
I have successfully set up SASL PLAIN and PLAINTEXT security for Kafka brokers, in the sense that clients cannot consume or produce successfully without providing kafka_client_jaas.conf with valid username and password credentials, due to authentication failure.

However, I cannot do the same for Zookeeper: for example, kafka_topics.sh successfully connects to Zookeeper without KAFKA_OPTS setting java.security.auth.login.config to point to any jaas.conf file. I imagined it would have to point to the same kafka_client_jaas.conf as the console consumers and producers, since there is a Client section defined for authentication to Zookeeper. I added the following three lines to the zookeeper.properties file (I don't know what the third line is used for):

```properties
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl
jaasLoginRenew=3600000
```

I created zookeeper_jaas.conf (defining a Server section) and started Zookeeper with KAFKA_OPTS pointing to it, and added a Client section to kafka_server_jaas.conf so that brokers authenticate properly to Zookeeper, pretty much as described here:

Kafka SASL zookeeper authentication

but I cannot provoke an authentication failure when running kafka_topics.sh, as already mentioned. Where did I go wrong?

OneCricketeer
hdjur_jcv
  • If you provide `KAFKA_OPTS` along with the `kafka-topics`, then it authenticates... I'm not understanding the problem – OneCricketeer Sep 15 '18 at 23:13
  • The problem is that it authenticates somehow also when I unset KAFKA_OPTS in the shell from where I run kafka-topics. – hdjur_jcv Sep 16 '18 at 09:32
  • Hi, I'm having the same problem here. I've configured Zookeeper's Server to Server authentication with SASL and it works, but Client to Server doesn't. Any Zookeeper client can connect to the cluster. – PRF Nov 19 '18 at 19:46

0 Answers