Ok, so you're trying to enable both SASL authentication (digest) and TLS,
using mTLS for Zookeeper?  I'm just trying to understand the bigger
picture.  The error you're getting regarding the Sasl token sounds like
either the jaas config on the Kafka broker side is wrong/missing, or the
jaas config on the ZK side is wrong/missing.  (you need both - in this case
the broker is the "client" and ZK is the "server"). Are you able to share
the jaas config you're using for both Kafka and ZK?  Without seeing that
it's tough to know.  Also, to make troubleshooting easier you might want to
leave TLS out of it for now and get SASL working first.  (or vice-versa)



On Thu, Nov 9, 2023 at 11:26 PM arjun s v <arjun.cs...@gmail.com> wrote:

> "Digest-MD5 is SASL authentication, so not sure what you mean here."
> If I set zookeeper.sasl.client=true, zookeeper expects a "saslToken" and
> throws the following error,
>
> "SASL authentication failed using login context 'Client' with exception:
> {}" "javax.security.sasl.SaslException: Error in authenticating with a
> Zookeeper Quorum member: the quorum member's saslToken is null.
>
>         at org.apache.zookeeper.client.ZooKeeperSaslClient.createSaslToken(ZooKeeperSaslClient.java:312)
>         at org.apache.zookeeper.client.ZooKeeperSaslClient.respondToServer(ZooKeeperSaslClient.java:275)
>         at org.apache.zookeeper.ClientCnxn$SendThread.readResponse(ClientCnxn.java:882)
>         at org.apache.zookeeper.ClientCnxnSocketNIO.doIO(ClientCnxnSocketNIO.java:103)
>         at org.apache.zookeeper.ClientCnxnSocketNIO.doTransport(ClientCnxnSocketNIO.java:365)
>         at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1223)
>
>
> "Hmm, that config shouldn't have anything to do with TLS. You can set ACL's
> with or without TLS encryption. Were you getting an error?"
>
>
> "Fatal error during KafkaServer startup. Prepare to shutdown"
> "java.lang.SecurityException: zookeeper.set.acl is true, but ZooKeeper
> client TLS configuration identifying at least
> kafka.server.KafkaConfig$@7b22ec89.ZkSslClientEnableProp,
> kafka.server.KafkaConfig$@7b22ec89.ZkClientCnxnSocketProp, and
> kafka.server.KafkaConfig$@7b22ec89.ZkSslKeyStoreLocationProp was not
> present and the verification of the JAAS login file failed
> [java.security.auth.login.config=./../config/kafka_server_jaas.conf,
> zookeeper.sasl.client=false, zookeeper.sasl.clientconfig=default:Client]
>
>         at kafka.server.KafkaServer.initZkClient(KafkaServer.scala:445)
>         at kafka.server.KafkaServer.startup(KafkaServer.scala:191)
>         at kafka.Kafka$.main(Kafka.scala:109)
>         at kafka.Kafka.main(Kafka.scala)
>
>
> "This was the 2nd result in a google search:
> https://docs.confluent.io/platform/current/security/zk-security.html"
>
> FYKI, I've googled, asked ChatGPT, surfed over many zookeeper and kafka
> docs and blogs.
> I remember trying the doc you suggested here about 10 days back in the
> initial days of this task!
> About the doc you suggested,
> I cannot configure SSL as I already mentioned. If I skip the SSL config part
> from your suggested doc and try Digest-MD5, I come up against the "saslToken
> missing" exception which I mentioned above!
> I don't really understand what saslToken is and how to make it get
> generated for Digest auth!
> Please assist!
>
> On Thu, Nov 9, 2023 at 7:15 PM Alex Craig <alexcrai...@gmail.com> wrote:
>
> > " I couldn't find any doc by kafka to enable Digest-MD5 authentication."
> > This was the 2nd result in a google search:
> > https://docs.confluent.io/platform/current/security/zk-security.html
> >
> > " I don't want to enable SASL."
> > Digest-MD5 is SASL authentication, so not sure what you mean here.
> >
> > " If I set zookeeper.set.acl=true, I'm forced to configure TLS."
> > Hmm, that config shouldn't have anything to do with TLS. You can set ACL's
> > with or without TLS encryption.  Were you getting an error?
> >
> > On Wed, Nov 8, 2023 at 11:35 PM arjun s v <arjun.cs...@gmail.com> wrote:
> >
> > > Team,
> > >
> > > Please consider this as high priority, we need to enable authentication
> > > ASAP. Please assist.
> > > On Tue, Nov 7, 2023 at 4:38 PM arjun s v <arjun.cs...@gmail.com> wrote:
> > >
> > > > Hi team,
> > > >
> > > > I'm trying to configure *Digest-MD5* authentication between kafka and
> > > > zookeeper.
> > > > Also I need to set ACL with digest scheme and credentials.
> > > > I don't want to enable SASL.
> > > > I tried to follow this
> > > > <https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication>
> > > > doc from zookeeper,
> > > >
> > > >    - If I configured a jaas file, I have to set zookeeper.sasl.client=true (if
> > > >    not kafka throws error from JaasUtils) which enables sasl authentication.
> > > >    - If I set zookeeper.set.acl=true, I'm forced to configure TLS.
> > > >
> > > > I couldn't find any doc by kafka to enable Digest-MD5 authentication.
> > > > I cannot configure kerberos or TLS, just a Digest-MD5 is sufficient for my
> > > > usecase.
> > > > Please let me know if there are any docs to enable Digest-MD5 auth between
> > > > kafka and zookeeper.
> > > >
> > > > Regards,
> > > > Arjun S V
> > > >
> > >
> >
>
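
The reply at the top of this thread says the JAAS config is needed on both sides, with the broker as the "client" and ZooKeeper as the "server". The check below is an added example, not part of the thread and not Kafka or ZooKeeper code. It assumes ZooKeeper's DigestLoginModule with a `Client` section in the broker's file and a `Server` section in ZooKeeper's; the user name, password and file contents are constructed.

```python
import re

# Constructed sample files: the user name and password are placeholders.
BROKER_JAAS = '''Client {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    username="kafka"
    password="example-secret";
};'''
ZK_JAAS = '''Server {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_kafka="example-secret";
};'''

def parse_jaas(text):
    """Return {section: {option: value}} for every 'Name { ... };' block."""
    sections = {}
    for name, body in re.findall(r'(\w+)\s*\{(.*?)\}\s*;', text, re.S):
        options = dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', body))
        options['_module'] = (body.split() or [''])[0]  # login module class name
        sections[name] = options
    return sections

def check_digest_pair(broker_text, zk_text):
    """List problems that would stop the broker's DIGEST-MD5 login to ZooKeeper."""
    problems = []
    client = parse_jaas(broker_text).get('Client')
    server = parse_jaas(zk_text).get('Server')
    if client is None:
        problems.append("broker JAAS file has no 'Client' section")
    if server is None:
        problems.append("ZooKeeper JAAS file has no 'Server' section")
    if client is None or server is None:
        return problems
    for side, section in (('Client', client), ('Server', server)):
        if not section['_module'].endswith('DigestLoginModule'):
            problems.append(f"{side} section does not use DigestLoginModule")
    user = client.get('username')
    if not user or 'password' not in client:
        problems.append("Client section lacks username or password")
    elif f'user_{user}' not in server:
        problems.append(f"Server section has no user_{user} entry")
    elif server[f'user_{user}'] != client['password']:
        problems.append(f"password for {user} differs between the two files")
    return problems

if __name__ == '__main__':
    print(check_digest_pair(BROKER_JAAS, ZK_JAAS) or 'JAAS pair is consistent')
```

A clean result only covers the two files; each JVM must also be started with `java.security.auth.login.config` pointing at its own file, as in the broker error quoted above.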
