
When specifying a DNS alias in bootstrap.servers, the Java client API doesn't resolve all the CNAMEs behind it.

This breaks Kerberos-based SASL authentication, and therefore clients are unable to connect to a secured cluster.

Using an alias in bootstrap.servers along with SASL auth results in the following error:

javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]) occurred when evaluating SASL token received from the Kafka Broker. Kafka Client will go to AUTH_FAILED state. [Caused by javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]]

This is due to the following:

  • When using SASL/Kerberos authentication, the kafka server principal is of the form kafka@kafka/broker1.hostname.com@EXAMPLE.COM
  • Kerberos requires that the hosts can be resolved by their FQDNs.
  • During the SASL handshake, the client creates a SASL token and then sends it to Kafka for auth.
    But to create a SASL token, the client first needs to be able to validate that the broker's Kerberos principal is a valid one.

The kafka server principal is using an alias.
The details are specified in the JIRA, but it boils down to the kafka server principal not matching the hostname referenced by the client: the SaslAuthenticator compares the alias' FQDN with the kafka broker hostname.
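The mismatch above can be reproduced offline. The following is an added example, not code from the KIP or from the Kafka client: it models a constructed DNS zone in which the alias kafka.example.com fronts two brokers via a CNAME and two A records, and compares the service principal a client derives when it uses the bootstrap host as given (the behaviour the KIP describes) with the principals it would derive after following the CNAME chain and reverse-resolving each address to its canonical FQDN (what Java's InetAddress.getCanonicalHostName() does). The realm EXAMPLE.COM, the hostnames and the addresses are assumptions for the example; the keytab principal set stands in for what the KDC actually holds.

```python
"""Added example (not part of the KIP): model why a DNS alias in
bootstrap.servers yields 'No service creds' under SASL/GSSAPI."""

# Constructed DNS zone for the example (assumption, not real infrastructure):
# an alias with a CNAME to a pool name carrying two A records, plus PTR
# records so each address reverse-resolves to the broker's canonical FQDN.
RECORDS = {
    "kafka.example.com":      [("CNAME", "kafka-pool.example.com")],
    "kafka-pool.example.com": [("A", "10.0.0.11"), ("A", "10.0.0.12")],
    "broker1.hostname.com":   [("A", "10.0.0.11")],
    "broker2.hostname.com":   [("A", "10.0.0.12")],
    "11.0.0.10.in-addr.arpa": [("PTR", "broker1.hostname.com")],
    "12.0.0.10.in-addr.arpa": [("PTR", "broker2.hostname.com")],
}

# Principals the brokers actually hold in their keytabs (assumed for the example).
BROKER_KEYTAB_PRINCIPALS = {
    "kafka/broker1.hostname.com@EXAMPLE.COM",
    "kafka/broker2.hostname.com@EXAMPLE.COM",
}


def resolve_addresses(name, records=RECORDS, max_hops=8):
    """Follow the CNAME chain from `name` until A records are found.

    Guards against CNAME loops and over-long chains, which a real resolver
    also rejects, and returns the addresses in zone order.
    """
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        rrs = records.get(name, [])
        cnames = [v for t, v in rrs if t == "CNAME"]
        if cnames:
            name = cnames[0]
            continue
        return [v for t, v in rrs if t == "A"]
    raise ValueError(f"CNAME chain from {name} exceeds {max_hops} hops")


def canonical_hostname(ip, records=RECORDS):
    """Reverse-resolve an IPv4 address to its PTR name (canonical FQDN).

    Falls back to the literal address when no PTR exists, which is also what a
    Java client would end up presenting as the hostname.
    """
    rev = ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
    ptrs = [v for t, v in records.get(rev, []) if t == "PTR"]
    return ptrs[0] if ptrs else ip


def service_principal(host, realm, service="kafka"):
    """Build the Kerberos service principal the client will ask the KDC for."""
    return f"{service}/{host}@{realm}"


def principals_client_requests(bootstrap_host, realm, resolve_canonical):
    """Service principals a client derives from one bootstrap.servers entry.

    resolve_canonical=False mirrors the behaviour the KIP describes: the alias
    is used verbatim as the service host. resolve_canonical=True follows the
    CNAMEs and reverse-resolves each address to the broker's own FQDN.
    """
    if not resolve_canonical:
        return [service_principal(bootstrap_host, realm)]
    return [service_principal(canonical_hostname(ip), realm)
            for ip in resolve_addresses(bootstrap_host)]


def diagnose(bootstrap_host, realm, keytab_principals):
    """Check both derivations against the principals the brokers hold.

    Any principal in `missing` is one the KDC cannot issue a service ticket
    for, which surfaces on the client as 'Fail to create credential. (63) -
    No service creds'.
    """
    result = {}
    for label, canonical in (("alias_as_given", False),
                             ("resolved_canonical", True)):
        wanted = principals_client_requests(bootstrap_host, realm, canonical)
        missing = [p for p in wanted if p not in keytab_principals]
        result[label] = {"requested": wanted, "missing": missing}
    return result


if __name__ == "__main__":
    for label, r in diagnose("kafka.example.com", "EXAMPLE.COM",
                             BROKER_KEYTAB_PRINCIPALS).items():
        status = "OK" if not r["missing"] else f"MISSING {r['missing']}"
        print(f"{label}: requested {r['requested']} -> {status}")
```

Running it shows the alias-as-given derivation asking for kafka/kafka.example.com@EXAMPLE.COM, which no broker keytab holds, while the canonical derivation asks for exactly the per-broker principals. The same check is a useful pre-flight test on a real deployment: derive the principal the client will request for each bootstrap entry and confirm it exists in the KDC before enabling SASL. Kafka later added the client option client.dns.lookup=resolve_canonical_bootstrap_servers_only for exactly this canonical resolution; that option is not shown in this excerpt.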
