I ran into the following error while using Kerberos and really cannot solve it. Please help!
zookeeper log:
[2016-07-24 02:23:23,935] INFO Accepted socket connection from /10.211.55.5:41176 (org.apache.zookeeper.server.NIOServerCnxnFactory)
[2016-07-24 02:23:23,944] DEBUG Session establishment request from client /10.211.55.5:41176 client's lastZxid is 0x0 (org.apache.zookeeper.server.ZooKeeperServer)
[2016-07-24 02:23:23,944] INFO Client attempting to establish new session at /10.211.55.5:41176 (org.apache.zookeeper.server.ZooKeeperServer)
[2016-07-24 02:23:23,949] DEBUG Processing request:: sessionid:0x15618f30b890001 type:createSession cxid:0x0 zxid:0x424b txntype:-10 reqpath:n/a (org.apache.zookeeper.server.FinalRequestProcessor)
[2016-07-24 02:23:23,950] DEBUG sessionid:0x15618f30b890001 type:createSession cxid:0x0 zxid:0x424b txntype:-10 reqpath:n/a (org.apache.zookeeper.server.FinalRequestProcessor)
[2016-07-24 02:23:23,950] INFO Established session 0x15618f30b890001 with negotiated timeout 6000 for client /10.211.55.5:41176 (org.apache.zookeeper.server.ZooKeeperServer)
[2016-07-24 02:23:23,973] DEBUG Responding to client SASL token. (org.apache.zookeeper.server.ZooKeeperServer)
[2016-07-24 02:23:23,973] DEBUG Size of client SASL token: 573 (org.apache.zookeeper.server.ZooKeeperServer)
[2016-07-24 02:23:23,973] ERROR cnxn.saslServer is null: cnxn object did not initialize its saslServer properly. (org.apache.zookeeper.server.ZooKeeperServer)
[2016-07-24 02:23:24,318] WARN caught end of stream exception (org.apache.zookeeper.server.NIOServerCnxn)
EndOfStreamException: Unable to read additional data from client sessionid 0x15618f30b890001, likely client has closed socket
at org.apache.zookeeper.server.NIOServerCnxn.doIO(NIOServerCnxn.java:228)
at org.apache.zookeeper.server.NIOServerCnxnFactory.run(NIOServerCnxnFactory.java:208)
at java.lang.Thread.run(Thread.java:745)
[2016-07-24 02:23:24,318] INFO Closed socket connection for client /10.211.55.5:41176 which had sessionid 0x15618f30b890001 (org.apache.zookeeper.server.NIOServerCnxn)
[2016-07-24 02:23:30,000] INFO Expiring session 0x15618f30b890001, timeout of 6000ms exceeded (org.apache.zookeeper.server.ZooKeeperServer)
[2016-07-24 02:23:30,001] INFO Processed session termination for sessionid: 0x15618f30b890001 (org.apache.zookeeper.server.PrepRequestProcessor)
[2016-07-24 02:23:30,004] DEBUG Processing request:: sessionid:0x15618f30b890001 type:closeSession cxid:0x0 zxid:0x424c txntype:-11 reqpath:n/a (org.apache.zookeeper.server.FinalRequestProcessor)
kafka log:
[2016-07-24 02:23:23,954] INFO zookeeper state changed (SyncConnected) (org.I0Itec.zkclient.ZkClient)
[2016-07-24 02:23:23,954] DEBUG Leaving process event (org.I0Itec.zkclient.ZkClient)
[2016-07-24 02:23:23,954] DEBUG ClientCnxn:sendSaslPacket:length=0 (org.apache.zookeeper.client.ZooKeeperSaslClient)
[2016-07-24 02:23:23,955] DEBUG saslClient.evaluateChallenge(len=0) (org.apache.zookeeper.client.ZooKeeperSaslClient)
[2016-07-24 02:23:23,973] ERROR SASL authentication failed using login context 'Client'. (org.apache.zookeeper.client.ZooKeeperSaslClient)
[2016-07-24 02:23:23,974] DEBUG Received event: WatchedEvent state:AuthFailed type:None path:null (org.I0Itec.zkclient.ZkClient)
[2016-07-24 02:23:23,974] INFO zookeeper state changed (AuthFailed) (org.I0Itec.zkclient.ZkClient)
[2016-07-24 02:23:23,974] DEBUG Leaving process event (org.I0Itec.zkclient.ZkClient)
[2016-07-24 02:23:23,974] DEBUG Closing ZkClient... (org.I0Itec.zkclient.ZkClient)
[2016-07-24 02:23:23,974] INFO Terminate ZkClient event thread. (org.I0Itec.zkclient.ZkEventThread)
[2016-07-24 02:23:23,974] DEBUG Closing ZooKeeper connected to 10.211.55.5:2181 (org.I0Itec.zkclient.ZkConnection)
[2016-07-24 02:23:23,974] DEBUG Close called on already closed client (org.apache.zookeeper.ZooKeeper)
[2016-07-24 02:23:23,974] DEBUG Closing ZkClient...done (org.I0Itec.zkclient.ZkClient)
[2016-07-24 02:23:23,975] FATAL Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.I0Itec.zkclient.exception.ZkAuthFailedException: Authentication failure
at org.I0Itec.zkclient.ZkClient.waitForKeeperState(ZkClient.java:946)
at org.I0Itec.zkclient.ZkClient.waitUntilConnected(ZkClient.java:923)
at org.I0Itec.zkclient.ZkClient.connect(ZkClient.java:1230)
at org.I0Itec.zkclient.ZkClient.<init>(ZkClient.java:156)
at org.I0Itec.zkclient.ZkClient.<init>(ZkClient.java:130)
at kafka.utils.ZkUtils$.createZkClientAndConnection(ZkUtils.scala:75)
at kafka.utils.ZkUtils$.apply(ZkUtils.scala:57)
at kafka.server.KafkaServer.initZk(KafkaServer.scala:294)
at kafka.server.KafkaServer.startup(KafkaServer.scala:180)
at kafka.server.KafkaServerStartable.startup(KafkaServerStartable.scala:37)
at kafka.Kafka$.main(Kafka.scala:67)
at kafka.Kafka.main(Kafka.scala)
[2016-07-24 02:23:23,978] INFO shutting down (kafka.server.KafkaServer)
[2016-07-24 02:23:23,979] DEBUG Shutting down task scheduler. (kafka.utils.KafkaScheduler)
[2016-07-24 02:23:23,981] INFO shut down completed (kafka.server.KafkaServer)
[2016-07-24 02:23:23,982] FATAL Fatal error during KafkaServerStartable startup. Prepare to shutdown (kafka.server.KafkaServerStartable)
org.I0Itec.zkclient.exception.ZkAuthFailedException: Authentication failure
at org.I0Itec.zkclient.ZkClient.waitForKeeperState(ZkClient.java:946)
at org.I0Itec.zkclient.ZkClient.waitUntilConnected(ZkClient.java:923)
at org.I0Itec.zkclient.ZkClient.connect(ZkClient.java:1230)
at org.I0Itec.zkclient.ZkClient.<init>(ZkClient.java:156)
at org.I0Itec.zkclient.ZkClient.<init>(ZkClient.java:130)
at kafka.utils.ZkUtils$.createZkClientAndConnection(ZkUtils.scala:75)
at kafka.utils.ZkUtils$.apply(ZkUtils.scala:57)
at kafka.server.KafkaServer.initZk(KafkaServer.scala:294)
at kafka.server.KafkaServer.startup(KafkaServer.scala:180)
at kafka.server.KafkaServerStartable.startup(KafkaServerStartable.scala:37)
at kafka.Kafka$.main(Kafka.scala:67)
at kafka.Kafka.main(Kafka.scala)
[2016-07-24 02:23:23,985] INFO shutting down (kafka.server.KafkaServer)
krb5kdc log:
Jul 24 02:23:23 weiwei krb5kdc[17652](info): AS_REQ (3 etypes {17 16 23}) 10.211.55.5: ISSUE: authtime 1469298203, etypes {rep=17 tkt=18 ses=17}, kafka/10.211.55.5@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jul 24 02:23:23 weiwei krb5kdc[17652](info): TGS_REQ (3 etypes {17 16 23}) 10.211.55.5: ISSUE: authtime 1469298203, etypes {rep=17 tkt=18 ses=17}, kafka/10.211.55.5@EXAMPLE.COM for zookeeper/10.211.55.5@EXAMPLE.COM
My configuration is as follows:
/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.COM = {
kdc = 10.211.55.5
admin_server = 10.211.55.5
}
[domain_realm]
10.211.55.5 = EXAMPLE.COM
/etc/kafka/kafka_server_jaas.conf
KafkaServer {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab="/var/kerberos/krb5kdc/kafka.keytab"
principal="kafka/10.211.55.5@EXAMPLE.COM";
};
// Zookeeper client authentication
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab="/var/kerberos/krb5kdc/kafka.keytab"
principal="kafka/10.211.55.5@EXAMPLE.COM";
};
kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: listprincs
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/weiwei@EXAMPLE.COM
kafka/10.211.55.5@EXAMPLE.COM
kafka/weiwei@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
root/admin@EXAMPLE.COM
zookeeper/10.211.55.5@EXAMPLE.COM
JVM:
start the process:
zookeeper:
# ps -ef|grep zookeeper|grep --color=auto /etc/kafka/kafka_server_jaas.conf
root 6172 20094 39 03:02 pts/5 00:00:00 /usr/java/jdk1.8.0_60/bin/java -Xmx512M -Xms512M -server -XX:+UseG1GC -XX:MaxGCPauseMillis=20 -XX:InitiatingHeapOccupancyPercent=35 -XX:+DisableExplicitGC -Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/etc/kafka/kafka_server_jaas.conf -Djava.awt.headless=true -Xloggc:/tools/kafka_2.11-0.10.0.0/bin/../logs/zookeeper-gc.log -verbose:gc -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+PrintGCTimeStamps -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dkafka.logs.dir=/tools/kafka_2.11-0.10.0.0/bin/../logs -Dlog4j.configuration=file:bin/../config/log4j.properties -cp .:/usr/java/jdk1.8.0_60/lib/dt.jar:/usr/java/jdk1.8.0_60/lib/tools.jar:/usr/java/jdk1.8.0_60/bin/java:/tools/kafka_2.11-0.10.0.0/bin/../libs/aopalliance-repackaged-2.4.0-b34.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/argparse4j-0.5.0.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/connect-api-0.10.0.0.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/connect-file-0.10.0.0.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/connect-json-0.10.0.0.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/connect-runtime-0.10.0.0.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/guava-18.0.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/hk2-api-2.4.0-b34.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/hk2-locator-2.4.0-b34.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/hk2-utils-2.4.0-b34.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/jackson-annotations-2.6.0.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/jackson-core-2.6.3.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/jackson-databind-2.6.3.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/jackson-jaxrs-base-2.6.3.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/jackson-jaxrs-json-provider-2.6.3.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/jackson-module-jaxb-annotations-2.6.3.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/javassist-3.18.2-GA.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/javax.annotation-api-
1.2.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/javax.inject-1.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/javax.inject-2.4.0-b34.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/javax.servlet-api-3.1.0.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/javax.ws.rs-api-2.0.1.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/jersey-client-2.22.2.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/jersey-common-2.22.2.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/jersey-container-servlet-2.22.2.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/jersey-container-servlet-core-2.22.2.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/jersey-guava-2.22.2.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/jersey-media-jaxb-2.22.2.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/jersey-server-2.22.2.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/jetty-continuation-9.2.15.v20160210.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/jetty-http-9.2.15.v20160210.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/jetty-io-9.2.15.v20160210.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/jetty-security-9.2.15.v20160210.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/jetty-server-9.2.15.v20160210.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/jetty-servlet-9.2.15.v20160210.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/jetty-servlets-9.2.15.v20160210.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/jetty-util-9.2.15.v20160210.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/jopt-simple-4.9.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/kafka_2.11-0.10.0.0.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/kafka_2.11-0.10.0.0-sources.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/kafka_2.11-0.10.0.0-test-sources.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/kafka-clients-0.10.0.0.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/kafka-log4j-appender-0.10.0.0.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/kafka-streams-0.10.0.0.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/kafka-streams-examples-0.10.0.0.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/kafka-tools-0.10.0.0.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/log4j-1.2.17.jar:/t
ools/kafka_2.11-0.10.0.0/bin/../libs/lz4-1.3.0.jar:/tools/kafka_2.11-0.10.0.0/bin/../libs/metrics-core-2.2.0.jar:/tools/kafka_2.11-0.10.
My environment:
jdk
java -version
java version "1.8.0_60"
Java(TM) SE Runtime Environment (build 1.8.0_60-b27)
Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode)
System:
[root@weiwei kafka_2.11-0.10.0.0]# uname -a
Linux weiwei 2.6.32-358.el6.x86_64 #1 SMP Fri Feb 22 00:31:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
Address:
[root@weiwei kafka_2.11-0.10.0.0]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:1C:42:E4:B6:1E
inet addr:10.211.55.5 Bcast:10.211.55.255 Mask:255.255.255.0
inet6 addr: fdb2:2c26:f4e4:0:21c:42ff:fee4:b61e/64 Scope:Global
inet6 addr: fe80::21c:42ff:fee4:b61e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:80270 errors:0 dropped:0 overruns:0 frame:0
TX packets:45714 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:37037138 (35.3 MiB) TX bytes:7155183 (6.8 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:40532 errors:0 dropped:0 overruns:0 frame:0
TX packets:40532 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2811173 (2.6 MiB) TX bytes:2811173 (2.6 MiB)
virbr0 Link encap:Ethernet HWaddr 52:54:00:56:6D:C8
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
You are missing the step of replacing the JDK's JCE policy files. The related article is at: https://www.orchome.com/270
Thanks, thanks, that was the problem. JDK 1.8 also needs its original JCE policy files replaced.
For JDK 1.8, do I need to swap in the JCE policy files for 1.8?
Yes, replace them.
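The JCE policy answer above fits the krb5kdc log in the question: the service ticket for zookeeper/10.211.55.5@EXAMPLE.COM was issued with tkt=18 (aes256-cts-hmac-sha1-96), and a JDK 8 build older than 8u161 cannot use a 256-bit AES key without the unlimited-strength policy files, so the ZooKeeper server cannot decrypt that ticket, which is consistent with the "cnxn.saslServer is null" error in its log. The Python script below is an added example, not code from this thread; it parses krb5kdc ISSUE lines and flags every key a JVM in the exchange would have to handle but cannot under the limited policy. The etype table and the 128-bit cap are the Kerberos RFC values and the JDK 8 default policy, and the sample log is the two ISSUE lines from the question.

```python
import re

# Kerberos encryption type numbers (RFC 3961/3962/4757) -> (name, key bits);
# only the types that appear in the krb5kdc log above are listed.
ETYPES = {16: ("des3-cbc-sha1", 168), 17: ("aes128-cts-hmac-sha1-96", 128),
          18: ("aes256-cts-hmac-sha1-96", 256), 23: ("rc4-hmac", 128)}
# JDK 8 builds before 8u161 ship the "limited" crypto policy, which caps AES at 128 bits.
LIMITED_POLICY_MAX_AES_BITS = 128

ISSUE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) .*?ISSUE: .*?etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) "
    r"ses=(?P<ses>\d+)\}, (?P<client>\S+) for (?P<server>\S+)")

# Constructed sample input: the two ISSUE lines from the krb5kdc log in the question.
SAMPLE_KDC_LOG = """\
Jul 24 02:23:23 weiwei krb5kdc[17652](info): AS_REQ (3 etypes {17 16 23}) 10.211.55.5: ISSUE: authtime 1469298203, etypes {rep=17 tkt=18 ses=17}, kafka/10.211.55.5@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jul 24 02:23:23 weiwei krb5kdc[17652](info): TGS_REQ (3 etypes {17 16 23}) 10.211.55.5: ISSUE: authtime 1469298203, etypes {rep=17 tkt=18 ses=17}, kafka/10.211.55.5@EXAMPLE.COM for zookeeper/10.211.55.5@EXAMPLE.COM
"""

def parse_issue(line):
    """Return the ISSUE record of one KDC log line, or None for any other line."""
    m = ISSUE_RE.search(line)
    if m is None:
        return None
    return {"req": m.group("req"), "client": m.group("client"), "server": m.group("server"),
            "rep": int(m.group("rep")), "tkt": int(m.group("tkt")), "ses": int(m.group("ses"))}

def needs_unlimited_policy(etype):
    """True if a JVM can only use this key type with the unlimited JCE policy installed."""
    name, bits = ETYPES.get(etype, ("unknown", 0))
    return name.startswith("aes") and bits > LIMITED_POLICY_MAX_AES_BITS

def audit(log_text):
    """Return (request, role, principal, etype name) for every key a JVM in the exchange
    would have to handle but cannot under the limited policy."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_issue(line)
        if rec is None:
            continue
        # The Java client decrypts the reply (rep) and uses the session key (ses).
        for role in ("rep", "ses"):
            if needs_unlimited_policy(rec[role]):
                findings.append((rec["req"], role, rec["client"], ETYPES[rec[role]][0]))
        # A service ticket (tkt) is decrypted by the Java service owning the principal;
        # a TGT from AS_REQ is decrypted by the KDC itself, so it is not a JVM concern.
        if rec["req"] == "TGS_REQ" and needs_unlimited_policy(rec["tkt"]):
            findings.append((rec["req"], "tkt", rec["server"], ETYPES[rec["tkt"]][0]))
    return findings
```

Run `audit(open("/var/log/krb5kdc.log").read())` against a real KDC log to see which service principals receive tickets the JVM cannot decrypt; an empty result with authentication still failing points elsewhere (keytab contents, principal names, or the JAAS sections).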
org.apache.zookeeper.KeeperException$AuthFailedException: KeeperErrorCode = AuthFailed for /consumers
I have already replaced the JCE files but keep getting this error; I don't know which step went wrong.
Hello, I'd like to ask: in kafka_server_jaas.conf you only configured the ZooKeeper client side. Does the ZooKeeper server side need to be configured too, and if so, where is that usually done? Sorry to bother you.
Hello, I have also replaced the JCE files. My JDK is 1.8_91 and the JCE was downloaded from the official site, but when starting the Kafka server it still reports "no key to store". How did you solve this? Thanks!
You can check the Kerberos-related logs to see whether some accounts have not been created; you need to create those users.
Did you succeed in setting up Kafka security with Kerberos/SASL? My problem above is now solved, but I have a new one: after following the official Kafka ACL documentation and configuring it, the permissions on the topics I created do not take effect. The User and IP settings have no effect when consuming through the console consumer. Please advise, many thanks!
Yes, it worked. If the User and IP permission controls have no effect, check whether the relevant mechanism is enabled: https://www.orchome.com/185
Make sure the JVM environment your consumer uses is not the same one as the server's (since you added Kerberos authentication to that JVM, you already have permissions).
Thank you very much for your reply; this problem has troubled me for a long time. My server.properties configuration in Kafka is as follows:
zookeeper.set.acl=true
############################ sasl plain ##############################
listeners=SASL_PLAINTEXT://test1:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.enabled.mechanisms=GSSAPI
sasl.kerberos.service.name=kafka
zookeeper.sasl.client=zkcli
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:kafka
Also, I did indeed verify on only one server: the Kafka server, consumer and producer were all started on the KDC machine. So should it be like this: I start the Kafka server on test1 with Kerberos authentication configured, set the IP and user in the ACL to those of test2, and then run the consumer on test2? If convenient, could you send me a copy of your Kafka security authentication configuration document? Many thanks, 398939172@qq.com
You're welcome. You need to find another machine and test with a different User. My configuration is actually the same as on the site, nothing special.
OK, I'll try again. One more question: does the User in the ACLs described on the official site refer to a system user in the Linux OS, or to the kafka user in a principal like kafka/test1@HADOOP.COM? I didn't quite understand this concept from the official docs. Thanks!
It's the principal, not the Linux user.
May I ask which accounts need to be created? Also, what does the official Kafka site mean by the Kafka client configuration?
Hello, I have recently run into some problems with Kerberos and would like to ask you for advice. Could you add me on QQ, 501616942, to discuss in detail? Kerberos has really worn me down; I badly want someone to teach me.
You can describe your problem in the questions section, in as much detail as possible, and we will help you.
I have posted a question; hoping for guidance from the experts.
I ran into this problem too.
Hello, I am using JDK 1.7 and have also replaced the JCE, but still get the same error. Is there a way to fix it?
[2017-03-16 19:56:31,670] FATAL Fatal error during KafkaServerStartable startup. Prepare to shutdown (kafka.server.KafkaServerStartable)
org.I0Itec.zkclient.exception.ZkAuthFailedException: Authentication failure
at org.I0Itec.zkclient.ZkClient.waitForKeeperState(ZkClient.java:946)
at org.I0Itec.zkclient.ZkClient.waitUntilConnected(ZkClient.java:923)
at org.I0Itec.zkclient.ZkClient.connect(ZkClient.java:1230)
at org.I0Itec.zkclient.ZkClient.<init>(ZkClient.java:156)
at org.I0Itec.zkclient.ZkClient.<init>(ZkClient.java:130)
at kafka.utils.ZkUtils$.createZkClientAndConnection(ZkUtils.scala:76)
at kafka.utils.ZkUtils$.apply(ZkUtils.scala:58)
at kafka.server.KafkaServer$$anonfun$initZk$2.apply(KafkaServer.scala:318)
at kafka.server.KafkaServer$$anonfun$initZk$2.apply(KafkaServer.scala:316)
at scala.Option.foreach(Option.scala:236)
at kafka.server.KafkaServer.initZk(KafkaServer.scala:316)
at kafka.server.KafkaServer.startup(KafkaServer.scala:200)
at kafka.server.KafkaServerStartable.startup(KafkaServerStartable.scala:39)
at kafka.Kafka$.main(Kafka.scala:67)
at kafka.Kafka.main(Kafka.scala)
https://www.orchome.com/500
These are my installation notes; you can refer to them.
Hello, may I ask whether ZooKeeper in your setup has Kerberos authentication enabled?
Yes.