ozangunalp / kafka-native

Kafka broker compiled to native using Quarkus and GraalVM.
Apache License 2.0

How to add Java system property parameters at startup? #204

Open zhangkangwulu opened 1 month ago

zhangkangwulu commented 1 month ago

How can I specify the -Djava.security.krb5.conf=/path/krb5.conf parameter? When I enable Kerberos, I receive an error.

```
2024-07-17 16:59:59,571 ERROR [io.qua.run.Application] (main) Failed to start application (with profile [prod]): java.lang.RuntimeException: Failed to start quarkus
    at io.quarkus.runner.ApplicationImpl.doStart(Unknown Source)
    at io.quarkus.runtime.Application.start(Application.java:101)
    at io.quarkus.runtime.ApplicationLifecycleManager.run(ApplicationLifecycleManager.java:111)
    at io.quarkus.runtime.Quarkus.run(Quarkus.java:71)
    at io.quarkus.runtime.Quarkus.run(Quarkus.java:44)
    at io.quarkus.runtime.Quarkus.run(Quarkus.java:124)
    at io.quarkus.runner.GeneratedMain.main(Unknown Source)
Caused by: org.apache.kafka.common.KafkaException: javax.security.auth.login.LoginException: Cannot locate KDC
    at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:184)
    at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:192)
    at org.apache.kafka.common.network.ChannelBuilders.clientChannelBuilder(ChannelBuilders.java:81)
    at kafka.raft.KafkaRaftManager.buildNetworkClient(RaftManager.scala:236)
    at kafka.raft.KafkaRaftManager.buildNetworkChannel(RaftManager.scala:205)
    at kafka.raft.KafkaRaftManager.<init>(RaftManager.scala:124)
    at kafka.server.KafkaRaftServer.<init>(KafkaRaftServer.scala:81)
    at com.ozangunalp.kafka.server.EmbeddedKafkaBroker.start(EmbeddedKafkaBroker.java:206)
    at com.ozangunalp.kafka.server.Startup.startup(Startup.java:37)
    at com.ozangunalp.kafka.server.Startup_Observer_startup_lDxI_XYb49w9c3LH146P8PmORkk.notify(Unknown Source)
    at io.quarkus.arc.impl.EventImpl$Notifier.notifyObservers(EventImpl.java:351)
    at io.quarkus.arc.impl.EventImpl$Notifier.notify(EventImpl.java:333)
    at io.quarkus.arc.impl.EventImpl.fire(EventImpl.java:80)
    at io.quarkus.arc.runtime.ArcRecorder.fireLifecycleEvent(ArcRecorder.java:155)
    at io.quarkus.arc.runtime.ArcRecorder.handleLifecycleEvents(ArcRecorder.java:106)
    at io.quarkus.deployment.steps.LifecycleEventsBuildStep$startupEvent1144526294.deploy_0(Unknown Source)
    at io.quarkus.deployment.steps.LifecycleEventsBuildStep$startupEvent1144526294.deploy(Unknown Source)
    ... 7 more
Caused by: javax.security.auth.login.LoginException: Cannot locate KDC
    at jdk.security.auth@17.0.10/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:789)
    at jdk.security.auth@17.0.10/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:597)
    at java.base@17.0.10/javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
    at java.base@17.0.10/javax.security.auth.login.LoginContext$4.run(LoginContext.java:679)
    at java.base@17.0.10/javax.security.auth.login.LoginContext$4.run(LoginContext.java:677)
    at java.base@17.0.10/java.security.AccessController.executePrivileged(AccessController.java:149)
    at java.base@17.0.10/java.security.AccessController.doPrivileged(AccessController.java:712)
    at java.base@17.0.10/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:677)
    at java.base@17.0.10/javax.security.auth.login.LoginContext.login(LoginContext.java:587)
    at org.apache.kafka.common.security.authenticator.AbstractLogin.login(AbstractLogin.java:60)
    at org.apache.kafka.common.security.kerberos.KerberosLogin.login(KerberosLogin.java:103)
    at org.apache.kafka.common.security.authenticator.LoginManager.<init>(LoginManager.java:62)
    at org.apache.kafka.common.security.authenticator.LoginManager.acquireLoginManager(LoginManager.java:112)
    at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:170)
    ... 23 more
Caused by: KrbException: Cannot locate KDC
    at java.security.jgss@17.0.10/sun.security.krb5.Config.getKDCList(Config.java:1275)
    at java.security.jgss@17.0.10/sun.security.krb5.KdcComm.send(KdcComm.java:217)
    at java.security.jgss@17.0.10/sun.security.krb5.KdcComm.send(KdcComm.java:199)
    at java.security.jgss@17.0.10/sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:345)
    at java.security.jgss@17.0.10/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:498)
    at jdk.security.auth@17.0.10/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:761)
    ... 36 more
Caused by: KrbException: Generic error (description in e-text) (60) - Unable to locate KDC for realm ZZYC.COM
    at java.security.jgss@17.0.10/sun.security.krb5.Config.getKDCFromDNS(Config.java:1372)
    at java.security.jgss@17.0.10/sun.security.krb5.Config.getKDCList(Config.java:1248)
    ... 41 more
```

k-wall commented 1 month ago

Hello, I'm not a Kerberos user myself, but I'm aware of the integration test

https://github.com/ozangunalp/kafka-native/blob/09430d6cb644968093a1594ba188abfa1561e155/kafka-native-test-container/src/test/java/com/ozangunalp/kafka/test/container/KafkaNativeContainerIT.java#L246

Does that help you?

zhangkangwulu commented 3 weeks ago

@k-wall Thank you very much for your reminder. The key to the problem has been found. The permitted_enctypes specified during the native compilation process caused a difference from our Kerberos configuration. I would also like to ask if it is possible to remove the permitted_enctypes specified during the compilation? The following is the compilation log.

```
Java config name: null
Native config name: /etc/krb5.conf
Loading config file from /etc/krb5.conf
Loading krb5 profile at /etc/krb5.conf
Loading krb5 profile at /etc/krb5.conf.d/crypto-policies
libdefaults = {
    permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
}
logging = {
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
}
libdefaults = {
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    default_ccache_name = KEYRING:persistent:%{uid}
}
```
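As an added check, not code from the issue thread or from the kafka-native project: the compile log above shows the build host's /etc/krb5.conf, and /etc/krb5.conf.d/crypto-policies through its includedir, being read during native compilation, so the permitted_enctypes the image carries are whatever that host had at build time. The POSIX sh script below pulls every permitted_enctypes definition out of a krb5.conf (following include and includedir one level deep) and lists the enctypes a runtime host permits that the build-time config never mentioned. The two sample configs, the EXAMPLE.COM realm and the legacy arcfour-hmac-md5 entry are constructed for the demo and are not taken from the reporter's environment.

```shell
#!/bin/sh
# Added example, not code from the kafka-native project. Collects the
# permitted_enctypes declared in a krb5.conf and in every file pulled in by
# its `include` / `includedir` directives, tagging each with its origin, so
# the policy a native build snapshotted can be diffed against the policy of
# the runtime host. All paths and realms below are constructed for the demo.
set -eu

# krb5_enctypes FILE
#   Prints "<file><TAB><enctype>" for every permitted_enctypes relation in
#   the [libdefaults] section of FILE and of the files it includes (one level
#   deep, which is how /etc/krb5.conf.d/crypto-policies is normally wired in).
#   Each definition is reported separately; which one a given parser lets win
#   when the relation appears twice is not decided here.
krb5_enctypes() {
    _files=$1
    while read -r _kw _arg || [ -n "$_kw" ]; do
        if [ "$_kw" = include ] && [ -f "$_arg" ]; then
            _files="$_files $_arg"
        elif [ "$_kw" = includedir ] && [ -d "$_arg" ]; then
            for _f in "$_arg"/*; do
                if [ -f "$_f" ]; then _files="$_files $_f"; fi
            done
        fi
    done <"$1"
    for _f in $_files; do
        awk -v src="$_f" '
            /^[[:space:]]*[#;]/ { next }            # comment line
            /^[[:space:]]*\[/   { sect = $1; next } # [section] header
            sect == "[libdefaults]" &&
            $0 ~ /^[[:space:]]*permitted_enctypes[[:space:]]*=/ {
                sub(/^[[:space:]]*permitted_enctypes[[:space:]]*=[[:space:]]*/, "")
                n = split($0, e, /[[:space:]]+/)
                for (i = 1; i <= n; i++) if (e[i] != "") print src "\t" e[i]
            }' "$_f"
    done
}

# enctypes_missing BUILD_CONF RUNTIME_CONF
#   Prints the enctypes permitted by RUNTIME_CONF that BUILD_CONF never lists.
#   A non-empty result means the runtime host and the build-time snapshot
#   disagree, which is the kind of mismatch this issue ran into.
enctypes_missing() {
    _build=" $(krb5_enctypes "$1" | cut -f2 | sort -u | tr '\n' ' ') "
    krb5_enctypes "$2" | cut -f2 | sort -u | while read -r _e; do
        case "$_build" in
            *" $_e "*) ;;
            *) echo "$_e" ;;
        esac
    done
}

# make_sample
#   Writes a constructed pair of configs under a temp dir and prints its path:
#   build/   mimics the build host seen in the log above (policy pulled in via
#            includedir from a crypto-policies file),
#   runtime/ a host that still permits a legacy enctype.
make_sample() {
    _d=$(mktemp -d)
    mkdir -p "$_d/build/krb5.conf.d" "$_d/runtime"
    cat >"$_d/build/krb5.conf" <<EOF
includedir $_d/build/krb5.conf.d
[libdefaults]
    dns_lookup_realm = false
    default_realm = EXAMPLE.COM
EOF
    cat >"$_d/build/krb5.conf.d/crypto-policies" <<'EOF'
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
EOF
    cat >"$_d/runtime/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
EOF
    echo "$_d"
}

# `sh krb5_enctypes.sh demo` runs the comparison on the constructed pair;
# otherwise only the functions are defined so the file can be sourced.
if [ "${1-}" = demo ]; then
    d=$(make_sample)
    enctypes_missing "$d/build/krb5.conf" "$d/runtime/krb5.conf"
    rm -rf "$d"
fi
```

Saved as, say, krb5_enctypes.sh, the script can be sourced and `enctypes_missing /path/to/build-host/krb5.conf /etc/krb5.conf` run against real files, with the build host's krb5.conf and krb5.conf.d copied alongside it. It only reports what each file declares; because the build-time copy is fixed inside the image, the practical fix is to align the two policies before building rather than to edit the runtime host afterwards.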