factorhouse / kpow

Kpow for Apache Kafka
https://factorhouse.io/kpow
37 stars 5 forks

SASL_SSL Kerberos configuration #8

Closed rsaggino closed 1 year ago

rsaggino commented 1 year ago

Version of Kpow
Release: 90.2.1

Describe the issue
Hi, I am evaluating kpow and I was trying to get the kerberos configuration to work. I tried the following:

BOOTSTRAP=server.mydomain:9000
SECURITY_PROTOCOL=SASL_SSL
SASL_MECHANISM=GSSAPI
SASL_JAAS_CONFIG=com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="/configs/keytab" storeKey=true useTicketCache=false serviceName="kafka" principal="kpow@realm";
SASL_KERBEROS_SERVICE_NAME=kafka
SSL_TRUSTSTORE_LOCATION=/configs/truststore.jks
SSL_TRUSTSTORE_PASSWORD=ABC
SSL_TRUSTSTORE_TYPE=JKS

but I receive the usual: Caused by: javax.security.auth.login.LoginException: Could not login: the client is being asked for a password

I suppose that a few more configurations are missing, e.g. SASL_KERBEROS_KINIT_CMD but there is no kinit executable inside the image.

How may I solve this?

Thanks.

d-t-w commented 1 year ago

Hello @rsaggino - thanks for raising this ticket.

I think you have identified the likely issue, that some kerberos state is missing within the container itself.

I have an explanation and some suggestions for you, and then in the end suggest just getting a trial license and using our JAR file deployment rather than the container (see below).

--

Do you have the configuration for an existing client that connects to your Kerberos cluster? Kpow uses exactly the same configuration declared as environment variables instead. If you have a client configuration the first step would be to copy the full config into our environment variable format, specifically for kerberos connections we support setting:

SASL_KERBEROS_SERVICE_NAME
SASL_KERBEROS_KINIT_CMD
SASL_KERBEROS_TICKET_RENEW_WINDOW_FACTOR
SASL_KERBEROS_TICKET_RENEW_JITTER
SASL_KERBEROS_MIN_TIME_BEFORE_RELOGIN

I assume you have a client as your config looks correct, and very similar to the example kerberos/kafka connection configuration given in this guide by IBM.

I also assume you have set a volume mount to provide access to your truststore and keytab file within the container, as otherwise I think you would see an error about loading the keystore.

If not you might need to add something like this to your docker run command:

docker run --volume="$PWD/my-resources:/configs"

If running in kube you would need to provide those physical files as secrets, via a volume, or configmap, etc.

I'm not a Kerberos expert, but even then I think you would struggle to use the container as kerberos itself has not been initialized within the container. This stackoverflow answer suggests to:

Install krb5-workstation in your container. Copy appropriate krb5.conf file in /etc/ directory and in your startup script do kinit with your KDC principal and keytab. Make sure that KDC server is reachable from your host.

I think it would be possible for you to create a derivative container from our image, include your krb5.conf and install and initialize kinit if you specifically require using a Docker container, but that requires building your own image.

Many of our enterprise customers use our Java JAR instead of our docker container (we even provide a Java8 jar for those who need it, yes that is still a thing). Of the customers that I am aware of using Kerberos auth, I believe they are all using the JAR deployment as that is more easily integrated with existing Kerberos setups: you just download the JAR, configure it exactly like the container, and run it on a machine already configured with a keytab.

The Kpow Java 11 JAR can be downloaded here: https://kpow.io/releases/#java11
The Java JAR quick start with example script is here: https://docs.kpow.io/quick-start/jar/

Using the JAR requires a license, you can have a 30-day trial license emailed to you automatically using this form:

https://kpow.io/get-started/#standard

If you have any difficulty with the JAR or creating your own docker image, just reply to this ticket or email support@factorhouse.io.

Thanks!
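As an added example (not from Kpow or from anyone in this thread), the pre-flight a derivative image could run before starting the JVM, following the quoted advice: it parses SASL_JAAS_CONFIG, checks that the keytab and /etc/krb5.conf are present, and obtains a TGT with kinit from the keytab so Krb5LoginModule never has to prompt for a password. It assumes a hypothetical image with the krb5 client tools installed; the JAAS line is the one from the opening comment.

```shell
#!/bin/sh
# Constructed sample: the SASL_JAAS_CONFIG value from the opening comment.
SAMPLE_JAAS='com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="/configs/keytab" storeKey=true useTicketCache=false serviceName="kafka" principal="kpow@realm";'

# Extract one key=value (quoted or not, with or without trailing ';') from a JAAS line.
jaas_value() {  # $1 = JAAS string, $2 = key name
  printf '%s\n' "$1" | tr ' ' '\n' \
    | sed -n "s/^$2=\"\{0,1\}\([^\";]*\)\"\{0,1\};\{0,1\}\$/\1/p" | head -n 1
}

# Return 0 when the login module is keytab-based (the only unattended mode);
# return 1 when it would fall back to asking for a password.
check_jaas() {  # $1 = JAAS string
  [ "$(jaas_value "$1" useKeyTab)" = "true" ] \
    && [ -n "$(jaas_value "$1" keyTab)" ] \
    && [ -n "$(jaas_value "$1" principal)" ] && return 0
  echo "JAAS config must set useKeyTab=true, keyTab and principal" >&2
  return 1
}

# Command used to obtain the initial TGT; /usr/bin/kinit is Kafka's default
# sasl.kerberos.kinit.cmd, which SASL_KERBEROS_KINIT_CMD overrides.
kinit_cmd() {  # $1 = JAAS string
  printf '%s -kt %s %s\n' "${SASL_KERBEROS_KINIT_CMD:-/usr/bin/kinit}" \
    "$(jaas_value "$1" keyTab)" "$(jaas_value "$1" principal)"
}

# Pre-flight against the container environment; run with RUN_PREFLIGHT=1.
preflight() {
  check_jaas "$SASL_JAAS_CONFIG" || return 1
  keytab=$(jaas_value "$SASL_JAAS_CONFIG" keyTab)
  [ -r "$keytab" ] || { echo "keytab $keytab not mounted or unreadable" >&2; return 1; }
  [ -r /etc/krb5.conf ] || { echo "/etc/krb5.conf missing (realm and KDC config)" >&2; return 1; }
  command -v "${SASL_KERBEROS_KINIT_CMD:-/usr/bin/kinit}" >/dev/null \
    || { echo "kinit not installed in the image" >&2; return 1; }
  sh -c "$(kinit_cmd "$SASL_JAAS_CONFIG")" && klist  # TGT cached before the JVM starts
}

if [ "${RUN_PREFLIGHT:-0}" = 1 ]; then preflight || exit 1; fi
```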

rsaggino commented 1 year ago

@d-t-w thank you for the detailed e-mail. I got it working with the same configuration I wrote in the opening comment by (not so) simply providing a working kerberos environment (and kinit).

(I will open a different issue since it works but logs errors).

Thanks.