Hi,

From Kafka 0.10.2.0, we can configure the producer/consumer JAAS configuration
using the "sasl.jaas.config" config property. Using this, we can configure
different principals.

On Tue, Apr 24, 2018 at 10:58 PM, Zieger, Antoine <
antoine.zie...@morganstanley.com> wrote:

> Hi,
>
> I am trying to transfer data between two kerberized Kafka clusters. The
> brokers are running under different users on both clusters and so, I am
> providing a different Kerberos.service.name to consumer and producer. For
> security reasons and access management rules in place, having the same
> principal on both sides is not possible. Whenever I start my Java program I
> get the error "principals don't match".
>
> My understanding is that kafka mirror-maker is doing the same thing and
> does not support different principals.
> (https://community.hortonworks.com/articles/79891/kafka-mirror-maker-best-practices.html)
> "In kafka 0.9.x and 0.10.0.1, 0.10.1.0, consumers and producers in
> mirror-maker cannot run with different principals/keytabs as they both run
> inside a single JVM"
>
> As I understand it this is a Kafka API limitation right? I looked at the
> release notes of versions > 0.10.1.0 and didn't see any ticket that
> resolved this, unless I missed it?
>
> By any chance are you aware of a workaround? Or the only solution in case
> of two different principals is to have two different JVMs? (one for the
> consumer and one for the producer, which means we need some kind of buffer
> in between).
>
> Thanks in advance for your help.
>
> Antoine
