
I was able to do DIGEST-MD5 authentication with a Kafka broker and the embedded ZooKeeper that ships with Kafka, but I was getting the following error message while doing DIGEST-MD5 authentication with a Kafka broker and a non-embedded ZooKeeper (a separate ZooKeeper instance).

Please find the error message below:

```
[2018-11-05 19:44:21,536] ERROR SASL authentication failed using login context 'Client' with exception: {} (org.apache.zookeeper.client.ZooKeeperSaslClient)

javax.security.sasl.SaslException: Error in authenticating with a Zookeeper Quorum member: the quorum member's saslToken is null.

org.apache.zookeeper.KeeperException$AuthFailedException: KeeperErrorCode = AuthFailed for /consumers
```

Giorgos Myrianthous
Ashok Kuramdasu

1 Answer


What do your JAAS files look like?

For a ZooKeeper cluster, you must have three sections in the ZooKeeper JAAS file: Server, QuorumServer and QuorumLearner.

The QuorumServer and QuorumLearner sections are used to authenticate ZooKeeper servers to each other. See an example configuration here, in §DIGEST-MD5 based authentication.

The Server section is used to authenticate Kafka brokers. It should contain the Kafka username and password, formatted as shown here in §Server Configuration / JAAS configuration file: DIGEST-MD5 authentication.

Your Kafka JAAS file should have a Client section with a username and a password, as shown here in §Client Configuration / JAAS configuration file: DIGEST-MD5 authentication.

Finally, check that you are using the correct environment variable for the ZooKeeper JAAS file:

```
SERVER_JVMFLAGS="-Djava.security.auth.login.config=/path/to/server/jaas/file.conf"
```

Embedded ZooKeeper uses `KAFKA_OPTS`.

Gery
  • Now I have enabled authorization, and while creating a topic I am getting the error, i.e., Error while executing topic command : KeeperErrorCode = NoAuth for /config/topics/test ERROR org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /config/topics/test – Ashok Kuramdasu Nov 06 '18 at 15:31
  • Seems good, you don't have access to your topic; you can now play with [acl](https://kafka.apache.org/documentation/#security_authz). You will have to do `export KAFKA_OPTS="-Djava.security.auth.login.config=admin_jaas.conf"` with a JAAS file containing a Client section before using kafka-acls.sh – Gery Nov 07 '18 at 10:18
  • I have done the same thing and it's working fine. If I use two zookeepers, what problems will I get? – Ashok Kuramdasu Nov 07 '18 at 10:49
  • Apart from needing an [odd number of zookeeper](http://zookeeper.apache.org/doc/current/zookeeperAdmin.html#sc_zkMulitServerSetup), it should work. – Gery Nov 07 '18 at 11:27
  • OK, thanks. As per the documentation, I have set up a zookeeper cluster with 3 nodes. If, for example, one zookeeper node goes down, what will happen for read and write cases? – Ashok Kuramdasu Nov 07 '18 at 12:06
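
The JAAS layout described in the answer above, as an added example that is not part of the original answer or comments: it embeds a constructed ZooKeeper JAAS file (Server, QuorumServer, QuorumLearner) and a constructed Kafka JAAS file (Client), then checks that each login section has a matching `user_<name>` entry on the accepting side. The usernames, passwords and the helper names `parse_jaas` and `check` are assumptions made for illustration; the parser handles only simple one-module sections.

```python
import re

# Constructed sample files: section names follow the answer, credentials are placeholders.
ZK_JAAS = '''
Server {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_kafka="kafka-secret";
};
QuorumServer {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_zkquorum="quorum-secret";
};
QuorumLearner {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    username="zkquorum"
    password="quorum-secret";
};
'''
KAFKA_JAAS = '''
Client {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    username="kafka"
    password="kafka-secret";
};
'''

def parse_jaas(text):
    """Return {section: {option: value}} for a simple single-module JAAS file."""
    sections = {}
    for name, body in re.findall(r'(\w+)\s*\{(.*?)\}\s*;', text, re.S):
        sections[name] = dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', body))
    return sections

def check(zk_text, kafka_text):
    """List mismatches that would make DIGEST-MD5 logins against ZooKeeper fail."""
    zk, kafka = parse_jaas(zk_text), parse_jaas(kafka_text)
    problems = [f"zookeeper JAAS: missing {s} section"
                for s in ("Server", "QuorumServer", "QuorumLearner") if s not in zk]
    if "Client" not in kafka:
        problems.append("kafka JAAS: missing Client section")
    # Each login section must match a user_<name>="<password>" entry on the accepting side.
    for label, login, acceptor in (("Client", kafka.get("Client"), "Server"),
                                   ("QuorumLearner", zk.get("QuorumLearner"), "QuorumServer")):
        if login is None:
            continue
        user = login.get("username")
        if not user or zk.get(acceptor, {}).get(f"user_{user}") != login.get("password"):
            problems.append(f"{label}: '{user}' has no matching user_ entry in {acceptor}")
    return problems
```

Calling `check(ZK_JAAS, KAFKA_JAAS)` returns an empty list for the sample files; the messages it produces name the section and username but never echo a password.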