[Kerberos] JAAS module content not generated? javax.security.auth.callback.UnsupportedCallbackException: Could not login: the client is being asked for a password, but the Kafka client code does not currently support obtaining a password from the user.


Hi,

We are using Flink 1.5.3, where the Kafka producer talks to a Kerberized Kafka (Kerberos only, no SSL).

It fails to connect to Kafka with a root exception: javax.security.auth.callback.UnsupportedCallbackException: Could not login: the client is being asked for a password, but the Kafka client code does not currently support obtaining a password from the user.

We have the following configuration for Kerberos in flink-conf.yaml:
# ----------------------------------------------
security.kerberos.login.use-ticket-cache: false
security.kerberos.login.keytab:  /etc/krb5/flink.keytab
security.kerberos.login.principal: kafka/the.host.name@xxxxxxxxxxx
security.kerberos.login.contexts: KafkaClient
# ----------------------------------------------

We use org.apache.flink.streaming.connectors.kafka.FlinkKafkaProducer011 with the following properties for Kerberos:
# ----------------------------------------------
security.protocol=SASL_PLAINTEXT
sasl.kerberos.service.name=kafka
# ----------------------------------------------

From the job/task manager hosts we can log in with the same user that runs the Flink processes, and successfully get a Kerberos ticket:

# ----------------------------------------------
kubectl exec -it <manager> -- /bin/bash
$ kinit kafka/hdp-2641.fyre.ibm.com@xxxxxxxxxxx -k -t /etc/krb5/flink.keytab 
                                                                                   
Done!
New ticket is stored in cache file /opt/flink/krb5cc_bai
$ klist

Credentials cache: /opt/flink/krb5cc_bai
Default principal: kafka/the.host.name@xxxxxxxxxxx
Number of entries: 1

[1] Service principal: krbtgt/EXAMPLE.COM@xxxxxxxxxxx
	Valid starting: Monday, September 10, 2018 at 4:58:29 PM
	Expires: Tuesday, September 11, 2018 at 4:58:29 PM
# ----------------------------------------------

However, when we check the content of the JAAS file generated in /temp, we see no content apart from the comments:

/tmp$ cat jaas-4651713797960840940.conf
/**
################################################################################
#  Licensed to the Apache Software Foundation (ASF) under one
#  or more contributor license agreements.  See the NOTICE file
#  distributed with this work for additional information
#  regarding copyright ownership.  The ASF licenses this file
#  to you under the Apache License, Version 2.0 (the
#  "License"); you may not use this file except in compliance
#  with the License.  You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS,
#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#  See the License for the specific language governing permissions and
# limitations under the License.
################################################################################
# We are using this file as an workaround for the Kafka and ZK SASL implementation
# since they explicitly look for java.security.auth.login.config property
# Please do not edit/delete this file - See FLINK-3929
**/

/tmp$

- Could you confirm that we should have more in the generated JAAS file?
- We strongly suspect the UnsupportedCallbackException is caused by missing content in the generated JAAS file. 

Thanks,

Sebastien Pereira