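QN: If I have different Kerberos realms, with the broker sitting on Linux and the producer sitting on Windows, how do I enable the connection using Kerberos? I have a valid keytab. Here is the krb5
Please see the definitive answer to this question at this link.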
Connect to Kafka on Unix from Windows with Kerberos
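The question below is a continuation of the third scenario explained by @Samson. In response to some of Samson's suggestions:
1. Added the default realm in krb5.
2. There is a one-way trust. The broker domain trusts my domain.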
[libdefaults]
renew_lifetime = 7d
forwardable = false
default_realm = SomeUrl.COM
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
udp_preference_limit = 1
[domain_realm]
.machine.test.group = SomeUrl.COM
machine.test.group = SomeUrl.COM
[realms]
SomeUrl.COM = {
admin_server = SomeUrl.COM
kdc = SomeUrl.COM
}
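SomeUrl.com is where the broker is located.
Here are the producer logs for this scenario.
Producer connecting to the broker, logs: (I have edited out the actual broker name and IP address)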
7 | 2017-06-14 09:03:49.181 | rdkafka#producer-1 | BROKER | [THRD:应用]: sasl_plaintext: //some.machine.test.group:9092/bootstrap:添加了NodeId -1的新代理
7 | 2017-06-14 09:03:49.180 | rdkafka#producer-1 | BRKMAIN | [thrd :: 0 / internal] :: 0 / int ernal:输入主经纪人线程
7 | 2017-06-14 09:03:49.227 | rdkafka#producer-1 | STATE | [thrd :: 0 / internal] :: 0 / inter nal:经纪人改变了国家INIT - > UP
7 | 2017-06-14 09:03:49.229 | rdkafka#producer-1 | BRKMAIN | [thrd:sasl_plaintext://some.machine.test.group:9092 / bootstrap]:sasl_plaintext://some.machine。 test.group:9092/bootstrap:输入主代理线程
7 | 2017-06-14 09:03:49.230 | rdkafka#producer-1 | CONNECT | [thrd:sasl_plaintext://some.machine.test.group:9092 / bootstrap]:sasl_plaintext://some.machine。 test.group:9092/bootstrap:在INIT连接状态下的代理
rdkafka#producer-1在KAFKA_MM_L0上生成。退出。
When I try to send a message (
rdkafka#producer-1在KAFKA_MM_L0上生成。退出。
7 | 2017-06-14 09:04:33.625 | rdkafka#producer-1 | CONNECT | [thrd:sasl_plaintext://some.machine.test.group:9092 / bootstrap]:sasl_plaintext://some.machine。 test.group:9092/bootstrap:使用socket 184连接到ipv4#1.1.1.1:9092(sasl_plaintext)
7 | 2017-06-14 09:04:33.627 | rdkafka#producer-1 | STATE | [thrd:sasl_plaintext://some.machine.test.group:9092 / bootstrap]:sasl_plaintext://some.machine.te st.group:9092/bootstrap:Broker改变状态INIT - > CONNECT
7 | 2017-06-14 09:04:33.637 | rdkafka#producer-1 | CONNECT | [thrd:sasl_plaintext://some.machine.test.group:9092 / bootstrap]:sasl_plaintext://some.machine。 test.group:9092/bootstrap:连接到ipv4#1.1.1.1:9092
7 | 2017-06-14 09:04:33.637 | rdkafka#producer-1 | CONNECTED | [thrd:sasl_plaintext://some.machine.test.group:9092 / bootstrap]:sasl_plaintext://some.machin e.test.group:9092/bootstrap:已连接(#1)
7 | 2017-06-14 09:04:33.638 | rdkafka#producer-1 | APIVERSION | [thrd:sasl_plaintext://some.machine.test.group:9092 / bootstrap]:sasl_plaintext://some.machi ne.test.group:9092/bootstrap:使用(配置回退)0.9.0协议功能
7 | 2017-06-14 09:04:33.640 | rdkafka#producer-1 | FEATURE | [thrd:sasl_plaintext://some.machine.test.group:9092 / bootstrap]:sasl_plaintext://some.machine。 test.group:9092/bootstrap:已将已启用的协议功能更新为BrokerBalancedCo nsumer,ThrottleTime,SASL BrokerGroupCoordinator,LZ4
7 | 2017-06-14 09:04:33.643 | rdkafka#producer-1 | AUTH | [thrd:sasl_plaintext://some.machine.test.group:9092 / bootstrap]:sasl_plaintext://some.machine.tes t.group:9092/bootstrap:状态为CONNECT的Auth(不支持握手)
7 | 2017-06-14 09:04:33.645 | rdkafka#producer-1 | STATE | [thrd:sasl_plaintext://some.machine.test.group:9092 / bootstrap]:sasl_plaintext://some.machine.te st.group:9092/bootstrap:代理已更改状态CONNECT - > AUTH
7 | 2017-06-14 09:04:33.646 | rdkafka#producer-1 | SASL | [thrd:sasl_plaintext://some.machine.test.group:9092 / bootstrap]:sasl_plaintext://some.machine.test.group:9092 / bootstrap:初始化SASL客户端:服务名称kafka,主机名some.machine.test .group,机制GSSAPI
7 | 2017-06-14 09:04:33.665 | rdkafka#producer-1 | SASL | [thrd:sasl_plaintext://some.machine.test.group:9092 / bootstrap]:sasl_plaintext://some.machine.test.group:9092 / bootstrap:获取的Kerberos凭证句柄(到期时间为2147483455.928712703s)
7 | 2017-06-14 09:04:33.676 | rdkafka#producer-1 | BROKERFAIL | [thrd:sasl_plaintext://some.machine.test.group:9092 / bootstrap]:sasl_plaintext://some.machi ne.test.group:9092/bootstrap:失败:错误:本地:身份验证失败:(错误:参数无效)