(*#&(*&#($&(Q#Q #EQ$#!@#!!!!
I got it figured out. I really have to read the error message more
carefully! the error is:
Unable to connect: Access denied for user '${file:/app/data/cred/
*connector_credentials.prop*'@'172.x.x.x' (using password: YES)
*The file name was changed from connector_credentials.prop to
connector_credentials.properties!* When I did a ps -aux | grep java. I
saw 2 spids running the distributor, not sure how but there it was. I
killed both, checked all the files to make sure they all say:
connector_credentials.properties. Restarted the distributor and connector
and it is working now.
:bang head on table:
Thanks for your help Chris and Martin.
On Tue, Mar 8, 2022 at 8:01 AM Men Lim <zulu...@gmail.com> wrote:
> HI Martin,
>
> the owner of the file is 'adm.' I have switched to the user 'adm' and is
> executing everything under that credential. Which portion of Chris'
> instruction are you referring to?
>
> thanks,
>
> On Tue, Mar 8, 2022 at 4:13 AM Martin Gainty <mgai...@hotmail.com> wrote:
>
>> Hi Mem
>>
>> UNIX / Linux Find File Owner Name - nixCraft (cyberciti.biz)<
>> https://www.cyberciti.biz/faq/unix-linux-find-file-owner-name/>
>> once you know who created your file
>> file:/app/data/cred/connector_credentials.prop
>> you will need to change credentials as the owner of the file
>>
>> then follow chris' instructions
>>
>> ________________________________
>> From: Chris Egerton <fearthecel...@gmail.com>
>> Sent: Monday, March 7, 2022 4:48 PM
>> To: users@kafka.apache.org <users@kafka.apache.org>
>> Subject: Re: securing sasl/scram username and password in kafka connect
>>
>> It looks like the file config provider isn't actually set up on the
>> Connect
>> worker. What does your Connect worker config look like (usually a file
>> called something like connect-distributed.properties)? Feel free to change
>> any sensitive values to a string like "<redacted>", but please don't
>> remove
>> them entirely (they may be necessary for debugging).
>>
>> On Mon, Mar 7, 2022 at 4:39 PM Men Lim <zulu...@gmail.com> wrote:
>>
>> > Thanks for the response Chris. I went thru the setup again and it
>> appeared
>> > I might have had a typo somewhere last friday. Currently, I'm running
>> into
>> > a file permission issue.
>> >
>> > the file has the following permissions:
>> >
>> > -rw-r--r-- 1 adm admn 88 Mar 7 21:23 connector_credentials.properties
>> >
>> > I have tried changing the pwd to 700 but still the same error:
>> >
>> > Unable to connect: Access denied for user
>> > '${file:/app/data/cred/connector_credentials.prop'@'172.x.x.x' (using
>> > password: YES)
>> >
>> > On Mon, Mar 7, 2022 at 1:55 PM Chris Egerton <fearthecel...@gmail.com>
>> > wrote:
>> >
>> > > Hi Men,
>> > >
>> > > That config snippet has a small syntax error: all double quotes
>> should be
>> > > escaped. Assuming you tried something like this:
>> > >
>> > > "database.history.producer.sasl.jaas.config":
>> > > "org.apache.kafka.common.security.scram.ScramLoginModule required
>> > > username=\"${file:/path/file.pro:user\"} password=\"${file:/path/
>> > file.pro
>> > > :password}\";"
>> > >
>> > > and still ran into issues, we'd probably need to see log files or, at
>> the
>> > > very least, the stack trace for the task from the REST API (if it
>> failed
>> > at
>> > > all) in order to follow up and provide more help.
>> > >
>> > > Cheers,
>> > >
>> > > Chris
>> > >
>> > > On Mon, Mar 7, 2022 at 3:26 PM Men Lim <zulu...@gmail.com> wrote:
>> > >
>> > > > Hi Chris,
>> > > > I was getting an unauthorized/authentication error message when I
>> was
>> > > > trying it out last Friday. I tried looking for the exact message in
>> > the
>> > > > connect.log.* files but was not very successful. In my connector
>> > file, I
>> > > > have
>> > > >
>> > > > {
>> > > > "name":"blah",
>> > > > "config": {
>> > > > ...
>> > > > ...
>> > > > "database.history.producer.sasl.jaas.config":
>> > > > "org.apache.kafka.common.security.scram.ScramLoginModule required
>> > > > username=\"000\" password=\"000000\";",
>> > > > ...
>> > > > }
>> > > > }
>> > > >
>> > > > I changed the database.history.producer.sasl.jaas.config to:
>> > > >
>> > > > "database.history.producer.sasl.jaas.config":
>> > > > "org.apache.kafka.common.security.scram.ScramLoginModule required
>> > > > username="${file:/path/file.pro:user"} password="${file:/path/
>> file.pro
>> > :
>> > > > password}";",
>> > > >
>> > > > On Mon, Mar 7, 2022 at 9:46 AM Chris Egerton <
>> fearthecel...@gmail.com>
>> > > > wrote:
>> > > >
>> > > > > Hi Men,
>> > > > >
>> > > > > The config provider mechanism should work for every property in a
>> > > > connector
>> > > > > config, and every property in a worker config except for the
>> > > plugin.path
>> > > > > property (see KAFKA-9845 [1]). You can also use it for only part
>> of a
>> > > > > single property, or even multiple parts, like in this example
>> > > (assuming a
>> > > > > config provider named "file"):
>> > > > >
>> > > > >
>> > >
>> sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule
>> > > > > required username="${file:/some/file.properties:username}"
>> > > > > password="${file:/some/file.properties:password}"
>> > > > >
>> > > > > What sorts of errors are you seeing when trying to use a config
>> > > provider
>> > > > > with sasl/scram credentials?
>> > > > >
>> > > > > [1] - https://issues.apache.org/jira/browse/KAFKA-9845
>> > > > >
>> > > > > Cheers,
>> > > > >
>> > > > > Chris
>> > > > >
>> > > > > On Mon, Mar 7, 2022 at 10:35 AM Men Lim <zulu...@gmail.com>
>> wrote:
>> > > > >
>> > > > > > Hi all,
>> > > > > >
>> > > > > > recently, I found out about
>> > > > > >
>> > > > > > config.providers=file
>> > > > > >
>> > > > > >
>> > > > > >
>> > > > >
>> > > >
>> > >
>> >
>> config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider
>> > > > > >
>> > > > > > This works great to remove our embedded database password into
>> an
>> > > > > external
>> > > > > > file. However, it does not work when I tried to do the same
>> thing
>> > > with
>> > > > > the
>> > > > > > sasl/scram username and password found in the distributor or
>> > > connector
>> > > > > file
>> > > > > > for kafka connect:
>> > > > > >
>> > > > > >
>> > > >
>> > sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule
>> > > > > > required \
>> > > > > > username="000" password="some_password";
>> > > > > >
>> > > > > > I was wondering if there's a way to secure these passwords as
>> well?
>> > > > > >
>> > > > > > Thanks,
>> > > > > >
>> > > > >
>> > > >
>> > >
>> >
>>
>
