redpanda-data / kminion

KMinion is a feature-rich Prometheus exporter for Apache Kafka written in Go. It is lightweight and highly configurable so that it will meet your requirements.
MIT License

Disable FAST negotiation Kerberos #111

Closed bad3bs closed 3 years ago

bad3bs commented 3 years ago

KRBMessage_Handling_Error: KDC did not respond appropriately to FAST negotiation

twmb commented 3 years ago

This might be a bug with the franz-go client's kerberos implementation.

Do you want to just generally disable FAST negotiation entirely, or would you like to get it working? I may need your help debugging this in the franz-go client.

bad3bs commented 3 years ago

It would be great to add an option to turn it on/off.

weeco commented 3 years ago

@bad3bs I just committed a fix that allows you to configure FAST. It is enabled by default. See the new reference config: https://github.com/cloudhut/kminion/blob/30f84f50ebba412cf4194444f8e82f907a801d0d/docs/reference-config.yaml#L54

Would be nice to hear from you whether this fixes your issue.

bad3bs commented 3 years ago

Yes, this problem is fixed, but there is no way to set SASL_PLAINTEXT.

twmb commented 3 years ago

What do you mean set SASL_PLAINTEXT? That's independent from kerberos? SASL_PLAINTEXT basically means speaking over a normal tcp connection (no tls), and using SASL. That's currently the example in the reference config, actually.

bad3bs commented 3 years ago

In Kafka server config: properties.setProperty("security.protocol", "SASL_PLAINTEXT");

and encryption rc4-hmac

Receive:

{"level":"error","ts":"2021-09-03T04:06:35.259Z","logger":"main.kgo_client","msg":"unable to initialize sasl","broker":"seed 0","err":"wrong Token ID. Expected 0504, was 6030"}

{"level":"error","ts":"2021-09-03T04:06:35.373Z","logger":"main.kgo_client","msg":"unable to initialize sasl","broker":"seed 0","err":"wrong Token ID. Expected 0504, was 6030"}

twmb commented 3 years ago

This might be a bug in the franz-go client, and if so I'll definitely need your help to look into it. If you're up to it let me know. There's been only two users of kerberos in two years of the client, you're the second.

twmb commented 3 years ago

Looks like there is a similar discussion on the Sarama repo: https://github.com/Shopify/sarama/issues/1400 https://github.com/Shopify/sarama/pull/1366#issuecomment-521775698

The encryption type rc4-hmac is apparently not supported. Can you follow the linked comment in issue 1366?
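
The following Go example is added here and is not code from the thread, KMinion or franz-go. It classifies the leading bytes of a GSS-API token to show why a client expecting the RFC 4121 Wrap token ID 05 04 rejects a token beginning 60 30: 0x60 opens the RFC 2743 framing used by the RFC 1964 token format, which RFC 4757 specifies for rc4-hmac. The names `classifyToken`, `krb5OID` and `framedIDs` and the sample bytes after 60 30 are assumptions, since the error shows only the first two bytes.

```go
package main

import (
	"bytes"
	"fmt"
)

// DER encoding of the Kerberos 5 GSS-API mechanism OID 1.2.840.113554.1.2.2.
var krb5OID = []byte{0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02}

// Inner token IDs that follow the mechanism OID in an RFC 2743 framed token.
var framedIDs = map[[2]byte]string{
	{0x01, 0x00}: "framed AP-REQ (context establishment)",
	{0x02, 0x00}: "framed AP-REP (context establishment)",
	{0x01, 0x01}: "RFC 1964 MIC token",
	{0x02, 0x01}: "RFC 1964 Wrap token",
}

// classifyToken (hypothetical helper) names the GSS-API framing a buffer starts with.
func classifyToken(tok []byte) string {
	if len(tok) < 2 {
		return "too short"
	}
	switch {
	case tok[0] == 0x05 && tok[1] == 0x04:
		return "RFC 4121 Wrap token"
	case tok[0] == 0x04 && tok[1] == 0x04:
		return "RFC 4121 MIC token"
	case tok[0] != 0x60:
		return "unknown"
	}
	off := 2 // skip the 0x60 tag and a short-form DER length byte
	if tok[1]&0x80 != 0 {
		off += int(tok[1] & 0x7f) // long form: low bits count the length bytes
	}
	end := off + len(krb5OID)
	if len(tok) < end+2 || !bytes.Equal(tok[off:end], krb5OID) {
		return "framed token, not Kerberos 5 or truncated"
	}
	if name, ok := framedIDs[[2]byte{tok[end], tok[end+1]}]; ok {
		return name
	}
	return "framed Kerberos 5 token, unknown inner ID"
}

func main() {
	// Constructed sample: 60 30 as in the error, then the OID and an assumed inner ID.
	sample := append([]byte{0x60, 0x30}, append(append([]byte{}, krb5OID...), 0x02, 0x01)...)
	fmt.Println(classifyToken(sample))
}
```
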

bad3bs commented 3 years ago

Oh yes, I wanted to write the same links. :)

twmb commented 3 years ago

If you're able to modify things, please let me know if kerberos works -- it'd be great to know if it actually does :sweat_smile:

bad3bs commented 3 years ago

I suppose everything will work fine without rc4-hmac, but unfortunately I can't change the kafka settings. :)