Я использую Kafka и zookeeper в Kubernetes, и когда я включил аутентификацию SASL, Kafka подключается к zookeeper и закрывает сеанс, как только он получает тот, который, в свою очередь, приводит к выходу контейнера, когда Kafka закрывается.
Как примечание, все работало нормально, когда PLAINTEXT был единственным используемым слушателем, но нам требуется аутентификация.
Я тестировал локально с неконтейнерной версией Kafka и Zookeeper, и это работало, как и ожидалось, с этой конфигурацией:
Конфигурация без контейнера
sasl.enabled.mechanisms=SCRAM-SHA-256
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256
listeners=INTERNAL://localhost:9092
advertised.listeners=INTERNAL://localhost:9092
listener.security.protocol.map=INTERNAL:SASL_PLAINTEXT
inter.broker.listener.name=INTERNAL
Конфигурация контейнера:
advertised.listeners: |-
INTERNAL://${POD_IP}:9092
listener.security.protocol.map: |-
INTERNAL:SASL_PLAINTEXT
inter.broker.listener.name: INTERNAL
sasl.enabled.mechanisms: SCRAM-SHA-256
sasl.mechanism.inter.broker.protocol: SCRAM-SHA-256
security.inter.broker.protocol: SASL_PLAINTEXT
Контейнерные журналы:
[main] INFO org.apache.zookeeper.ZooKeeper - Initiating client connection, connectString=zookeeper:2181 sessionTimeout=40000 watcher=io.confluent.admin.utils.ZookeeperConnectionWatcher@4edde6e5
[main-SendThread(zookeeper:2181)] WARN org.apache.zookeeper.ClientCnxn - SASL configuration failed: javax.security.auth.login.LoginException: No JAAS configuration section named 'Client' was found in specified JAAS configuration file: '/etc/jaas/kafka_server_jaas.conf'. Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it.
[main-SendThread(zookeeper:2181)] INFO org.apache.zookeeper.ClientCnxn - Opening socket connection to server zookeeper/100.70.125.109:2181
[main] ERROR io.confluent.admin.utils.ClusterStatus - Error occurred while connecting to Zookeeper server[zookeeper:2181]. Authentication failed.
[main-SendThread(zookeeper:2181)] INFO org.apache.zookeeper.ClientCnxn - Socket connection established to zookeeper/100.70.125.109:2181, initiating session
[main-SendThread(zookeeper:2181)] INFO org.apache.zookeeper.ClientCnxn - Session establishment complete on server zookeeper/100.70.125.109:2181, sessionid = 0x265d7206f920000, negotiated timeout = 40000
[main] INFO org.apache.zookeeper.ZooKeeper - Session: 0x265d7206f920001 closed
[main-EventThread] INFO org.apache.zookeeper.ClientCnxn - EventThread shut down for session: 0x265d7206f920001
Я думал, что эта строка может быть проблемой
[main] ERROR io.confluent.admin.utils.ClusterStatus - Error occurred while connecting to Zookeeper server[zookeeper:2181]. Authentication failed.
Но речь идет о создании успешного соединения с Zookeeper (у Zookeeper нет аутентификации). Эта строка также присутствует в неконтейнерной установке Kafka, которая работает локально:
неконтейнерные журналы (рабочие):
[2018-09-14 08:59:00,519] INFO Initiating client connection, connectString=localhost:2181 sessionTimeout=6000 watcher=kafka.zookeeper.ZooKeeperClient$ZooKeeperClientWatcher$@10e92f8f (org.apache.zookeeper.ZooKeeper)
[2018-09-14 08:59:00,536] WARN SASL configuration failed: javax.security.auth.login.LoginException: No JAAS configuration section named 'Client' was found in specified JAAS configuration file: '/etc/kafka/kafka_server_jaas.conf'. Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
[2018-09-14 08:59:00,536] INFO [ZooKeeperClient] Waiting until connected. (kafka.zookeeper.ZooKeeperClient)
[2018-09-14 08:59:00,537] INFO Opening socket connection to server localhost/127.0.0.1:2181 (org.apache.zookeeper.ClientCnxn)
[2018-09-14 08:59:00,540] ERROR [ZooKeeperClient] Auth failed. (kafka.zookeeper.ZooKeeperClient)
[2018-09-14 08:59:00,555] INFO Socket connection established to localhost/127.0.0.1:2181, initiating session (org.apache.zookeeper.ClientCnxn)
[2018-09-14 08:59:00,564] INFO Session establishment complete on server localhost/127.0.0.1:2181, sessionid = 0x1000004693a0004, negotiated timeout = 6000 (org.apache.zookeeper.ClientCnxn)
[2018-09-14 08:59:00,565] INFO [ZooKeeperClient] Connected. (kafka.zookeeper.ZooKeeperClient)
[2018-09-14 08:59:00,801] INFO Cluster ID = zNddSOF5SDm4FkjP33FYNQ (kafka.server.KafkaServer)
[2018-09-14 08:59:00,892] INFO KafkaConfig values:
advertised.host.name = null
advertised.listeners = INTERNAL://localhost:9092
advertised.port = null
alter.config.policy.class.name = null
Контейнерные журналы Zookeeper, похоже, не сильно помогают:
2018-09-14 08:31:23,237 [myid:2] - INFO [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory@192] - Accepted socket connection from /100.105.123.61:37766
2018-09-14 08:31:23,240 [myid:2] - INFO [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@942] - Client attempting to establish new session at /100.105.123.61:37766
2018-09-14 08:31:23,242 [myid:2] - INFO [CommitProcessor:2:ZooKeeperServer@687] - Established session 0x265d7206f920001 with negotiated timeout 40000 for client /100.105.123.61:37766
2018-09-14 08:31:23,246 [myid:2] - INFO [ProcessThread(sid:2 cport:-1)::PrepRequestProcessor@486] - Processed session termination for sessionid: 0x265d7206f920001
2018-09-14 08:31:23,248 [myid:2] - INFO [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxn@1044] - Closed socket connection for client /100.105.123.61:37766 which had sessionid 0x265d7206f920001
2018-09-14 08:31:26,102 [myid:2] - INFO [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory@192] - Accepted socket connection from /127.0.0.1:50326
2018-09-14 08:31:26,102 [myid:2] - INFO [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxn@883] - Processing ruok command from /127.0.0.1:50326
Конфигурация SCRAM настроена так, как описано:
здесь: https://docs.confluent.io/current/kafka/authentication_sasl/authentication_sasl_scram.html
с конфигурацией jaas, определенной как
KafkaServer {
org.apache.kafka.common.security.scram.ScramLoginModule required
username="admin"
password="admin-secret";
};