logstash-plugins / logstash-input-kafka

Kafka input for Logstash
Apache License 2.0

SASL JAAS - Could not find a 'KafkaClient' entry in the JAAS configuration #311

Closed paerlundgren closed 4 years ago

paerlundgren commented 5 years ago

Hi,

I'm having an issue with configuring Logstash to subscribe to a Kafka topic over SASL SSL.

From what it looks like, Kafka fails to read the Kafka client configuration specified in the provided jaas_path. From the Logstash log:

```
Unable to create Kafka consumer from given configuration {:kafka_error_message=>org.apache.kafka.common.KafkaException: Failed to construct kafka consumer, :cause=>java.lang.IllegalArgumentException: Could not find a 'KafkaClient' entry in the JAAS configuration. System property 'java.security.auth.login.config' is /etc/logstash/kafka_sasl_jaas.java}
```

kafka_sasl_jaas.java file looks like:

```
KafkaClient {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  serviceName="someName"
  username="someName2"
  password="somePassword";
};
```

Kafka consumer configuration from logstash log:

```
ConsumerConfig values:
    auto.commit.interval.ms = 5000
    auto.offset.reset = latest
    bootstrap.servers = [someIP:somePort]
    check.crcs = true
    client.id = logstash-0
    connections.max.idle.ms = 540000
    enable.auto.commit = true
    exclude.internal.topics = true
    fetch.max.bytes = 52428800
    fetch.max.wait.ms = 500
    fetch.min.bytes = 1
    group.id = someGroup
    heartbeat.interval.ms = 3000
    interceptor.classes = []
    internal.leave.group.on.close = true
    isolation.level = read_uncommitted
    key.deserializer = class org.apache.kafka.common.serialization.StringDeserializer
    max.partition.fetch.bytes = 1048576
    max.poll.interval.ms = 300000
    max.poll.records = 500
    metadata.max.age.ms = 300000
    metric.reporters = []
    metrics.num.samples = 2
    metrics.recording.level = INFO
    metrics.sample.window.ms = 30000
    partition.assignment.strategy = [class org.apache.kafka.clients.consumer.RangeAssignor]
    receive.buffer.bytes = 65536
    reconnect.backoff.max.ms = 1000
    reconnect.backoff.ms = 50
    request.timeout.ms = 305000
    retry.backoff.ms = 100
    sasl.jaas.config = null
    sasl.kerberos.kinit.cmd = /usr/bin/kinit
    sasl.kerberos.min.time.before.relogin = 60000
    sasl.kerberos.service.name = someName
    sasl.kerberos.ticket.renew.jitter = 0.05
    sasl.kerberos.ticket.renew.window.factor = 0.8
    sasl.mechanism = PLAIN
    security.protocol = SASL_SSL
    send.buffer.bytes = 131072
    session.timeout.ms = 10000
    ssl.cipher.suites = null
    ssl.enabled.protocols = [TLSv1.2, TLSv1.1, TLSv1]
    ssl.endpoint.identification.algorithm = null
    ssl.key.password = null
    ssl.keymanager.algorithm = SunX509
    ssl.keystore.location = null
    ssl.keystore.password = null
    ssl.keystore.type = JKS
    ssl.protocol = TLS
    ssl.provider = null
    ssl.secure.random.implementation = null
    ssl.trustmanager.algorithm = PKIX
    ssl.truststore.location = /etc/logstash/kafka.truststore.pkcs12
    ssl.truststore.password = null
    ssl.truststore.type = pkcs12
    value.deserializer = class org.apache.kafka.common.serialization.StringDeserializer
```

Logstash kafka input config:

```
input {
  kafka {
    bootstrap_servers => "someIP:somePort"
    topics => ["someTopic"]
    decorate_events => true
    group_id => "someGroup"
    codec => someCodec
    security_protocol => "SASL_SSL"
    sasl_mechanism => "PLAIN"
    jaas_path => "/etc/logstash/kafka_sasl_jaas.java"
    sasl_kerberos_service_name => "kafka"
    ssl_truststore_location => "/etc/logstash/kafka.truststore.pkcs12"
    ssl_truststore_type => "pkcs12"
  }
}
```

I have tried different access rights and ownership (root and logstash) for the kafka_sasl_jaas.java file without success.

Really glad if someone can help me identify what is going wrong here :-)!

paerlundgren commented 5 years ago

Problem solved when upgrading Java from: oracle-java8-installer/xenial,xenial,now 8u161-1~webupd8~1 to oracle-java8-installer/xenial,xenial,now 8u201-1~webupd8~1

So my assumption is that this was related to the key or value deserializer, org.apache.kafka.common.serialization.StringDeserializer. If someone can confirm this, that would be great!

yaauie commented 4 years ago

Since this issue has a fix in an updated JVM, I believe we can close the ticket even though I have not been able to find the source of the problem directly.
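A preflight check for the file that `jaas_path` points to, added here as an example and not code from Logstash, Kafka or anyone in this thread: it parses the JAAS syntax, confirms that a `KafkaClient` entry exists with the login module matching `sasl_mechanism`, and flags permissions that expose the plaintext password. `parse_jaas` and `check_jaas` are hypothetical names, the owner-only permission policy is an assumption, and GSSAPI is left out because its login module class depends on the JDK vendor.

```python
import re

# Tokens: quoted string, // or /* */ comment, punctuation, bare word.
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|//[^\n]*|/\*.*?\*/|[{};=]|[^\s{};="]+', re.S)
MODULES = {  # login module class each SASL mechanism expects
    "PLAIN": "org.apache.kafka.common.security.plain.PlainLoginModule",
    "SCRAM-SHA-256": "org.apache.kafka.common.security.scram.ScramLoginModule",
    "SCRAM-SHA-512": "org.apache.kafka.common.security.scram.ScramLoginModule",
}
# JAAS file from the issue, placeholders unchanged.
SAMPLE = '''KafkaClient { org.apache.kafka.common.security.plain.PlainLoginModule required
  serviceName="someName" username="someName2" password="somePassword"; };'''

def parse_jaas(text):
    """Return {entry: [(module_class, flag, {option: value}), ...]}."""
    toks = [t for t in TOKEN.findall(text) if not t.startswith(("//", "/*"))]
    entries, i = {}, 0
    while i < len(toks):
        name, modules = toks[i], []
        if toks[i + 1:i + 2] != ["{"]:
            raise ValueError(f"expected '{{' after {name!r}")
        i += 2
        while i < len(toks) and toks[i] != "}":
            end = toks.index(";", i)  # bare ';' only; one inside quotes is part of a value
            opts = {toks[j]: toks[j + 2].strip('"') for j in range(i + 2, end - 2, 3)}
            modules.append((toks[i], toks[i + 1], opts))
            i = end + 1
        if toks[i:i + 2] != ["}", ";"]:
            raise ValueError(f"entry {name!r} is not closed with '}};'")
        entries[name], i = modules, i + 2
    return entries

def check_jaas(text, mechanism, mode=0o600):
    """List problems with a client JAAS file; mode is the file's permission bits."""
    try:
        entries = parse_jaas(text)
    except ValueError as exc:
        return [f"malformed JAAS file: {exc}"]
    if "KafkaClient" not in entries:  # exact name lookup, as in the error message
        return [f"no 'KafkaClient' entry, found {sorted(entries)}"]
    findings, want = [], MODULES[mechanism]
    mods = [m for m in entries["KafkaClient"] if m[0] == want]
    if not mods:
        findings.append(f"{mechanism} needs {want}")
    elif not {"username", "password"} <= mods[0][2].keys():
        findings.append("username/password option missing")
    if mode & 0o077:  # assumption: only the service account should have access
        findings.append(f"mode {mode:o} gives group/other access to a plaintext password")
    return findings
```

For a file on disk, pass `open(path).read()` as `text` and `os.stat(path).st_mode & 0o777` as `mode`.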