Kafka with kerberos not working. giving error .. org.apache.kafka.common.errors.SaslAuthenticationException: Failed to create SaslClient with mechanism GSSAPI #19380
Describe the bug
Trying to connect to kafka using kerberos with settings below:
kafka.ssl.truststore.location=/work/truststore.jks
kafka.ssl.truststore.password=xxxxx
kafka.ssl.endpoint.identification.algorithm=https
kafka.sasl.mechanism=GSSAPI
kafka.security.protocol=SASL_SSL
kafka.sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true doNotPrompt=true keyTab="file:/work/sample.keytab" storeKey=true useTicketCache=false debug=true principal="user@user.com";
kafka.sasl.kerberos.service.name=kafka
mp.messaging.incoming.events.connector=smallrye-kafka
mp.messaging.incoming.events.topic=testtopic
mp.messaging.incoming.events.group.id=eviq5555-test
mp.messaging.incoming.events.client.id=eviq-test
mp.messaging.incoming.events.key.deserializer=org.apache.kafka.common.serialization.StringDeserializer
mp.messaging.incoming.events.value.deserializer=org.apache.kafka.common.serialization.StringDeserializer
mp.messaging.incoming.events.enable.auto.commit=false
mp.messaging.incoming.events.auto.offset.reset=earliest
quarkus.ssl.native=true
quarkus.native.additional-build-args=--initialize-at-run-time=org.apache.kafka.common.security.kerberos.KerberosLogin, -J-Djava.security.krb5.conf=/etc/krb5.conf, -J-Djava.security.krb5.realm=xxx, -J-Djava.security.krb5.kdc=xxxx, -J-Djavax.net.ssl.trustStore=/work/truststore.jks,-J-Djavax.net.ssl.trustStorePassword=xxx
quarkus.native.enable-all-security-services=true
Expected behavior
The app is connecting in jvm mode so I expect it to connect in native mode.
Actual behavior
Instead of successful connection, I am getting following error below
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /work/D_HUB.keytab refreshKrb5Config is false principal is SI_xxx tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal is SI_xxxx
Will use keytab
Commit Succeeded .
2021-08-12 18:40:26,866 INFO [org.apa.kaf.com.sec.aut.AbstractLogin] (main) Successfully logged in.
2021-08-12 18:40:26,867 DEBUG [org.apa.kaf.com.sec.ssl.DefaultSslEngineFactory] (main) Created SSL context with keystore null, truststore SecurityStore(path=/work/truststore.jks, modificationTime=Thu Aug 12 18:38:16 GMT 2021), provider SunJSSE.
2021-08-12 18:40:26,868 DEBUG [org.apa.kaf.cli.con.KafkaConsumer] (main) [Consumer clientId=test, groupId=test] Kafka consumer initialized
Failed to create channel due to : org.apache.kafka.common.errors.SaslAuthenticationException: Failed to configure SaslClientAuthenticator
Caused by: org.apache.kafka.common.errors.SaslAuthenticationException: Failed to create SaslClient with mechanism GSSAPI
Caused by: javax.security.sasl.SaslException: Failure to initialize security context [Caused by GSSException: sun.security.jgss.krb5.Krb5MechFactory configured by SunJGSS for GSS-API Mechanism Factory cannot be created]
at com.sun.security.sasl.gsskerb.GssKrb5Client.<init>(GssKrb5Client.java:160)
at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslClient(FactoryImpl.java:63)
at javax.security.sasl.Sasl.createSaslClient(Sasl.java:433)
at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.lambda$createSaslClient$0(SaslClientAuthenticator.java:219)
Caused by: GSSException: sun.security.jgss.krb5.Krb5MechFactory configured by SunJGSS for GSS-API Mechanism Factory cannot be created
at sun.security.jgss.ProviderList.createGSSException(ProviderList.java:334)
at sun.security.jgss.ProviderList.getMechFactoryImpl(ProviderList.java:313)
at sun.security.jgss.ProviderList.getMechFactory(ProviderList.java:242)
at sun.security.jgss.ProviderList.getMechFactory(ProviderList.java:200)
at sun.security.jgss.ProviderList.getMechFactory(ProviderList.java:171)
at sun.security.jgss.GSSManagerImpl.getNameElement(GSSManagerImpl.java:196)
at sun.security.jgss.GSSNameImpl.getElement(GSSNameImpl.java:478)
at sun.security.jgss.GSSNameImpl.init(GSSNameImpl.java:201)
at sun.security.jgss.GSSNameImpl.<init>(GSSNameImpl.java:170)
at sun.security.jgss.GSSManagerImpl.createName(GSSManagerImpl.java:132)
at com.sun.security.sasl.gsskerb.GssKrb5Client.<init>(GssKrb5Client.java:108)
... 38 more
Caused by: java.lang.ClassNotFoundException: sun.security.jgss.krb5.Krb5MechFactory
at com.oracle.svm.core.hub.ClassForNameSupport.forName(ClassForNameSupport.java:64)
at java.lang.ClassLoader.loadClass(ClassLoader.java:290)
at sun.security.jgss.ProviderList.getMechFactoryImpl(ProviderList.java:293)
... 47 more
How to Reproduce?
No response
Output of uname -a or ver
No response
Output of java -version
11
GraalVM version (if different from Java)
No response
Quarkus version or git rev
2.0.2.Final
Build tool (ie. output of mvnw --version or gradlew --version)
No response
Additional information
I used mvn package -Pnative with options
-Dquarkus.native.container-build=true -Dquarkus.container-image.build=false -Dquarkus.native.builder-image=quay.io/quarkus/ubi-quarkus-mandrel:21.1-java11
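
The report leaves "How to Reproduce?" empty, so the following is an added probe, not code from the reporter or from Quarkus, that isolates the failing step without Kafka, a keytab or a KDC: it performs the GSSManager.createName call seen in the trace and checks the cause chain for the ClassNotFoundException. The class name Krb5MechProbe and the default service name kafka@broker.example.com are hypothetical, and it is an assumption that a native build of the probe behaves like the reporter's application.

```java
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/** Added diagnostic probe; class name and default service name are hypothetical. */
public class Krb5MechProbe {
    // Kerberos V5 GSS-API mechanism OID.
    static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";

    /** Returns the first ClassNotFoundException in the cause chain, or null. */
    static ClassNotFoundException findMissingClass(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof ClassNotFoundException) {
                return (ClassNotFoundException) c;
            }
        }
        return null;
    }

    /** 0 = name created, 2 = mechanism factory class missing, 1 = other GSS failure. */
    static int probe(String service) {
        try {
            Oid krb5 = new Oid(KRB5_MECH_OID);
            // Mirrors the createName step in the trace: a host-based service
            // name bound to the Kerberos mechanism, which forces the provider
            // list to load the mechanism factory class by name.
            GSSName name = GSSManager.getInstance()
                    .createName(service, GSSName.NT_HOSTBASED_SERVICE, krb5);
            System.out.println("Kerberos mechanism factory loaded, name = " + name);
            return 0;
        } catch (GSSException e) {
            ClassNotFoundException missing = findMissingClass(e);
            if (missing != null) {
                System.err.println("Mechanism factory class not loadable: " + missing.getMessage());
                return 2;
            }
            // For example, no default realm configured; not a class-loading problem.
            System.err.println("GSS failure unrelated to class loading: " + e.getMessage());
            return 1;
        }
    }

    public static void main(String[] args) {
        String service = args.length > 0 ? args[0] : "kafka@broker.example.com";
        System.exit(probe(service));
    }
}
```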