
Set mechanism for kafka cluster

Open woshiduncan opened this issue 5 years ago • 4 comments

With 1.3.3.22, we can set a different security.protocol and sasl.mechanism for different clusters in the UI, but how do we deal with a mechanism that is not GSSAPI? The error is:

org.apache.kafka.common.errors.IllegalSaslStateException: Unexpected handshake request with client mechanism SCRAM-SHA-256, enabled mechanisms are [GSSAPI]

It's not a question of a config mistake in Kafka; our server.properties already enables SCRAM-SHA-256 with sasl.enabled.mechanisms=GSSAPI,PLAIN,SCRAM-SHA-256,SCRAM-SHA-512

woshiduncan avatar Apr 23 '19 13:04 woshiduncan

My understanding was that kafka-manager couldn't handle SASL_SCRAM at the moment? Looks like SASL_PLAIN has been merged in: https://github.com/yahoo/kafka-manager/pull/632 but not sure anyone's implemented SCRAM yet? I get this in my log (2.0.0.2 kafka-manager):

2019-04-23 06:34:44,414 - [WARN] - from org.apache.kafka.clients.NetworkClient in KafkaTopicOffsetGetter [Consumer clientId=consumer-12, groupId=null] Error while fetching metadata with correlation id 74 : {testnested=TOPIC_AUTHORIZATION_FAILED}

even though there aren't ACLs on the topic __consumer_offsets and the session is established:

2019-04-23 06:03:46,474 - [INFO] - from org.apache.zookeeper.Login in kafka-manager-system-akka.actor.default-dispatcher-2-SendThread(xxxxxxxxxx:2181) Client successfully logged in.

2019-04-23 06:03:46,478 - [INFO] - from org.apache.zookeeper.client.ZooKeeperSaslClient in kafka-manager-system-akka.actor.default-dispatcher-2-SendThread(xxxxxxxxxx:2181) Client will use DIGEST-MD5 as SASL mechanism.

winter98 avatar Apr 23 '19 14:04 winter98

https://github.com/yahoo/CMAK/issues/828 related?

jurgen-weber-deltatre avatar Feb 17 '21 21:02 jurgen-weber-deltatre

SASL_SCRAM would be required to use this with AWS MSK, etc.

jurgen-weber-deltatre avatar Feb 17 '21 22:02 jurgen-weber-deltatre

Works for me. It seems the root cause is CMAK somehow using the 1st mechanism from sasl.enabled.mechanisms of the Kafka broker to connect, instead of using the defined one, if multiple protocols are enabled on Kafka. I changed the order in the Kafka broker config to define SCRAM first in the order, and CMAK started working for me.

Previous - not working: sasl.enabled.mechanisms=GSSAPI,SCRAM-SHA-512,OAUTHBEARER

Now - working: sasl.enabled.mechanisms=SCRAM-SHA-512,OAUTHBEARER,GSSAPI

I did something similar for listener, security.protocol.map as well.

tanuj83 avatar May 10 '22 12:05 tanuj83
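
A pre-flight check for the mismatch discussed in this thread, as an added example that is not part of any comment above and is not CMAK or Kafka code. It resolves the broker's effective `sasl.enabled.mechanisms` (per-listener override first, then the global key, then Kafka's `GSSAPI` default) and classifies the client's `sasl.mechanism` against it. The function names and the sample properties are constructed, and the `enabled-not-first` status only flags the ordering condition reported in the last comment; it does not confirm CMAK's behaviour.

```python
# Added example: helper names are hypothetical, sample config is constructed.
BROKER_DEFAULT_MECHANISMS = ["GSSAPI"]  # Kafka broker default when the key is unset

def parse_properties(text):
    """Parse simple key=value lines from server.properties-style text."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def enabled_mechanisms(props, listener=None):
    """Effective mechanism list: a per-listener override wins over the global key."""
    keys = []
    if listener:
        # Kafka lower-cases the listener name in the config prefix.
        keys.append(f"listener.name.{listener.lower()}.sasl.enabled.mechanisms")
    keys.append("sasl.enabled.mechanisms")
    for key in keys:
        if key in props:
            return [m.strip() for m in props[key].split(",") if m.strip()]
    return list(BROKER_DEFAULT_MECHANISMS)

def check_client(props, client_mechanism, listener=None):
    """Classify the client's sasl.mechanism against the broker's effective list."""
    mechs = enabled_mechanisms(props, listener)
    if client_mechanism not in mechs:
        return "not-enabled", mechs       # handshake will be rejected
    if mechs[0] != client_mechanism:
        return "enabled-not-first", mechs  # ordering condition from the thread
    return "enabled-first", mechs

# Constructed sample, not taken from the issue.
SAMPLE = """\
sasl.enabled.mechanisms=GSSAPI,SCRAM-SHA-512,OAUTHBEARER
listener.name.internal.sasl.enabled.mechanisms=GSSAPI
"""

if __name__ == "__main__":
    props = parse_properties(SAMPLE)
    for listener in (None, "INTERNAL"):
        print(listener, check_client(props, "SCRAM-SHA-512", listener))
```

Run it against the properties of the listener the management tool actually connects to; a `not-enabled` result on that listener means the broker-wide list is being overridden or was never applied there.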