Hi everyone! I am adding two adjustments to our Kafka. One is enabling 
Kerberos authentication and the other is changing the listeners config to IP 
addresses instead of hostnames so that client machines are not required to 
modify the hosts file (/etc/hosts). The problem is that the two adjustments 
only work separately; when the two are applied at the same time, the cluster 
cannot be reached. Below is the error message when I use the 
kafka-console-producer script to access Kafka:
09/08/28 10:32:01 ERROR clients.NetworkClient: [Producer 
clientId=console-producer] Connection to node -1 failed authentication due to: 
An error: (java.security.PrivilegedActionException: 
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: 
No valid credentials provided (Mechanism level: Server not found in Kerberos 
database (7) - LOOKING_UP_SERVER)]) occurred when evaluating SASL token 
received from the Kafka Broker. Kafka Client will go to AUTHENTICATION_FAILED 
state.
19/08/28 10:32:01 ERROR internals.ErrorLoggingCallback: Error when sending 
message to topic test1 with key: null, value: 3 bytes with error:
org.apache.kafka.common.errors.SaslAuthenticationException: An error: 
(java.security.PrivilegedActionException: javax.security.sasl.SaslException: 
GSS initiate failed [Caused by GSSException: No valid credentials provided 
(Mechanism level: Server not found in Kerberos database (7) - 
LOOKING_UP_SERVER)]) occurred when evaluating SASL token received from the 
Kafka Broker. Kafka Client will go to AUTHENTICATION_FAILED state.
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by 
GSSException: No valid credentials provided (Mechanism level: Server not found 
in Kerberos database (7) - LOOKING_UP_SERVER)]
        at 
com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
        at 
org.apache.kafka.common.security.authenticator.SaslClientAuthenticator$2.run(SaslClientAuthenticator.java:361)
        at 
org.apache.kafka.common.security.authenticator.SaslClientAuthenticator$2.run(SaslClientAuthenticator.java:359)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at 
org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.createSaslToken(SaslClientAuthenticator.java:359)
        at 
org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.sendSaslClientToken(SaslClientAuthenticator.java:269)
        at 
org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.authenticate(SaslClientAuthenticator.java:206)
        at 
org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:81)
        at 
org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:474)
        at org.apache.kafka.common.network.Selector.poll(Selector.java:412)
        at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:481)
        at 
org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:239)
        at 
org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:163)
        at java.lang.Thread.run(Thread.java:748)
Caused by: GSSException: No valid credentials provided (Mechanism level: Server 
not found in Kerberos database (7) - LOOKING_UP_SERVER)
        at 
sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:770)
        at 
sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
        at 
sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
        at 
com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)
        ... 14 more
Caused by: KrbException: Server not found in Kerberos database (7) - 
LOOKING_UP_SERVER
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73)
        at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251)
        at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262)
        at 
sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:308)
        at 
sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:126)
        at 
sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458)
        at 
sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693)
        ... 17 more


My guess is that when using IP addresses for the listeners config and not 
having hostname records of the brokers in /etc/hosts, the Kafka client 
constructs a service principal name like ‘kafka@<ip-address>@REALM’ (the actual 
principal name should be like ‘kafka@<hostname>@REALM’) for the broker and 
requests the corresponding ticket from the KDC, which does not have this 
principal in its database, so the LOOKING_UP_SERVER error is raised. Am I 
right? And could somebody point out what the right way to do this is? Thanks. 
P.S. I am using CDK 4.1.0.


张祥
18133622...@163.com
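
Added example, not part of the original post and not Kafka's own code: a small Python check that derives the service principal a client would request for each listener and compares it with the principals the KDC holds, the lookup that ends in error (7) in the log above when it fails. It assumes the client builds the name as `<service>/<host>@<REALM>` from the host string exactly as configured; the realm, broker addresses and principal list are constructed sample values.

```python
import ipaddress

# Constructed sample values (hypothetical realm and KDC contents, not from the post).
REALM = "EXAMPLE.COM"
KDC_PRINCIPALS = {
    "kafka/broker1.example.com@EXAMPLE.COM",
    "kafka/broker2.example.com@EXAMPLE.COM",
}

def listener_hosts(listeners):
    """Host part of each host:port entry in a listeners or bootstrap.servers value."""
    hosts = []
    for entry in filter(None, (e.strip() for e in listeners.split(","))):
        hostport = entry.split("://", 1)[-1]          # drop PROTOCOL:// if present
        hosts.append(hostport.rpartition(":")[0].strip("[]"))
    return hosts

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def requested_spn(host, service="kafka", realm=REALM):
    """Assumption: the SPN is built from the configured host string, unchanged."""
    return f"{service}/{host}@{realm}"

def audit(listeners, kdc_principals=KDC_PRINCIPALS):
    """Return (host, spn, status) for every listener entry."""
    report = []
    for host in listener_hosts(listeners):
        spn = requested_spn(host)
        if spn in kdc_principals:
            status = "ok"
        elif is_ip_literal(host):
            status = "missing: IP literal, KDC has no principal for this address"
        else:
            status = "missing: KDC has no principal for this hostname"
        report.append((host, spn, status))
    return report

if __name__ == "__main__":
    sample = "SASL_PLAINTEXT://10.0.0.11:9092,SASL_PLAINTEXT://broker2.example.com:9092"
    for row in audit(sample):
        print(*row, sep="  ")
```
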