Hello,

I am having an issue with Kerberos auth: when one of my brokers is lost and
is replaced by a new instance, the running brokers/consumers/producers are
still trying to use the authentication information for the original broker
to log in to the new broker. This leaves me in a state of constantly failing
to authenticate until all brokers/consumers/producers are restarted, and
then they load in the new broker information and everything is fine.

I am wondering if there is a way to force Kafka brokers/consumers/producers
to expire the credentials they save for brokers after a period of time so
they can connect to the new instance. If there is another, better way to fix
this, that would be great as well.

I have tried setting expiration times in /etc/krb5.conf; however, it doesn't
seem like Kafka is honoring them. I have also tried different jaas.conf, but
they don't seem to work. I haven't gotten one without storeKey=true to work,
which would in theory solve my problem. This is my current JAAS config:
KafkaServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/etc/krb5.keytab"
    principal="kafka2$";
};

KafkaClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/etc/krb5.keytab"
    serviceName="kafka"
    principal="kafka2$";
};
Tyler Monahan