kerberos+acl 发送或消费数据时报LEADER_NOT_AVAILABLE

/kf帅帅他爹 发表于: 2017-03-09   最后更新时间: 2017-03-09 11:17:49   8,103 游览

kafka和zk配置了kerberos认证,然后也添加了acl,但在用producer或consumer发送、消费数据时程序报LEADER_NOT_AVAILABLE的错误,查看了server.log和kafka-authorizer.log没发现异常,相关授权是通过的;又查看了topic的状态,leader是好的,没有异常,处在isr列表中,实在是搞不懂为什么会报leader不能用

发表于 2017-03-09
添加评论

我也遇到这个问题了,后来参考 https://blog.csdn.net/ahzsg1314/article/details/54140909 ,发现没有在broker之间设置ACL访问权限;然后给每一个broker设置一个超级用户就可以了。

sasl.kerberos.service.name=kafka
super.users=User:kafka

升级zookeeper到3.4.9。

我目前的zk版本是3.4.6,前面有一天是可以的,可以的这个情况出现的也很偶然,是我将kafka的日志级别调整为debug后,重启kafka就突然可以了
但第二天将zk和kafka重启后就又不行了,我先试试升级一下zk吧

升级到3.4.9后连acl都加不了了,直接报:

Error while executing ACL command: org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /kafka-acl/Topic
org.I0Itec.zkclient.exception.ZkException: org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /kafka-acl/Topic
    at org.I0Itec.zkclient.exception.ZkException.create(ZkException.java:68)
    at org.I0Itec.zkclient.ZkClient.retryUntilConnected(ZkClient.java:1000)
    at org.I0Itec.zkclient.ZkClient.create(ZkClient.java:527)
    at org.I0Itec.zkclient.ZkClient.createPersistent(ZkClient.java:293)
    at kafka.utils.ZkPath$.createPersistent(ZkUtils.scala:965)
    at kafka.utils.ZkUtils.createParentPath(ZkUtils.scala:437)
    at kafka.utils.ZkUtils.createPersistentPath(ZkUtils.scala:488)
    at kafka.security.auth.SimpleAclAuthorizer.updatePath(SimpleAclAuthorizer.scala:322)
    at kafka.security.auth.SimpleAclAuthorizer.kafka$security$auth$SimpleAclAuthorizer$$updateResourceAcls(SimpleAclAuthorizer.scala:279)
    at kafka.security.auth.SimpleAclAuthorizer$$anonfun$addAcls$1.apply$mcZ$sp(SimpleAclAuthorizer.scala:178)
    at kafka.security.auth.SimpleAclAuthorizer$$anonfun$addAcls$1.apply(SimpleAclAuthorizer.scala:178)
    at kafka.security.auth.SimpleAclAuthorizer$$anonfun$addAcls$1.apply(SimpleAclAuthorizer.scala:178)
    at kafka.utils.CoreUtils$.inLock(CoreUtils.scala:234)
    at kafka.utils.CoreUtils$.inWriteLock(CoreUtils.scala:242)
    at kafka.security.auth.SimpleAclAuthorizer.addAcls(SimpleAclAuthorizer.scala:177)
    at kafka.admin.AclCommand$$anonfun$addAcl$1$$anonfun$apply$3.apply(AclCommand.scala:89)
    at kafka.admin.AclCommand$$anonfun$addAcl$1$$anonfun$apply$3.apply(AclCommand.scala:86)
    at scala.collection.TraversableLike$WithFilter$$anonfun$foreach$1.apply(TraversableLike.scala:733)
    at scala.collection.immutable.Map$Map2.foreach(Map.scala:137)
    at scala.collection.TraversableLike$WithFilter.foreach(TraversableLike.scala:732)
    at kafka.admin.AclCommand$$anonfun$addAcl$1.apply(AclCommand.scala:86)
    at kafka.admin.AclCommand$$anonfun$addAcl$1.apply(AclCommand.scala:80)
    at kafka.admin.AclCommand$.withAuthorizer(AclCommand.scala:74)
    at kafka.admin.AclCommand$.addAcl(AclCommand.scala:80)
    at kafka.admin.AclCommand$.main(AclCommand.scala:48)
    at kafka.admin.AclCommand.main(AclCommand.scala)
Caused by: org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /kafka-acl/Topic
    at org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
    at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
    at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783)
    at org.I0Itec.zkclient.ZkConnection.create(ZkConnection.java:99)
    at org.I0Itec.zkclient.ZkClient$3.call(ZkClient.java:530)
    at org.I0Itec.zkclient.ZkClient$3.call(ZkClient.java:527)
    at org.I0Itec.zkclient.ZkClient.retryUntilConnected(ZkClient.java:990)
    ... 24 more

