Hi everyone! I am adding two adjustments to our Kafka. One is enabling
Kerberos authentication and the other is changing the listeners config to IP
addresses instead of hostnames so that client machines are not required to modify
their hosts file (/etc/hosts). The problem is that the two adjustments only work
separately; when the two are applied at the same time, the cluster cannot be
reached. Below is the error message when I use the kafka-console-producer script to
access Kafka:
09/08/28 10:32:01 ERROR clients.NetworkClient: [Producer clientId=console-producer] Connection to node -1 failed authentication due to: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)]) occurred when evaluating SASL token received from the Kafka Broker. Kafka Client will go to AUTHENTICATION_FAILED state.
19/08/28 10:32:01 ERROR internals.ErrorLoggingCallback: Error when sending message to topic test1 with key: null, value: 3 bytes with error:
org.apache.kafka.common.errors.SaslAuthenticationException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)]) occurred when evaluating SASL token received from the Kafka Broker. Kafka Client will go to AUTHENTICATION_FAILED state.
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
        at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator$2.run(SaslClientAuthenticator.java:361)
        at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator$2.run(SaslClientAuthenticator.java:359)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.createSaslToken(SaslClientAuthenticator.java:359)
        at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.sendSaslClientToken(SaslClientAuthenticator.java:269)
        at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.authenticate(SaslClientAuthenticator.java:206)
        at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:81)
        at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:474)
        at org.apache.kafka.common.network.Selector.poll(Selector.java:412)
        at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:481)
        at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:239)
        at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:163)
        at java.lang.Thread.run(Thread.java:748)
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:770)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)
        ... 14 more
Caused by: KrbException: Server not found in Kerberos database (7) - LOOKING_UP_SERVER
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73)
        at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251)
        at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262)
        at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:308)
        at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:126)
        at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693)
        ... 17 more
My guess is that when using IP addresses for the listeners config and not having
hostname records of the brokers in /etc/hosts, the Kafka client constructs a
service principal name like 'kafka@<ip-address>@REALM' (the actual principal
name should be like 'kafka@<hostname>@REALM') for the broker and requests the
corresponding ticket from the KDC, which does not have this principal in its
database, so the LOOKING_UP_SERVER error is raised. Am I right? And could somebody
point out the right way to do this? Thanks. P.S. I am using CDK 4.1.0.
张祥
[email protected]
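A small pre-flight check for the situation described in this thread (added example, not code from the thread or from Kafka): it derives the service principal a SASL/GSSAPI client will ask the KDC for from each broker's advertised listener and flags listeners whose host part is an IP literal or has no matching principal. It assumes the client forms the principal as `<sasl.kerberos.service.name>/<host it connected to>@<REALM>`; the realm, listener strings and principal set are constructed sample data.

```python
import ipaddress

# Constructed sample: principals that exist on the KDC / in the broker keytabs.
# In the failing setup the brokers advertise IP addresses, but only
# hostname-based principals like these were created.
KDC_PRINCIPALS = {
    "kafka/broker1.example.com@EXAMPLE.COM",
    "kafka/broker2.example.com@EXAMPLE.COM",
}

def listener_host(listener: str) -> str:
    """Host part of a Kafka listener such as SASL_PLAINTEXT://10.0.0.5:9092."""
    _, sep, hostport = listener.partition("://")
    if not sep or not hostport:
        raise ValueError(f"cannot parse listener: {listener!r}")
    if hostport.startswith("["):            # bracketed IPv6 literal
        return hostport[1:hostport.index("]")]
    host, _, _port = hostport.partition(":")
    return host

def is_ip_literal(host: str) -> bool:
    """True when the listener host is an address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def expected_spn(listener: str, service_name: str = "kafka",
                 realm: str = "EXAMPLE.COM") -> str:
    """Service principal the GSSAPI client requests for this listener
    (assumption: service name + '/' + connected host + '@' + realm)."""
    return f"{service_name}/{listener_host(listener)}@{realm}"

def diagnose(listeners, principals=KDC_PRINCIPALS, realm="EXAMPLE.COM"):
    """Map each problematic listener to a reason the KDC would reject it
    with 'Server not found in Kerberos database'."""
    problems = {}
    for lst in listeners:
        spn = expected_spn(lst, realm=realm)
        if spn in principals:
            continue
        if is_ip_literal(listener_host(lst)):
            problems[lst] = f"{spn} not on KDC: IP literal in advertised listener"
        else:
            problems[lst] = f"{spn} not on KDC: no principal for this hostname"
    return problems
```

Run `diagnose` over the values of `advertised.listeners` from each broker before enabling SASL; an empty result means every advertised host has a principal the KDC can look up.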