On 1/12/23 20:42, Jesus Cea wrote:
I use SASL_SSL. The controller credentials are "wired" in the
configuration, so no "metadata recovery watermark" knowledge should be
necessary:
"""
listener.name.controller.sasl.enabled.mechanisms=PLAIN,SCRAM-SHA-256
listener.name.controller.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
username="controller" \
password="*EDITED" \
user_controller="*EDITED*";
listener.name.controller.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="*EDITED" password="*EDITED*";
"""
Since I am using SASL_SSL PLAINTEXT for inter-controller authentication,
because of https://issues.apache.org/jira/browse/KAFKA-15513 , I just added
the controller's user to "super.users" in the three quorum servers and
the cluster worked again. Then I did a rolling restart of each
controller to retire that "super" permission while not breaking the quorum.
Things look good so far.
Any suggestion, besides having the controllers distributed geographically?
Thanks.
Have a nice weekend.
--
Jesús Cea Avión
j...@jcea.es - https://www.jcea.es/
Twitter: @jcea
jabber / xmpp:j...@jabber.org
"Things are not so easy"
"My name is Dump, Core Dump"
"Love is placing your happiness in the happiness of another" - Leibniz
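
An added example, not part of the original message or of Kafka: a small lint for a controller listener configured as quoted above. It checks that the PLAIN login has a matching `user_<name>` entry and that the controller principal was not left in `super.users` after the workaround. The sample config and its secrets are constructed, and it assumes the PlainLoginModule semantics documented for brokers also apply to the controller listener.

```python
import re

# Constructed sample: same shape as the quoted listener config, with made-up secrets.
SAMPLE = r'''
listener.name.controller.sasl.enabled.mechanisms=PLAIN,SCRAM-SHA-256
listener.name.controller.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
    username="controller" \
    password="example-secret" \
    user_controller="example-secret";
super.users=User:admin;User:controller
'''

def load_properties(text):
    """Parse a .properties subset: key=value with backslash line continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]          # keep accumulating the logical line
            continue
        pending = ""
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit_controller_listener(props, listener="controller"):
    """Return a list of findings for the listener's PLAIN JAAS entry."""
    jaas = props.get(f"listener.name.{listener}.plain.sasl.jaas.config", "")
    opts = dict(re.findall(r'(\w+)="([^"]*)"', jaas))
    user = opts.get("username")
    if user is None:
        return ["no PLAIN JAAS entry for listener"]
    findings = []
    # Assumption: username/password is what this node presents to its peers,
    # and user_<name> entries are the credentials it accepts from them.
    if opts.get(f"user_{user}") != opts.get("password"):
        findings.append(f"user_{user} is missing or differs from password")
    supers = [p.strip() for p in props.get("super.users", "").split(";") if p.strip()]
    if f"User:{user}" in supers:
        findings.append(f"User:{user} is still in super.users")
    return findings

if __name__ == "__main__":
    for finding in audit_controller_listener(load_properties(SAMPLE)):
        print("WARN:", finding)
```
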