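Apache Kafka secure and non-secure connections with Spark 1.6.3

Time: 2017-08-01 10:20:49

Tags: apache-kafka kerberos

I get an error when trying to use Apache Kafka (0.9) with Kerberos together with Apache Spark 1.6.3. The ZooKeeper version is 3.4.5. I have to connect to two Kafka clusters. One has Kerberos enabled and the other does not, so I did not set the java.security.auth.login.config property in the Spark executor's extra Java opts.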

Kafka Initialization failed: org.apache.kafka.common.KafkaException: Failed to construct kafka consumer
    at org.apache.kafka.clients.consumer.KafkaConsumer.<init>(KafkaConsumer.java:648)
    at org.apache.kafka.clients.consumer.KafkaConsumer.<init>(KafkaConsumer.java:542)
    at org.apache.kafka.clients.consumer.KafkaConsumer.<init>(KafkaConsumer.java:524)
    at com.spark.receiver.helper.KafkaChannelHelper.initializeConnection(KafkaChannelHelper.java:277)
    at com.spark.receiver.helper.KafkaChannelHelper$2.run(KafkaChannelHelper.java:240)
Caused by: org.apache.kafka.common.KafkaException: java.lang.IllegalArgumentException: Could not find a 'KafkaClient' entry in `/home/user/kafka_client.conf`.
    at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:74)
    at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:60)
    at org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:79)
    at org.apache.kafka.clients.consumer.KafkaConsumer.<init>(KafkaConsumer.java:577)
    ... 4 more
Caused by: java.lang.IllegalArgumentException: Could not find a 'KafkaClient' entry in `/home/user/kafka_client.conf`.
    at org.apache.kafka.common.security.kerberos.Login.login(Login.java:294)
    at org.apache.kafka.common.security.kerberos.Login.<init>(Login.java:104)
    at org.apache.kafka.common.security.kerberos.LoginManager.<init>(LoginManager.java:44)
    at org.apache.kafka.common.security.kerberos.LoginManager.acquireLoginManager(LoginManager.java:85)
    at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:55)
    ... 7 more

java.security.auth.login.config is set in the consumer itself. The code that connects the KafkaConsumer is:

public void initializeConnection() {
    props.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SASL_PLAINTEXT");
    System.setProperty("java.security.auth.login.config", jassFilePath);
    try {
        this.consumer = new KafkaConsumer<String, byte[]>(props);
    } catch (Exception e) {
        LOGGER.error("Kafka Initialization failed: ", e);
    }
}

kafka_client.conf contains only the following section:

KafkaClient{
    com.sun.security.auth.module.Krb5LoginModule required
    debug=true
    useKeyTab=true
    keyTab="/etc/security/keytabs/user.keytab"
    storeKey=true
    principal="user@REALM"
    serviceName="kafka";
};

2 answers:

Answer 0: (score: 1)

Two things should be considered before publishing data to, or consuming data from, a secure environment:

  • Configure security.protocol
Properties props = new Properties();
props.put("security.protocol", "PLAINTEXTSASL");
  • Pass the JAAS configuration along with the Java VM options
java -Djava.security.auth.login.config=/home/kafka-user/kafka-jaas.conf \
-Djava.security.krb5.conf=/etc/krb5.conf \
-Djavax.security.auth.useSubjectCredsOnly=false \
-cp hdp-kafka-sample-1.0-SNAPSHOT.jar:/usr/hdp/current/kafka-broker/libs/* \
hdp.sample.KafkaProducer one.hdp:6667 test

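See secure-kafka-java-producer-with-kerberos for complete instructions.

Answer 1: (score: 0)

I had a similar problem with Kafka 1.11.0.

A monitoring program in the same JVM accesses multiple brokers; some brokers use SASL Kerberos while others are not secured.

When accessing the secure cluster, the parameter is added by the program itself.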

-Djava.security.auth.login.config=/home/kafka-user/kafka-jaas.conf

But the program throws an exception:


Could not find a 'KafkaClient' entry in the JAAS configuration. System property 'java.security.auth.login.config' is /path/to/jaas/kafka_client_jaas_usekeytab.conf

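The strange thing is that java.security.auth.login.config is set correctly and the contents of the file are fine.

Other programs that use a single cluster work fine.

The official Kafka documentation, JAAS configuration for Kafka clients, says: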

Clients may specify JAAS configuration as a producer or consumer property without creating a physical configuration file. 

This mode also enables different producers and consumers within the same JVM to use different credentials by specifying different properties for each client. 

If both static JAAS configuration system property java.security.auth.login.config and client property sasl.jaas.config are specified, the client property will be used.

Another question here says:

He ran into some problems when using only java.security.auth.login.config.

Maybe the solution is:

Provide sasl.jaas.config java.security.auth.login.config in the program

I will try to verify it in this case.
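
The per-client approach from the documentation quoted in answer 1, as an added example (not code from the question or either answer): one JVM holds a Kerberos consumer configured through the `sasl.jaas.config` client property and an unsecured consumer, without touching the JVM-wide `java.security.auth.login.config`. It assumes kafka-clients 0.10.2 or later (where `sasl.jaas.config` was introduced) on the classpath; the broker addresses, group id and class name are placeholders, and the keytab and principal are the ones shown in the question.

```java
import java.util.Properties;
import org.apache.kafka.clients.consumer.KafkaConsumer;

public class TwoClusterConsumers {

    // Inline JAAS entry for one client. It takes the place of the KafkaClient
    // section that java.security.auth.login.config would load for the whole JVM.
    static String keytabJaas(String keyTab, String principal) {
        return "com.sun.security.auth.module.Krb5LoginModule required"
                + " useKeyTab=true storeKey=true"
                + " keyTab=\"" + keyTab + "\""
                + " principal=\"" + principal + "\";";
    }

    static Properties base(String bootstrapServers, String protocol) {
        Properties p = new Properties();
        p.put("bootstrap.servers", bootstrapServers);
        p.put("group.id", "example-group"); // hypothetical group id
        p.put("key.deserializer", "org.apache.kafka.common.serialization.StringDeserializer");
        p.put("value.deserializer", "org.apache.kafka.common.serialization.ByteArrayDeserializer");
        p.put("security.protocol", protocol);
        return p;
    }

    static Properties kerberized(String bootstrapServers, String keyTab, String principal) {
        Properties p = base(bootstrapServers, "SASL_PLAINTEXT");
        p.put("sasl.kerberos.service.name", "kafka");
        p.put("sasl.jaas.config", keytabJaas(keyTab, principal));
        return p;
    }

    public static void main(String[] args) {
        // Placeholder broker addresses; keytab and principal as in the question.
        Properties secure = kerberized("secure-broker.example:9092",
                "/etc/security/keytabs/user.keytab", "user@REALM");
        Properties open = base("open-broker.example:9092", "PLAINTEXT");

        try (KafkaConsumer<String, byte[]> kerberosConsumer = new KafkaConsumer<>(secure);
             KafkaConsumer<String, byte[]> plainConsumer = new KafkaConsumer<>(open)) {
            // Only kerberosConsumer performs a Kerberos login; plainConsumer never consults JAAS.
            System.out.println("both consumers constructed");
        }
    }
}
```

The location of krb5.conf (`java.security.krb5.conf`) remains a JVM-wide setting, so both clients share the same realm and KDC configuration.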