Open mikolajmorawski opened 6 years ago
We just pass SASL configs to Sarama, so this is a little tricky to debug. But can you try one thing for me? Change the sasl profile definition to the following:
[sasl.mysasl]
username="admin"
password="adminpass"
handshake-first=true
I suspect we might have a bad default value for handshake-first, but I don't have a SASL environment right now to test in.
Thanks for your help, after this change it started to work correctly. I was trying all possible configurations but I haven’t thought about adding field handshake-first=true to my configuration to override this “default” value :D, so it was a problem with the wrong default value :D
The next step I was doing was to connect Burrow with SASL_SSL secured kafka. In documentation there is the note about certfile and keyfile fields which are required. It is not true when you want to connect to SSL secured kafka. The only thing I had to do was to set this:
[tls.mytls]
noverify=true
I found that there is a mistake in documentation, the field there is shown as “no-verify” but correct value is “noverify” like in your code. The problem I had with this was that it was not possible to debug. The Burrow logs only show this debug message:
“Cannot start Kafka client for cluster local: kafka: client has run out of available brokers to talk to (Is your cluster reachable?)”
This message could be related to any problem, but I already knew that the last thing that was not working was TLS. So changing this field name helped me. Also these other fields are not required during SSL connection to Kafka. Maybe they are required when you are creating HttpServer with TLS. It would be nice to split these two things and describe them separately.
Yes, that's correct. certfile and keyfile are required for the HTTP server. They are also needed for the Kafka client config if you are using client certificates for authentication. We'll need to update the docs as well.
As far as the value of handshake-first goes, thank you for trying that out and confirming it was the problem. There needs to be a PR generated now to make sure that handshake-first has a default of true set in the code before it is read from config and used.
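An added sketch of the fix described in the comment above, together with the two failure modes reported earlier in the thread (a key left at a bad default and a misspelled key that is silently ignored). This is example code written for this page, not Burrow's or Sarama's implementation; `SASLProfile` and `parseSASLProfile` are hypothetical names, and the parser only handles the simple key=value lines shown in the thread.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// SASLProfile mirrors the keys shown in the thread's [sasl.mysasl] section.
type SASLProfile struct {
	Username, Password string
	HandshakeFirst     bool
}

// parseSASLProfile reads the key=value lines of one profile section.
func parseSASLProfile(text string) (SASLProfile, error) {
	// The default is set BEFORE the config is read, so an absent key
	// means true rather than Go's zero value (false).
	p := SASLProfile{HandshakeFirst: true}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "[") || strings.HasPrefix(line, "#") {
			continue // blank line, section header or comment
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			return p, fmt.Errorf("malformed line %q", line)
		}
		key, val = strings.TrimSpace(key), strings.Trim(strings.TrimSpace(val), `"`)
		switch key {
		case "username":
			p.Username = val
		case "password":
			p.Password = val
		case "handshake-first":
			p.HandshakeFirst = val == "true"
		default:
			// Fail loudly on a misspelled key instead of ignoring it.
			return p, fmt.Errorf("unknown key %q", key)
		}
	}
	if p.Username == "" {
		return p, errors.New("username must not be empty when SASL is enabled")
	}
	return p, nil
}

func main() {
	// Constructed sample input: the profile from the thread without handshake-first.
	p, err := parseSASLProfile("[sasl.mysasl]\nusername=\"admin\"\npassword=\"adminpass\"\n")
	fmt.Println(p.HandshakeFirst, err)
}
```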
@mikolajmorawski and @toddpalino: does it mean that Burrow does not support Kafka when brokers are configured with SASL_PLAINTEXT?? I am also running SASL_PLAINTEXT in the environment, and getting "kafka: client has run out of available brokers to talk to (Is your cluster reachable?)" error. Tried to put in noverify=true, but it's not helping. @mikolajmorawski, have you found a workaround? If yes, is it possible to share your config for burrow?
Thanks again,
Alex
@mikolajmorawski and @toddpalino can I ask if current release of burrow supports SASL_PLAINTEXT? Thanks so much in advance for replying.
I haven't explicitly tested it against SASL_PLAINTEXT, so it would depend on the underlying Sarama client support. There was a bug, as noted, in the default value of handshake-first. That hasn't been resolved yet (as noted, we need a PR for it - I haven't done it myself because I'm not using it at present). So I would make sure that that config is explicitly set to true in the SASL profile section of the config.
Thanks for reply @toddpalino . Yes, config is explicitly set to true.
handshake-first=true
...it is bugging out nevertheless :(
Thanks again..
Hi @toddpalino
I'm trying to go through a similar route... SASL_PLAINTEXT + Keytab. How can I tell burrow to use this configuration? I've made kinit and then start burrow, but as soon as I define a sasl profile the startup starts failing
{"level":"info","ts":1527166609.0603826,"msg":"starting","type":"module","coordinator":"cluster","class":"kafka","name":"dev"}
{"level":"error","ts":1527166609.0604134,"msg":"failed to start client","type":"module","coordinator":"cluster","class":"kafka","name":"dev","error":"kafka: invalid configuration (Net.SASL.User must not be empty when SASL is enabled)"}
If I don't define one then I get
{"level":"error","ts":1527167116.8251395,"msg":"failed to start client","type":"module","coordinator":"cluster","class":"kafka","name":"dev","error":"kafka: client has run out of available brokers to talk to (Is your cluster reachable?)"}
Am I missing something? I don't see any other reference to this setup in the configuration notes.
Thanks!
@toddpalino , I'm also interested in keytab authentication. Did you find a solution ?
Best, Jerome
Didn't ever see an update here. So, can Burrow auth using SASL_PLAINTEXT + Keytab ?
Thanks much!
Same Q here - Can we do SASL_SSL + Kerberos
I cannot get sasl + scram to work, with latest burrow. sarama added scram in its 1.22.1 and latest burrow does use that version. I get the same error '"failed to start client","type":"module","coordinator":"cluster","class":"kafka","name":"local","error":"kafka: client has run out of available brokers to talk to (Is your cluster reachable?)"'
Can anyone let me know what config I need to do in order for it to work?
@tsrikanth06 Does this help at all?
https://github.com/linkedin/Burrow/issues/526#issuecomment-491880633
Hello @rja1 Did you find a way to achieve this ?
Hi, I am trying to configure Burrow with Kafka SASL. I am using kafka image from wurstmeister with the following configuration:
jaas.conf:
And Burrow with the following configuration:
When I turn off SASL_PLAINTEXT on Kafka, Burrow starts with success and is connected to kafka brokers. With this configuration I get the following error during burrow<->kafka connection: