confluentinc / confluent-kafka-dotnet

Confluent's Apache Kafka .NET client
https://github.com/confluentinc/confluent-kafka-dotnet/wiki
Apache License 2.0

SASL mechanism GSSAPI not working #331

Open kavyashivakumar opened 7 years ago

kavyashivakumar commented 7 years ago

Kafka-gssapi.txt

Description

I am trying to connect to Kafka brokers v0.10.2 running on Linux CentOS 7, where recently security was enabled.

I am using Confluent.Kafka v0.11.0 and my test producer and consumer applications are running on Windows 7 with .NET 4.6.1 framework.

I am trying to use the below configuration for the producer, but I get:

    7|2017-10-04 10:42:26.904|test.Poc.Producer.1#producer-1|BROKERFAIL| [thrd:sasl_plaintext://broker1.machine.test.group:9092/bootstrap]: sasl_plaintext://broker1.machine.test.group:9092/bootstrap: failed: err: Local: Authentication failure: (errno: Invalid argument)

(I have attached the log, but I don't know what I am missing.) Can someone please help? @treziac, @vinodres @mhowlett @treziac

    var config = new Dictionary<string, object>
    {
        { "bootstrap.servers", "broker1.machine.test.group:9092" },
        { "client.id", $"test.Poc.Producer.1" },
        //{ "sasl.mechanisms", "GSSAPI" },
        { "log_level", 7 },
        { "debug", "all" },
        // {"sasl.username",@"someuser@differentdomain.COM"},{"sasl.password","test123" },
        { "api.version.request", "true" },
        { "sasl.kerberos.service.name", "kafka" },
        { "security.protocol", "SASL_PLAINTEXT" },
        { "default.topic.config", new Dictionary<string, object>()
            {
                { "acks", "all" },
                { "request.timeout.ms", 5000 },
            }
        }
    };

How to reproduce

With the above config on .NET 4.6.1, I have run kinit and, as you can see in the log, Kerberos creds are picked up. Kafka brokers are on a Linux box.

mhowlett commented 6 years ago

This is something I've so far managed to avoid knowing about. Some things I know:

  1. On Windows, the principal used by the client is always the logged-in user.
  2. here's an example @rnpridgeon made: https://gist.github.com/rnpridgeon/a406d1adfdd8b146fd779accf0a0d216 (he may be able to comment further).
  3. docs for this on librdkafka are here: https://github.com/edenhill/librdkafka/wiki/Using-SASL-with-librdkafka

Marking as enhancement as we need a good example / walkthrough of this.

persianstarr commented 4 years ago

Greetings! Really appreciate your library. I am having the same problem: I am trying to consume on a Windows server using C# and the Confluent Kafka .NET libraries, with a Kafka server on Linux with Kerberos enabled using GSSAPI and SASL_PLAINTEXT. I was able to authenticate with Kerberos and get tokens back using Kerberos.Net, which also used my keytab file for authentication. Since I am using the authenticated user's context and have impersonated, it doesn't seem like there is any issue with authentication; however, I am still getting this error when I try to consume:

Broker: Group authorization failed

Any ideas? Really appreciate your help!

ansi123 commented 2 years ago

Hi @kavyashivakumar @mhowlett @ijuma @persianstarr, is this issue resolved? I am also having the same issue while running my consumer on Windows; I am using sasl.mechanism GSSAPI. The error which I am facing is "broker: Group authentication failed", and at the same time the other error which is occurring is "No such configuration property: sasl.kerberos.keytab is not supported to windows servers". Is there any other way to create and use a keytab file in consumer config properties on Windows servers? I am using C# and .NET Core/Framework.

Please help.
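
An added example, not part of the thread and not code from the confluent-kafka-dotnet project: a pre-flight check over a client configuration dictionary that flags the Kerberos pitfalls raised above (the keytab property that the quoted error says is rejected on Windows, where the principal is the logged-in user, plus unused password entries and the unencrypted SASL_PLAINTEXT listener). The class name `KerberosConfigCheck`, the sample dictionary and the keytab path are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

static class KerberosConfigCheck
{
    // Returns human-readable findings for a librdkafka-style client config.
    public static List<string> Check(IDictionary<string, object> cfg, bool isWindows)
    {
        var findings = new List<string>();
        string Get(string key) =>
            cfg.TryGetValue(key, out var v) && v != null ? v.ToString() : null;

        // librdkafka defaults to GSSAPI when no mechanism is configured.
        var mechanism = Get("sasl.mechanisms") ?? Get("sasl.mechanism") ?? "GSSAPI";
        bool gssapi = string.Equals(mechanism, "GSSAPI", StringComparison.OrdinalIgnoreCase);

        if (gssapi && isWindows && Get("sasl.kerberos.keytab") != null)
            findings.Add("sasl.kerberos.keytab is rejected on Windows; the client " +
                         "authenticates as the logged-in user, so run the process " +
                         "under the account that should own the Kafka principal.");

        if (gssapi && (Get("sasl.username") != null || Get("sasl.password") != null))
            findings.Add("sasl.username/sasl.password are not used by GSSAPI; " +
                         "remove them so no password sits in source or config.");

        if (string.Equals(Get("security.protocol"), "SASL_PLAINTEXT",
                          StringComparison.OrdinalIgnoreCase))
            findings.Add("SASL_PLAINTEXT authenticates but does not encrypt traffic; " +
                         "use SASL_SSL if the brokers offer a TLS listener.");

        return findings;
    }

    static void Main()
    {
        // Constructed sample, modelled on the configuration posted in this thread.
        var cfg = new Dictionary<string, object>
        {
            { "bootstrap.servers", "broker1.machine.test.group:9092" },
            { "security.protocol", "SASL_PLAINTEXT" },
            { "sasl.kerberos.service.name", "kafka" },
            { "sasl.kerberos.keytab", @"C:\placeholder\client.keytab" }, // placeholder path
        };
        bool isWindows = RuntimeInformation.IsOSPlatform(OSPlatform.Windows);
        foreach (var f in Check(cfg, isWindows)) Console.WriteLine("WARN: " + f);
    }
}
```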