Re: Kafka 2.3 - SASL_SSL

Hi,

I am trying to authenticate with "super" user - admin as per the above
configuration. Is this possible with only "SASL_SSL" listeners? Or should I
have a "PLAIN" listener as well to authenticate with super user account?

Thanks

On Thu, Aug 29, 2019 at 8:43 PM Antony A <antonyaugustus@gmail.com> wrote:

> Hi,
>
> I have configured the brokers and zookeepers as below to enable SSL and
> authentication with SASL/Kerberos. I have tried with and without
> advertised.listeners, advertised.host.name, host.name, port.
>
> *server.properties*
>
> listeners=SASL_SSL://<hostname>:9092
> advertised.listeners=SASL_SSL://<hostname>:9092
>
> advertised.host.name=<hostname>
> host.name=<hostname>
> port=9092
>
> ssl.truststore.location=kafka.server.truststore.jks
> ssl.truststore.password=password
> ssl.keystore.location=kafka.server.keystore.jks
> ssl.keystore.password=password
> ssl.key.password=password
>
> security.inter.broker.protocol=SASL_SSL
> sasl.mechanism.inter.broker.protocol=GSSAPI
> sasl.enabled.mechanisms=GSSAPI
> sasl.kerberos.service.name=HTTP
>
> allow.everyone.if.no.acl.found=true
>
> zookeeper.set.acl=true
> authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
> super.users=User:kafka;User:admin
>
> *zookeeper.properties*
>
> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> requireClientAuthScheme=sasl
> jaasLoginRenew=3600000
>
> quorum.auth.enableSasl=true
> quorum.auth.learnerRequireSasl=true
> quorum.auth.serverRequireSasl=true
> quorum.auth.learner.loginContext=QuorumLearner
> quorum.auth.server.loginContext=QuorumServer
> quorum.cnxn.threads.size=20
>
> I have all the brokers and zookeepers configured similarly except for the
> hostname.
>
> Unfortunately I am unable to run my client. Below is the error with the consumer:
>
> kafkacat -b <hostname> -P -X security.protocol=SASL_SSL -X
> sasl.mechanisms=GSSAPI -X sasl.kerberos.keytab=krb5.keytab -X
> sasl.kerberos.service.name=HTTP -X
> sasl.kerberos.principal=HTTP/<hostname>/<domain> -t test -C
>
> % ERROR: Topic test error: Broker: Leader not available
>
> Any suggestions?
>
> Thanks
> AA
>
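The quoted server.properties mixes a single SASL_SSL listener, GSSAPI for inter-broker traffic, an ACL authorizer with `allow.everyone.if.no.acl.found=true` and a `super.users` list. The following linter, an added example that is not from the thread or the Kafka project, checks those settings for the consistency and fallback issues a reviewer would look at; the sample properties are constructed from the post with a placeholder hostname, and listener names are assumed to be the standard protocol names (no `listener.security.protocol.map`).

```python
"""Lint a Kafka broker server.properties for the settings quoted in this thread:
listener/inter-broker protocol consistency, enabled SASL mechanisms, the
super.users format and the ACL fallback. Added example, not from the thread."""
from typing import Dict, List, Set

# Constructed sample mirroring the quoted server.properties; hostname is a placeholder.
SAMPLE = """
listeners=SASL_SSL://broker1.example.internal:9092
security.inter.broker.protocol=SASL_SSL
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.enabled.mechanisms=GSSAPI
allow.everyone.if.no.acl.found=true
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:kafka;User:admin
"""

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser; skips blank lines and '#' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def listener_protocols(props: Dict[str, str]) -> Set[str]:
    """Protocol names of the listeners; assumes standard names (no listener.security.protocol.map)."""
    return {l.split("://", 1)[0] for l in props.get("listeners", "").split(",") if l}

def lint(props: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    protos = listener_protocols(props)
    ibp = props.get("security.inter.broker.protocol")
    if ibp and ibp not in protos:
        findings.append(f"security.inter.broker.protocol={ibp} has no matching listener")
    mechs = {m.strip() for m in props.get("sasl.enabled.mechanisms", "").split(",")}
    ibm = props.get("sasl.mechanism.inter.broker.protocol")
    if ibm and ibm not in mechs:
        findings.append(f"sasl.mechanism.inter.broker.protocol={ibm} not in sasl.enabled.mechanisms")
    for entry in filter(None, props.get("super.users", "").split(";")):
        if not entry.startswith("User:"):  # super users are 'User:<name>' principals
            findings.append(f"super.users entry '{entry}' is not of the form User:<name>")
    acl_open = props.get("allow.everyone.if.no.acl.found", "false").lower() == "true"
    if props.get("authorizer.class.name") and acl_open:
        findings.append("allow.everyone.if.no.acl.found=true: resources without an ACL are open "
                        "to every authenticated principal; set false and grant explicit ACLs")
    return findings
```

Run against the sample, the only finding is the permissive ACL fallback; the listener and mechanism checks pass because SASL_SSL and GSSAPI are used consistently.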