Kafka Kerberos startup error

落樱留独殇 posted on: 2018-04-14   Last updated: 2018-04-15 22:03:44   4,103 views

After configuring Kerberos for Kafka, startup fails with:

[2018-04-14 15:38:18,296] WARN Client failed to SASL authenticate: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)] (org.apache.zookeeper.server.ZooKeeperServer)
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]
    at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:199)
    at org.apache.zookeeper.server.ZooKeeperSaslServer.evaluateResponse(ZooKeeperSaslServer.java:50)
    at org.apache.zookeeper.server.ZooKeeperServer.processSasl(ZooKeeperServer.java:1035)
    at org.apache.zookeeper.server.ZooKeeperServer.processPacket(ZooKeeperServer.java:1008)
    at org.apache.zookeeper.server.NIOServerCnxn.readRequest(NIOServerCnxn.java:384)
    at org.apache.zookeeper.server.NIOServerCnxn.readPayload(NIOServerCnxn.java:211)
    at org.apache.zookeeper.server.NIOServerCnxn.doIO(NIOServerCnxn.java:255)
    at org.apache.zookeeper.server.NIOServerCnxnFactory.run(NIOServerCnxnFactory.java:203)
    at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:167)
    ... 8 more
Caused by: KrbException: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled
    at sun.security.krb5.EncryptionKey.findKey(EncryptionKey.java:522)
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:273)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
    ... 11 more
[2018-04-14 15:38:18,297] WARN Closing client connection due to SASL authentication failure. (org.apache.zookeeper.server.ZooKeeperServer)
[2018-04-14 15:38:18,297] INFO Closed socket connection for client /10.1.24.216:34138 which had sessionid 0x162c2b3c52e000f (org.apache.zookeeper.server.NIOServerCnxn)
[2018-04-14 15:38:18,297] WARN Exception causing close of session 0x162c2b3c52e000f due to java.nio.channels.CancelledKeyException (org.apache.zookeeper.server.NIOServerCnxn)
[2018-04-14 15:38:18,399] INFO Session: 0x162c2b3c52e000f closed (org.apache.zookeeper.ZooKeeper)
[2018-04-14 15:38:18,399] INFO EventThread shut down for session: 0x162c2b3c52e000f (org.apache.zookeeper.ClientCnxn)
[2018-04-14 15:38:18,400] FATAL Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.I0Itec.zkclient.exception.ZkTimeoutException: Unable to connect to zookeeper server '10.1.24.216:12181' with timeout of 6000 ms
    at org.I0Itec.zkclient.ZkClient.connect(ZkClient.java:1233)
    at org.I0Itec.zkclient.ZkClient.<init>(ZkClient.java:157)
    at org.I0Itec.zkclient.ZkClient.<init>(ZkClient.java:131)
    at kafka.utils.ZkUtils$.createZkClientAndConnection(ZkUtils.scala:103)
    at kafka.utils.ZkUtils$.apply(ZkUtils.scala:85)
    at kafka.server.KafkaServer.initZk(KafkaServer.scala:338)
    at kafka.server.KafkaServer.startup(KafkaServer.scala:191)
    at kafka.server.KafkaServerStartable.startup(KafkaServerStartable.scala:38)
    at kafka.Kafka$.main(Kafka.scala:65)
    at kafka.Kafka.main(Kafka.scala)
[2018-04-14 15:38:18,402] INFO shutting down (kafka.server.KafkaServer)
[2018-04-14 15:38:18,406] INFO shut down completed (kafka.server.KafkaServer)
[2018-04-14 15:38:18,406] FATAL Exiting Kafka. (kafka.server.KafkaServerStartable)
[2018-04-14 15:38:18,408] INFO shutting down (kafka.server.KafkaServer)
[2018-04-14 15:38:27,000] INFO Expiring session 0x162c2b3c52e000f, timeout of 6000ms exceeded (org.apache.zookeeper.server.ZooKeeperServer)
[2018-04-14 15:38:27,000] INFO Processed session termination for sessionid: 0x162c2b3c52e000f (org.apache.zookeeper.server.PrepRequestProcessor)

I replaced the JCE files, but it still reports this error. Help please.

Posted on 2018-04-14

Are the ones you replaced the matching version?

It starts now, but the ACL isn't taking effect: any user that passes Kerberos authentication can produce and consume. Here is the configuration:
# server.properties
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.enabled.mechanisms=GSSAPI
sasl.kerberos.service.name=kafka

anuthorizer.class.name = kafka.security.auth.SimpleAclAuthorizer

super.users=User:kafka/bd-07
allow.everyone.if.no.acl.found=false

super.users was previously kafka; changing it to kafka/bd-07 (the principal in kafka_server_jaas.conf) doesn't seem to make any difference. I ran into this in the test environment as well; at the time I asked this expert about it in the comments under https://www.orchome.com/378, but got no reply. The production deployment followed the same steps and now I've hit the problem again... Hoping for some guidance.

I've never tried naming a user like that; I don't know whether the syntax is accepted.

Problem solved: in anuthorizer.class.name = kafka.security.auth.SimpleAclAuthorizer the word authorizer was misspelled... so careless...
I changed super.users back to kafka, and then found that every user of the form kafka/XXXX@EX.COM can connect without restriction. Is that because super.users is kafka?
The krb5.conf configuration is as follows:

[domain_realm]
kafka = EX.COM
host = EX.COM
zookeeper = EX.COM
127.0.0.1 = EX.COM
10.1.2.46 = EX.COM
bd005 = EX.COM

I'm not sure my understanding is right: is it because the Kerberos realm configuration sets kafka = EX.COM, so users of the form kafka/XXXX@EX.COM are all resolved as, or treated as, super.users?
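As an added example, not code from the thread: a Python model of how Kafka maps a Kerberos principal to the name the ACL authorizer compares against super.users (the sasl.kerberos.principal.to.local.rules setting, whose default rule DEFAULT keeps only the first component of principals in the broker's own realm), so kafka/bd-07@EX.COM and kafka/bd005@EX.COM alike become "kafka". It assumes EX.COM is the default realm, as in the krb5.conf above; the RULE parser is a simplified reimplementation, not Kafka's own code, and the BROKER_ONLY rule is constructed to show how to narrow the super user to one broker principal.

```python
import re

DEFAULT_REALM = "EX.COM"   # assumed default realm, matching the krb5.conf above

# Kafka rule syntax: RULE:[n:fmt](match)s/pattern/replacement/g (match, s/// and g optional)
_RULE = re.compile(
    r"^RULE:\[(\d+):([^\]]+)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")

def short_name(principal, rules=("DEFAULT",), default_realm=DEFAULT_REALM):
    """Apply principal.to.local rules in order; return the short name or None."""
    name, _, realm = principal.partition("@")
    comps = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT: a principal in the default realm keeps only its first component,
            # so every kafka/<host>@EX.COM collapses to "kafka"
            if realm == default_realm:
                return comps[0]
            continue
        m = _RULE.match(rule)
        if not m:
            raise ValueError("bad rule: " + rule)
        n, fmt, match, pat, repl, glob = m.groups()
        if int(n) != len(comps):
            continue
        base = fmt.replace("$0", realm)          # $0 = realm, $1.. = components
        for i, c in enumerate(comps, 1):
            base = base.replace("$%d" % i, c)
        if match and not re.fullmatch(match, base):
            continue
        if pat:
            base = re.sub(pat, repl, base, count=0 if glob else 1)
        return base
    return None

def is_super_user(principal, super_users, rules=("DEFAULT",)):
    """super_users: the server.properties value, e.g. 'User:kafka;User:admin'."""
    allowed = {s.strip() for s in super_users.split(";") if s.strip()}
    name = short_name(principal, rules)
    return name is not None and "User:" + name in allowed

# Constructed rule set: only the real broker principal becomes "kafka-broker";
# everything else still falls through to DEFAULT.
BROKER_ONLY = (
    "RULE:[2:$1/$2@$0](kafka/bd-07@EX\\.COM)s/.*/kafka-broker/",
    "DEFAULT",
)
```

With super.users=User:kafka-broker and BROKER_ONLY, kafka/bd005@EX.COM maps to plain "kafka" and is no longer a super user.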


Are you sure this error is caused by the misspelled ACL class name? From the look of it, this error is caused by a mismatch between the Kerberos encryption type and the encryption types supported by the Java GSSAPI interface.

落樱留独殇 -> 6 years ago

The error above wasn't caused by the misspelled ACL class name; it appeared when I started Kafka after replacing the JCE files, but after I restarted ZooKeeper (the one bundled with Kafka) the problem went away. What the misspelled ACL class name caused was the Kafka ACL not taking effect. This one is a Kerberos authentication problem.
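As an added example, not code from the thread: a small Python diagnostic for the failure quoted at the top. It extracts the rejected encryption type from the log line, checks it against a constructed `klist -e -k -t` listing of the broker keytab, and reports whether the cause is a JVM still running the limited crypto policy (AES keys above 128 bits need the unlimited policy: the JCE policy jars, or crypto.policy=unlimited in java.security on Java 8u151 and later). The JVM's allowed key length is passed in as a parameter; it is what Cipher.getMaxAllowedKeyLength("AES") returns on the JVM that logged the error, which here is ZooKeeper's, not the broker's.

```python
import re

# Constructed samples (not from the thread): the ZooKeeper warning from the log, and
# what `klist -e -k -t /etc/security/keytabs/kafka.keytab` might show on that broker.
LOG_TEXT = ("[2018-04-14 15:38:18,296] WARN Client failed to SASL authenticate: "
            "javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: "
            "Failure unspecified at GSS-API level (Mechanism level: Encryption type "
            "AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]")
KLIST_TEXT = """\
Keytab name: FILE:/etc/security/keytabs/kafka.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------------------
   2 04/14/2018 15:00:12 kafka/bd-07@EX.COM (aes256-cts-hmac-sha1-96)
   2 04/14/2018 15:00:12 kafka/bd-07@EX.COM (aes128-cts-hmac-sha1-96)
"""
JVM_ENCTYPES = {  # JVM display name -> (keytab enctype name, AES key length in bits)
    "AES256 CTS mode with HMAC SHA1-96": ("aes256-cts-hmac-sha1-96", 256),
    "AES128 CTS mode with HMAC SHA1-96": ("aes128-cts-hmac-sha1-96", 128),
}
_ERR = re.compile(r"Encryption type (.+?) is not supported/enabled")
_KEY = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s+\((\S+)\)", re.M)

def failing_enctype(log_text):
    """Enctype named in the first GSS 'not supported/enabled' failure, or None."""
    m = _ERR.search(log_text)
    return m.group(1) if m else None

def keytab_enctypes(klist_text):
    """Principal -> set of enctypes present in `klist -e -k -t` output."""
    out = {}
    for principal, enctype in _KEY.findall(klist_text):
        out.setdefault(principal, set()).add(enctype)
    return out

def diagnose(log_text, klist_text, jvm_max_aes_bits):
    """jvm_max_aes_bits: Cipher.getMaxAllowedKeyLength("AES") on the JVM that logged
    the failure (ZooKeeper's here, which is why a ZooKeeper restart was needed)."""
    name = failing_enctype(log_text)
    if name is None:
        return ("ok", [])
    kt_name, bits = JVM_ENCTYPES.get(name, (name, None))
    holders = sorted(p for p, ts in keytab_enctypes(klist_text).items() if kt_name in ts)
    if bits is not None and bits > jvm_max_aes_bits:
        # The crypto policy is read at JVM start: after fixing java.security or the
        # JCE jars, every affected JVM (Kafka and ZooKeeper alike) must be restarted.
        return ("jce_limited", holders)
    if not holders:
        return ("enctype_not_in_keytab", holders)
    return ("enctype_disabled", holders)   # check the enctype settings in krb5.conf
```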
