Environment Information
- OS: Ubuntu
- Node Version: 10.18.1
- NPM Version: 6.13.4
- C++ Toolchain: g++
- node-rdkafka version: 2.8.1
I am trying to consume messages from an enterprise Kafka cluster using the node-rdkafka library. The cluster is secured with SASL_SSL and Kerberos. Since Kerberos authentication with a keytab is not supported on Windows, I am directly testing on PCF (cloud) containers.
Here is my Kafka consumer client configuration:
const Kafka = require("node-rdkafka");

const consumer = new Kafka.KafkaConsumer({
  "group.id": "groupname",
  "auto.offset.reset": "earliest",
  // Kerberos (GSSAPI) over TLS
  "security.protocol": "sasl_ssl",
  "sasl.mechanism": "GSSAPI",
  "sasl.kerberos.service.name": "kafka",
  "sasl.kerberos.principal": "svc_npsvcdprocpcfnp@MYDOMAIN.COM",
  "sasl.kerberos.keytab": "svc_npsvcdprocpcfnp.keytab",
  // Command librdkafka runs to obtain and refresh the Kerberos ticket
  "sasl.kerberos.kinit.cmd": "kinit -V -k -t svc_npsvcdprocpcfnp.keytab svc_npsvcdprocpcfnp@MYDOMAIN.COM",
  // CA bundle used to verify the broker certificates
  "ssl.ca.location": "ca.PEM",
  "metadata.broker.list": "mykafkaserver.com:9093,mykafkaserver.com:9093,mykafkaserver.com:9093,mykafkaserver.com:9093",
  "enable.auto.commit": true,
  // Emit security (TLS/SASL) debug log events
  "debug": "security"
}, {});
Even without the custom kinit.cmd command it fails. Our company's recommended Kafka client configuration provided that command. Here are the security logs:
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:app]: Selected provider Cyrus for SASL mechanism GSSAPI"
}
{
"severity": 7,
"fac": "SASLREFRESH",
"message": "[thrd:app]: Refreshing Kerberos ticket with command: kinit -V -k -t svc_npsvcdprocpcfnp.keytab svc_npsvcdprocpcfnp@MYDOMAIN.COM"
}
{
"severity": 7,
"fac": "SASLREFRESH",
"message": "[thrd:app]: Kerberos ticket refreshed in 416ms"
}
{
"severity": 7,
"fac": "OPENSSL",
"message": "[thrd:app]: Using OpenSSL version OpenSSL 1.1.1d 10 Sep 2019 (0x1010104f, librdkafka built with 0x1010100f)"
}
{
"severity": 7,
"fac": "SSL",
"message": "[thrd:app]: Loading CA certificate(s) from file ca.PEM"
}
{
"severity": 7,
"fac": "INIT",
"message": "[thrd:app]: librdkafka v1.3.0 (0x10300ff) rdkafka#consumer-1 initialized (builtin.features gzip,snappy,ssl,sasl,regex,lz4,sasl_gssapi,sasl_plain,sasl_scram,plugins,sasl_oauthbearer, GCC GXX PKGCONFIG INSTALL GNULD LDS LIBDL PLUGINS ZLIB SSL SASL_CYRUS HDRHISTOGRAM SNAPPY SOCKEM SASL_SCRAM SASL_OAUTHBEARER CRC32C_HW, debug 0x200)"
}
{
"severity": 7,
"fac": "SSLVERIFY",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: Broker SSL certificate verified"
}
{
"severity": 7,
"fac": "AUTH",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: Auth in state APIVERSION_QUERY (handshake supported)"
}
{
"severity": 7,
"fac": "SASLMECHS",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: Broker supported SASL mechanisms: GSSAPI"
}
{
"severity": 7,
"fac": "AUTH",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: Auth in state AUTH_HANDSHAKE (handshake supported)"
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: Initializing SASL client: service name kafka, hostname mykafkaserver.com, mechanisms GSSAPI, provider Cyrus"
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: My supported SASL mechanisms: GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 GSS-SPNEGO GSSAPI DIGEST-MD5 EXTERNAL NTLM CRAM-MD5 PLAIN LOGIN ANONYMOUS"
}
{
"severity": 5,
"fac": "LIBSASL",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: GSSAPI client step 1"
}
{
"severity": 7,
"fac": "SSLVERIFY",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: Broker SSL certificate verified"
}
{
"severity": 7,
"fac": "AUTH",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: Auth in state APIVERSION_QUERY (handshake supported)"
}
{
"severity": 7,
"fac": "SASLMECHS",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: Broker supported SASL mechanisms: GSSAPI"
}
{
"severity": 7,
"fac": "AUTH",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: Auth in state AUTH_HANDSHAKE (handshake supported)"
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: Initializing SASL client: service name kafka, hostname mykafkaserver.com, mechanisms GSSAPI, provider Cyrus"
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: My supported SASL mechanisms: GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 GSS-SPNEGO GSSAPI DIGEST-MD5 EXTERNAL NTLM CRAM-MD5 PLAIN LOGIN ANONYMOUS"
}
{
"severity": 5,
"fac": "LIBSASL",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: GSSAPI client step 1"
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: Send SASL Kafka frame to broker (2492 bytes)"
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: Send SASL Kafka frame to broker (2492 bytes)"
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: Received SASL frame from broker (104 bytes)"
}
{
"severity": 5,
"fac": "LIBSASL",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: GSSAPI client step 1"
}
{
"severity": 7,
"fac": "LIBSASL",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: CB_CANON: flags 0x3, "svc_npsvcdprocpcfnp@MYDOMAIN.COM" @ "(null)": returning "svc_npsvcdprocpcfnp@MYDOMAIN.COM""
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: Send SASL Kafka frame to broker (0 bytes)"
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: Received SASL frame from broker (50 bytes)"
}
{
"severity": 5,
"fac": "LIBSASL",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: GSSAPI client step 2"
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: Send SASL Kafka frame to broker (50 bytes)"
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: GSSAPI authentication complete but awaiting final response from broker"
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: Received SASL frame from broker (0 bytes)"
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: Authenticated as svc_npsvcdprocpcfnp@MYDOMAIN.COM using GSSAPI (gssapiv2)"
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: Received SASL frame from broker (104 bytes)"
}
{
"severity": 5,
"fac": "LIBSASL",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: GSSAPI client step 1"
}
{
"severity": 7,
"fac": "LIBSASL",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: CB_CANON: flags 0x3, "svc_npsvcdprocpcfnp@MYDOMAIN.COM" @ "(null)": returning "svc_npsvcdprocpcfnp@MYDOMAIN.COM""
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: Send SASL Kafka frame to broker (0 bytes)"
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: Received SASL frame from broker (50 bytes)"
}
{
"severity": 5,
"fac": "LIBSASL",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: GSSAPI client step 2"
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: Send SASL Kafka frame to broker (50 bytes)"
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: GSSAPI authentication complete but awaiting final response from broker"
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: Received SASL frame from broker (0 bytes)"
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:sasl_ssl://mykafkaserver.com:9093/bootstrap]: sasl_ssl://mykafkaserver.com:9093/bootstrap: Authenticated as svc_npsvcdprocpcfnp@MYDOMAIN.COM using GSSAPI (gssapiv2)"
}
{
"severity": 7,
"fac": "SSLVERIFY",
"message": "[thrd:GroupCoordinator]: GroupCoordinator/24: Broker SSL certificate verified"
}
{
"severity": 7,
"fac": "AUTH",
"message": "[thrd:GroupCoordinator]: GroupCoordinator/24: Auth in state APIVERSION_QUERY (handshake supported)"
}
{
"severity": 7,
"fac": "SASLMECHS",
"message": "[thrd:GroupCoordinator]: GroupCoordinator/24: Broker supported SASL mechanisms: GSSAPI"
}
{
"severity": 7,
"fac": "AUTH",
"message": "[thrd:GroupCoordinator]: GroupCoordinator/24: Auth in state AUTH_HANDSHAKE (handshake supported)"
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:GroupCoordinator]: GroupCoordinator/24: Initializing SASL client: service name kafka, hostname mykafkaserver.com, mechanisms GSSAPI, provider Cyrus"
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:GroupCoordinator]: GroupCoordinator/24: My supported SASL mechanisms: GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 GSS-SPNEGO GSSAPI DIGEST-MD5 EXTERNAL NTLM CRAM-MD5 PLAIN LOGIN ANONYMOUS"
}
{
"severity": 5,
"fac": "LIBSASL",
"message": "[thrd:GroupCoordinator]: GroupCoordinator/24: GSSAPI client step 1"
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:GroupCoordinator]: GroupCoordinator/24: Send SASL Kafka frame to broker (2492 bytes)"
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:GroupCoordinator]: GroupCoordinator/24: Received SASL frame from broker (104 bytes)"
}
{
"severity": 5,
"fac": "LIBSASL",
"message": "[thrd:GroupCoordinator]: GroupCoordinator/24: GSSAPI client step 1"
}
{
"severity": 7,
"fac": "LIBSASL",
"message": "[thrd:GroupCoordinator]: GroupCoordinator/24: CB_CANON: flags 0x3, 'svc_npsvcdprocpcfnp@MYDOMAIN.COM' @ "(null)": returning "svc_npsvcdprocpcfnp@MYDOMAIN.COM""
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:GroupCoordinator]: GroupCoordinator/24: Send SASL Kafka frame to broker (0 bytes)"
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:GroupCoordinator]: GroupCoordinator/24: Received SASL frame from broker (50 bytes)"
}
{
"severity": 5,
"fac": "LIBSASL",
"message": "[thrd:GroupCoordinator]: GroupCoordinator/24: GSSAPI client step 2"
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:GroupCoordinator]: GroupCoordinator/24: Send SASL Kafka frame to broker (50 bytes)"
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:GroupCoordinator]: GroupCoordinator/24: GSSAPI authentication complete but awaiting final response from broker"
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:GroupCoordinator]: GroupCoordinator/24: Received SASL frame from broker (0 bytes)"
}
{
"severity": 7,
"fac": "SASL",
"message": "[thrd:GroupCoordinator]: GroupCoordinator/24: Authenticated as svc_npsvcdprocpcfnp@MYDOMAIN.COM using GSSAPI (gssapiv2)"
}
{
"severity": 7,
"fac": "DESTROY",
"message": "[thrd:app]: Terminating instance (destroy flags none (0x0))"
}
{
"severity": 7,
"fac": "DESTROY",
"message": "[thrd:main]: Destroy internal"
}
{
"severity": 7,
"fac": "DESTROY",
"message": "[thrd:main]: Removing all topics"
}
Hopefully the logs help. I have also raised a GitHub issue on the library.
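
An added example, not part of the original post and not code from node-rdkafka: a triage function that reduces `debug: security` events like those above to the furthest authentication stage reached per librdkafka thread, and records which thread terminated the client. The sample events are constructed, with a placeholder host and principal, and assume the `{severity, fac, message}` shape shown in the post.

```javascript
// Added example: summarize librdkafka "debug: security" events per thread.
// Events are constructed (placeholder host/principal) and reuse only message
// shapes that appear in the post's log.
const B = "sasl_ssl://broker.example:9093/bootstrap";
const sampleEvents = [
  { severity: 7, fac: "SASLREFRESH", message: "[thrd:app]: Kerberos ticket refreshed in 416ms" },
  { severity: 7, fac: "SSLVERIFY", message: `[thrd:${B}]: ${B}: Broker SSL certificate verified` },
  { severity: 7, fac: "AUTH", message: `[thrd:${B}]: ${B}: Auth in state AUTH_HANDSHAKE (handshake supported)` },
  { severity: 7, fac: "SSLVERIFY", message: "[thrd:GroupCoordinator]: GroupCoordinator/24: Broker SSL certificate verified" },
  { severity: 5, fac: "LIBSASL", message: "[thrd:GroupCoordinator]: GroupCoordinator/24: GSSAPI client step 1" },
  { severity: 7, fac: "SASL", message: "[thrd:GroupCoordinator]: GroupCoordinator/24: Authenticated as svc_example@EXAMPLE.COM using GSSAPI (gssapiv2)" },
  { severity: 7, fac: "DESTROY", message: "[thrd:app]: Terminating instance (destroy flags none (0x0))" },
];

// Ordered stages of one broker connection, earliest first.
const STAGES = ["tls_verified", "handshake", "sasl_exchange", "authenticated"];

function stageOf(fac, text) {
  if (fac === "SSLVERIFY" && text.includes("certificate verified")) return "tls_verified";
  if (fac === "AUTH" && text.includes("Auth in state")) return "handshake";
  if (fac === "LIBSASL" && text.includes("GSSAPI client step")) return "sasl_exchange";
  if (fac === "SASL" && /Authenticated as \S+ using /.test(text)) return "authenticated";
  return null;
}

function summarizeSecurityLog(events) {
  const summary = { ticketRefreshed: false, connections: {}, problems: [], terminatedBy: null };
  for (const { severity, fac, message } of events) {
    const m = /^\[thrd:([^\]]+)\]: (.*)$/.exec(message);
    if (!m) continue;
    const [, thread, text] = m;
    // librdkafka uses syslog levels: 4 = warning, 3 = error, lower = worse.
    if (severity <= 4) summary.problems.push(`${fac}: ${text}`);
    if (fac === "SASLREFRESH" && text.includes("ticket refreshed")) summary.ticketRefreshed = true;
    if (fac === "DESTROY" && text.startsWith("Terminating instance")) summary.terminatedBy = thread;
    const stage = stageOf(fac, text);
    if (!stage) continue;
    const conn = summary.connections[thread] =
      summary.connections[thread] || { stage: null, principal: null };
    // Keep only the furthest stage seen on this thread.
    if (STAGES.indexOf(stage) > STAGES.indexOf(conn.stage)) conn.stage = stage;
    const auth = /Authenticated as (\S+) using /.exec(text);
    if (auth) conn.principal = auth[1];
  }
  return summary;
}

console.log(JSON.stringify(summarizeSecurityLog(sampleEvents), null, 2));
```

The same function can be fed from the client's `event.log` handler by collecting each event object into an array before summarizing.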