Kafka with multiple SASL mechanisms enabled: Kerberos authenticates, but SCRAM and PLAIN fail

阿瑞斯 posted on: 2021-01-13   last updated: 2021-01-13

Server-side log:

2021-01-13 09:13:58,985 WARN org.apache.kafka.common.network.Selector: [SocketServer brokerId=30] Unexpected error from /172.18.30.151; closing connection
java.lang.NullPointerException
        at org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.handleSaslToken(SaslServerAuthenticator.java:450)
        at org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.authenticate(SaslServerAuthenticator.java:290)
        at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:173)
        at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:547)
        at org.apache.kafka.common.network.Selector.poll(Selector.java:483)
        at kafka.network.Processor.poll(SocketServer.scala:830)
        at kafka.network.Processor.run(SocketServer.scala:730)
        at java.lang.Thread.run(Thread.java:748)

kafka_server_jaas.conf

KafkaServer {
   org.apache.kafka.common.security.scram.ScramLoginModule required
   username="kafka"
   password="123456";

   org.apache.kafka.common.security.plain.PlainLoginModule required
   username="kafka"
   password="123456"
   user_kafka="123456";

   com.sun.security.auth.module.Krb5LoginModule required
   doNotPrompt=true
   useKeyTab=true
   storeKey=true
   useTicketCache=true
   keyTab="/etc/kafka/kafka.keytab"
   principal="kafka@HADOOP.COM";
};

KafkaClient {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   storeKey=true
   useTicketCache=true
   keyTab="/etc/kafka/kafka.keytab"
   principal="kafka@HADOOP.COM";
};

Client {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   storeKey=true
   useTicketCache=true
   keyTab="/etc/kafka/kafka.keytab"
   principal="kafka@HADOOP.COM";
};

client_jaas.conf

KafkaClient {
 org.apache.kafka.common.security.plain.PlainLoginModule required
 username="kafka"
 password="123456";
};

But running the command gives an error:

kafka-console-producer --broker-list cdh-test01:9092 --producer-property security.protocol=SASL_PLAINTEXT --producer-property sasl.mechanism=PLAIN --topic testAcl



  • The server.properties configuration is as follows:

    sasl.enabled.mechanisms=GSSAPI,SCRAM-SHA-256,PLAIN
    security.inter.broker.protocol=SASL_PLAINTEXT
    sasl.mechanism.inter.broker.protocol=GSSAPI
    authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
    allow.everyone.if.no.acl.found=true
    advertised.listeners=SASL_PLAINTEXT://cdh-test01:9092
    listeners=SASL_PLAINTEXT://cdh-test01:9092
    sasl.kerberos.service.name=kafka
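The script below is an added example and is not part of this thread or of Kafka itself. It cross-checks the server.properties posted above against the KafkaServer section of the JAAS file from the original post: every mechanism in sasl.enabled.mechanisms must have its login module in KafkaServer (GSSAPI needs Krb5LoginModule, PLAIN needs PlainLoginModule, SCRAM-SHA-256/512 need ScramLoginModule), the inter-broker mechanism must be one of the enabled ones, sasl.kerberos.service.name must match the primary of the broker principal, and a PLAIN client's username/password must match a user_<name>=<password> entry on the broker. The function and constant names (parse_jaas, check_broker_sasl, check_plain_client, SERVER_JAAS, ...) are my own, and the configuration strings are constructed copies of what was posted. On the configuration as posted these checks come back clean, so they rule out the usual mechanism/module and credential mismatches rather than explain this particular NullPointerException.

```python
"""Cross-check a Kafka broker's sasl.enabled.mechanisms against its JAAS file.
Added example, not code from the original post. The mechanism -> login module
mapping and the user_<name>=<password> convention of PlainLoginModule are
standard Kafka behaviour; the sample strings are constructed copies of the post.
"""
import re
from typing import Dict, List, Tuple

MECHANISM_MODULES = {  # login module each mechanism needs in the KafkaServer section
    "GSSAPI": "com.sun.security.auth.module.Krb5LoginModule",
    "PLAIN": "org.apache.kafka.common.security.plain.PlainLoginModule",
    "SCRAM-SHA-256": "org.apache.kafka.common.security.scram.ScramLoginModule",
    "SCRAM-SHA-512": "org.apache.kafka.common.security.scram.ScramLoginModule",
}
SECTION_RE = re.compile(r"(\w+)\s*\{(.*?)\}\s*;", re.DOTALL)
OPTION_RE = re.compile(r'([\w.]+)\s*=\s*("[^"]*"|\S+)')


def parse_jaas(text: str) -> Dict[str, List[Tuple[str, str, Dict[str, str]]]]:
    """JAAS syntax 'Section { Module flag opt=val ...; ... };' -> {section: [(module, flag, opts)]}."""
    text = re.sub(r"//[^\n]*", "", text)  # drop // comments
    sections = {}
    for name, body in SECTION_RE.findall(text):
        entries = []
        for raw in body.split(";"):  # one login module per ';'-terminated entry
            parts = raw.split(None, 2)
            if parts:
                rest = parts[2] if len(parts) > 2 else ""
                opts = {k: v.strip('"') for k, v in OPTION_RE.findall(rest)}
                entries.append((parts[0], parts[1] if len(parts) > 1 else "", opts))
        sections[name] = entries
    return sections


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser for server.properties (comments and blanks skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_broker_sasl(server_properties: str, server_jaas: str) -> List[str]:
    """Return findings; an empty list means server.properties and the JAAS file agree."""
    findings = []
    props = parse_properties(server_properties)
    mechanisms = [m.strip() for m in props.get("sasl.enabled.mechanisms", "").split(",") if m.strip()]
    server = parse_jaas(server_jaas).get("KafkaServer")
    if server is None:
        return ["KafkaServer section missing from JAAS file"]
    present = {module for module, _, _ in server}
    for mech in mechanisms:
        needed = MECHANISM_MODULES.get(mech)
        if needed is None:
            findings.append(f"{mech}: not a mechanism this check knows")
        elif needed not in present:
            findings.append(f"{mech}: enabled but {needed.rsplit('.', 1)[-1]} is not in KafkaServer")
    inter = props.get("sasl.mechanism.inter.broker.protocol", "GSSAPI")  # Kafka's default
    if inter not in mechanisms:
        findings.append(f"inter-broker mechanism {inter} is not in sasl.enabled.mechanisms")
    for module, _, opts in server:
        short = module.rsplit(".", 1)[-1]
        if short == "PlainLoginModule":
            # Broker-side PLAIN credentials are the user_<name>=<password> options; the
            # broker's own username must appear there as well.
            user = opts.get("username")
            if user and f"user_{user}" not in opts:
                findings.append(f"PlainLoginModule: no user_{user} entry for the broker's own username")
        elif short == "Krb5LoginModule":
            for required in ("keyTab", "principal"):
                if required not in opts:
                    findings.append(f"Krb5LoginModule: missing {required}")
            primary = opts.get("principal", "").split("@")[0].split("/")[0]
            service = props.get("sasl.kerberos.service.name")
            if service and primary != service:
                findings.append(f"sasl.kerberos.service.name={service} but broker principal primary is {primary}")
        # ScramLoginModule options only cover inter-broker SCRAM; client SCRAM
        # credentials are created with kafka-configs (--entity-type users), not in JAAS.
    return findings


def check_plain_client(server_jaas: str, client_jaas: str) -> List[str]:
    """Verify the client's PLAIN username/password matches a user_<name> entry on the broker."""
    server = parse_jaas(server_jaas).get("KafkaServer", [])
    client = parse_jaas(client_jaas).get("KafkaClient", [])
    server_plain = [o for m, _, o in server if m.endswith("PlainLoginModule")]
    client_plain = [o for m, _, o in client if m.endswith("PlainLoginModule")]
    if not server_plain or not client_plain:
        return ["PlainLoginModule missing on the broker or the client"]
    user = client_plain[0].get("username", "")
    expected = server_plain[0].get(f"user_{user}")
    if expected is None:
        return [f"client user '{user}' has no user_{user} entry on the broker"]
    if expected != client_plain[0].get("password"):
        return [f"password for '{user}' differs between client and broker JAAS"]
    return []


# Constructed copies of the poster's server.properties and JAAS sections.
SERVER_PROPERTIES = """
sasl.enabled.mechanisms=GSSAPI,SCRAM-SHA-256,PLAIN
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.kerberos.service.name=kafka
"""
SERVER_JAAS = """
KafkaServer {
   org.apache.kafka.common.security.scram.ScramLoginModule required
   username="kafka" password="123456";
   org.apache.kafka.common.security.plain.PlainLoginModule required
   username="kafka" password="123456" user_kafka="123456";
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true storeKey=true keyTab="/etc/kafka/kafka.keytab" principal="kafka@HADOOP.COM";
};
"""
CLIENT_JAAS = """
KafkaClient {
 org.apache.kafka.common.security.plain.PlainLoginModule required
 username="kafka" password="123456";
};
"""

if __name__ == "__main__":
    findings = check_broker_sasl(SERVER_PROPERTIES, SERVER_JAAS) + check_plain_client(SERVER_JAAS, CLIENT_JAAS)
    print("\n".join(findings) or "broker and client SASL configuration are consistent")
```

Run it against the real files by reading them into the two string arguments; a non-empty result names the mismatch in plain words. The JAAS parser is deliberately small (no nested braces, no escaped quotes inside values), which is enough for the section layout Kafka documents.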
    
    • The server-side log is as above; the client-side log:

      21/01/13 10:08:08 WARN clients.NetworkClient: [Producer clientId=console-producer] Connection to node -1 (cdh-test01/172.18.30.151:9092) terminated during authentication. This may happen due to any of the following reasons: (1) Authentication failed due to invalid credentials with brokers older than 1.0.0, (2) Firewall blocking Kafka TLS traffic (eg it may only allow HTTPS traffic), (3) Transient network issue.
      

      There are no other error messages.

        • Translated, the message above lists three situations:
          (1) Authentication failed because the credentials used are invalid with brokers earlier than version 1.0.0,
          (2) A firewall is blocking Kafka TLS traffic (for example, it may only allow HTTPS traffic).
          (3) A transient network issue.

          This is a client-side connection error; if the server side has a problem, the client will naturally fail, so look at the broker or the relevant authorization logs first.
          With many authorization setups, some step did not succeed, nobody noticed, and the whole thing fails as a result.
          As I recall, every step in the article prints a specific success log when it is set up correctly, and there is a way to check each step.