尝试连接启用了kerberos的kafka集群时,应用程序间歇性失败

时间:2019-05-13 16:23:34

标签: authentication apache-kafka kerberos

在我们的应用程序中,我们保护了kafka集群,该集群用于审计和异常处理。在完成某些事件后,主应用程序将连接到kafka并发送一条消息。有一个持续运行的使用者实用程序,它从队列接收消息。我们正在使用kerberose来确保安全。

连接到Kafka时,我们遇到了间歇性问题。有时失败,有时通过。有许多正在运行的作业正在将消息发送到Kafka中,并且其中任意一个作业可能在给定的一天内失败。 当尝试重新运行多次时,它会成功。

下面是错误消息。

Connection with broker-hostname/brokerhostip disconnected
javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]) occurred when evaluating SASL token received from the Kafka Broker. Kafka Client will go to AUTH_FAILED state.
    at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.createSaslToken(SaslClientAuthenticator.java:296)
    at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.sendSaslToken(SaslClientAuthenticator.java:213)
    at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.authenticate(SaslClientAuthenticator.java:181)
    at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:71)
    at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:350)
    at org.apache.kafka.common.network.Selector.poll(Selector.java:303)
    at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:349)
    at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:225)
    at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:126)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.security.sasl.SaslException: GSS initiate failed
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
    at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator$2.run(SaslClientAuthenticator.java:278)
    at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator$2.run(SaslClientAuthenticator.java:276)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.createSaslToken(SaslClientAuthenticator.java:276)
    ... 9 common frames omitted
Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
    at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
    at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)
    at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
    at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)

以下是我们正在使用的jas配置:

KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=true
  useTicketCache=true
  useKeyTab=true
  keyTab="keytab-file-location"
  renewTicket=true
  serviceName="kafka"
  principal="PRINCIPAL"
  debug=true
  client=true;
};

kafka属性:

bootstrapservers = "server-names"
topic = "topic-name"
securityprotocol = "SASL_PLAINTEXT"
keyserializer = "org.apache.kafka.common.serialization.StringSerializer"
valueserializer = "org.apache.kafka.common.serialization.StringSerializer"

Kerberose可以正常工作,因为主应用程序可以使用相同的配置连接到hadoop集群,而且如上所述,这是一个间歇性问题,因此在大多数情况下都可以工作。

有人可以指导我解决此问题吗?

0 个答案:

没有答案