查了zk的日志,报很多结点没有,很奇怪啊,集群都是正常的:

2017-03-10 15:27:33,735 [myid:] - INFO  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:SaslServerCallbackHandler@118] - Successfully authenticated client: authenticationID=kafka/tzcdh103@TEST;  authorizationID=kafka/tzcdh103@TEST.
2017-03-10 15:27:33,735 [myid:] - INFO  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:SaslServerCallbackHandler@134] - Setting authorizedID: kafka/tzcdh103@TEST
2017-03-10 15:27:33,736 [myid:] - INFO  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@1024] - adding SASL authorization for authorizationID: kafka/tzcdh103@TEST
2017-03-10 15:27:35,674 [myid:] - INFO  [ProcessThread(sid:0 cport:2181)::PrepRequestProcessor@649] - Got user-level KeeperException when processing sessionid:0x15ab6febb5e0009 type:delete cxid:0x2e zxid:0x40 txntype:-1 reqpath:n/a Error Path:/admin/preferred_replica_election Error:KeeperErrorCode = NoNode for /admin/preferred_replica_election
2017-03-10 15:27:35,734 [myid:] - INFO  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory@192] - Accepted socket connection from /192.168.103.103:15321
2017-03-10 15:27:35,737 [myid:] - INFO  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@928] - Client attempting to establish new session at /192.168.103.103:15321
2017-03-10 15:27:35,738 [myid:] - INFO  [SyncThread:0:ZooKeeperServer@673] - Established session 0x15ab6febb5e000a with negotiated timeout 6000 for client /192.168.103.103:15321
2017-03-10 15:27:35,756 [myid:] - INFO  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:SaslServerCallbackHandler@118] - Successfully authenticated client: authenticationID=kafka/tzcdh103@TEST;  authorizationID=kafka/tzcdh103@TEST.
2017-03-10 15:27:35,756 [myid:] - INFO  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:SaslServerCallbackHandler@134] - Setting authorizedID: kafka/tzcdh103@TEST
2017-03-10 15:27:35,756 [myid:] - INFO  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@1024] - adding SASL authorization for authorizationID: kafka/tzcdh103@TEST
2017-03-10 15:27:35,875 [myid:] - INFO  [ProcessThread(sid:0 cport:2181)::PrepRequestProcessor@649] - Got user-level KeeperException when processing sessionid:0x15ab6febb5e0009 type:create cxid:0x3a zxid:0x42 txntype:-1 reqpath:n/a Error Path:/brokers Error:KeeperErrorCode = NodeExists for /brokers
2017-03-10 15:27:35,875 [myid:] - INFO  [ProcessThread(sid:0 cport:2181)::PrepRequestProcessor@649] - Got user-level KeeperException when processing sessionid:0x15ab6febb5e0009 type:create cxid:0x3b zxid:0x43 txntype:-1 reqpath:n/a Error Path:/brokers/ids Error:KeeperErrorCode = NodeExists for /brokers/ids

之前遇到过一次,重启后会不正常,最后查出来是zookeeper版本低。
现象是第一次是ok的,之后重启后就不正常了,无限的刷LEADER_NOT_AVAILABLE。

你的答案

查看kafka相关的其他问题或提一个您自己的问题