Thu, Jan 19, 2017 at 7:37 PM, Christian <engr...@gmail.com> wrote: > > > I have successfully gotten SASL_PLAINTEXT configured on Kafka cluster. We > > implemented our own LoginModule and Server with the following caveat > that I > > am guessing I am doing something wrong. > > > > The LoginModule's login method acquires a session id from an internal > > security system and populates the subject with the relevant information. > In > > the server evaluateResponse we then validate that session. On success, > > everything is great. However, when the evaulateResponse returns with a > > failure (throws an exception), the producer client just hangs when > sending > > a message until the configured timeout occurs. Interestingly enough, we > see > > the evaulateResponse method is getting called about every second until > the > > the producer client finally times out. > > > > We get this same behavior when using the PlainLoginModule provided with > > Kafka after changing the password on the client side to something > different > > from the server side. > > > > Is this expected behavior? > > > > Thanks, > > Christian > > >
