Error when enabling Kerberos authentication and authorization on a Kafka cluster

追风 posted on: 2016-05-03   Last updated: 2021-04-09 17:06:01   13,049 views

Starting Kafka reports: Caused by: java.lang.IllegalArgumentException: You must pass java.security.auth.login.config in secure mode.

Kafka version: 0.9.0.1

Goal: enable Kerberos authentication and authorization on the Kafka cluster

The Kafka servers already have the Kerberos server and Kerberos client installed

The Kerberos authentication mechanism is configured in conf/server.properties under the Kafka root directory; part of the configuration is as follows:

listeners=SASL_PLAINTEXT://cstor01:9092
security.inter.broker.protocol=SASL_PLAINTEXT
advertised.listeners=SASL_PLAINTEXT://cstor01:9092
sasl.kerberos.service.name=kafka

# The port the socket server listens on
port=9092

# Hostname the broker will bind to. If not set, the server will bind to all interfaces
host.name=cstor01

# Hostname the broker will advertise to producers and consumers. If not set, it uses the
# value for "host.name" if configured.  Otherwise, it will use the value returned from
# java.net.InetAddress.getCanonicalHostName().
advertised.host.name=192.168.1.201

Starting Kafka fails:

./bin/kafka-server-start.sh config/server.properties >> /dev/null &

The error message is as follows:

[2016-04-29 18:00:31,965] FATAL Fatal error during KafkaServerStartable startup. Prepare to shutdown (kafka.server.KafkaServerStartable)
org.apache.kafka.common.KafkaException: java.lang.IllegalArgumentException: You must pass java.security.auth.login.config in secure mode.
    at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:74)
    at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:60)
    at kafka.network.Processor.<init>(SocketServer.scala:379)
    at kafka.network.SocketServer$$anonfun$startup$1$$anonfun$apply$1.apply$mcVI$sp(SocketServer.scala:96)
    at scala.collection.immutable.Range.foreach$mVc$sp(Range.scala:166)
    at kafka.network.SocketServer$$anonfun$startup$1.apply(SocketServer.scala:95)
    at kafka.network.SocketServer$$anonfun$startup$1.apply(SocketServer.scala:91)
    at scala.collection.Iterator$class.foreach(Iterator.scala:742)
    at scala.collection.AbstractIterator.foreach(Iterator.scala:1194)
    at scala.collection.MapLike$DefaultValuesIterable.foreach(MapLike.scala:206)
    at kafka.network.SocketServer.startup(SocketServer.scala:91)
    at kafka.server.KafkaServer.startup(KafkaServer.scala:179)
    at kafka.server.KafkaServerStartable.startup(KafkaServerStartable.scala:37)
    at kafka.Kafka$.main(Kafka.scala:67)
    at kafka.Kafka.main(Kafka.scala)
Caused by: java.lang.IllegalArgumentException: You must pass java.security.auth.login.config in secure mode.
    at org.apache.kafka.common.security.kerberos.Login.login(Login.java:289)
    at org.apache.kafka.common.security.kerberos.Login.<init>(Login.java:104)
    at org.apache.kafka.common.security.kerberos.LoginManager.<init>(LoginManager.java:44)
    at org.apache.kafka.common.security.kerberos.LoginManager.acquireLoginManager(LoginManager.java:85)
    at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:55)
    ... 14 more

Posted on 2016-05-03

You are probably missing a step: the JVM environment used to start the cluster has not been set.

-Djava.security.krb5.conf=/etc/kafka/krb5.conf
-Djava.security.auth.login.config=/etc/kafka/kafka_server_jaas.conf

Append these two parameters to the startup options.
Location: bin/kafka-run-class.sh

Related article for reference: https://www.orchome.com/172

追风 -> 半兽人 8 years ago

How do I add these two to the startup options??

無名 -> 追风 8 years ago

Find this in kafka-run-class.sh; this one is my own.

# JVM performance options
if [ -z "$KAFKA_JVM_PERFORMANCE_OPTS" ]; then
  KAFKA_JVM_PERFORMANCE_OPTS="-server -XX:+UseG1GC -XX:MaxGCPauseMillis=20 -XX:InitiatingHeapOccupancyPercent=35 -XX:+DisableExplicitGC -Djava.security.krb5.conf=/etc/kafka/krb5.conf -Djava.security.auth.login.config=/tools/kafka_2.11-0.9.0.1/kerberos/kafka_server_jaas.conf -Djava.awt.headless=true"
fi
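
Added example, not part of the original thread or of Kafka itself: a shell pre-flight check for the failure discussed above, run before starting a broker whose server.properties uses a SASL listener. The function name `check_sasl_jaas` and its return codes are assumptions made for this example; `KafkaServer` is the section name the broker reads from the JAAS file, and the sample input is constructed.

```shell
#!/usr/bin/env bash
# Pre-flight check: a broker with a SASL listener must be started with
# -Djava.security.auth.login.config pointing at a readable JAAS file.
# Return codes (chosen for this example): 0 ok, 1 option missing,
# 2 JAAS file unreadable, 3 JAAS file has no KafkaServer section.
check_sasl_jaas() {
  local props="$1" jvm_opts="$2" jaas="" opt
  # No SASL listener or inter-broker protocol configured: nothing to verify.
  if ! grep -Eq '^(listeners|advertised\.listeners|security\.inter\.broker\.protocol)=.*SASL_' "$props"; then
    return 0
  fi
  # Pull the path out of -Djava.security.auth.login.config=<path>.
  for opt in $jvm_opts; do
    case "$opt" in
      -Djava.security.auth.login.config=*) jaas="${opt#*=}" ;;
    esac
  done
  [ -n "$jaas" ] || { echo "missing -Djava.security.auth.login.config" >&2; return 1; }
  [ -r "$jaas" ] || { echo "JAAS file not readable: $jaas" >&2; return 2; }
  grep -Eq '^[[:space:]]*KafkaServer[[:space:]]*\{' "$jaas" \
    || { echo "no KafkaServer section in $jaas" >&2; return 3; }
  return 0
}

# Constructed sample input mirroring the settings quoted in the question:
# SASL listeners configured, but JVM options without the JAAS property.
demo_dir=$(mktemp -d)
printf '%s\n' 'listeners=SASL_PLAINTEXT://cstor01:9092' \
  'security.inter.broker.protocol=SASL_PLAINTEXT' > "$demo_dir/server.properties"
check_sasl_jaas "$demo_dir/server.properties" "-server -Djava.awt.headless=true" \
  || echo "pre-flight failed with code $?"
rm -rf "$demo_dir"
```

Pass the same option string the broker is launched with, for example the value of KAFKA_JVM_PERFORMANCE_OPTS shown above, as the second argument.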