Hello team,

I am using the below module to set up a Kafka broker with GSSAPI auth: https://github.com/vdesabou/kafka-docker-playground/tree/master/environment/kerberos

Able to set up, and Kerberos SASL auth works from the client container. But I want to access this Kafka broker from outside (a non-host machine); I tried the below approach.

Added the below in docker compose:
KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: SASL_PLAINTEXT:SASL_PLAINTEXT,EXTERNAL:SASL_PLAINTEXT
KAFKA_ADVERTISED_LISTENERS: SASL_PLAINTEXT://broker.kerberos-demo.local:9092,EXTERNAL://10.0.1.207:29092
KAFKA_LISTENERS: SASL_PLAINTEXT://:9092,EXTERNAL://:29092

And copied kafka-client.key from the 'client' container and used that to connect from outside, but getting the below error. Also copied krb5.conf to /etc and, as the KDC is not accessible from outside, made an entry in the hosts file with the IP of the KDC container (I tried this as a temporary solution to allow the KDC server from at least the local host machine).

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.apache.kafka.common.security.kerberos.KerberosError (file:/home/ubuntu/kafka-docker-for-nifi-integration/kafka_install/kafka_2.11-2.4.0/libs/kafka-clients-2.4.0.jar) to method sun.security.krb5.KrbException.returnCode()
WARNING: Please consider reporting this to the maintainers of org.apache.kafka.common.security.kerberos.KerberosError
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
[2021-07-15 13:36:56,993] ERROR [Producer clientId=console-producer] Connection to node -1 (ip-10-0-1-207.ec2.internal/10.0.1.207:29092) failed authentication due to: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)]) occurred when evaluating SASL token received from the Kafka Broker. This may be caused by Java's being unable to resolve the Kafka Broker's hostname correctly. You may want to try to adding '-Dsun.net.spi.nameservice.provider.1=dns,sun' to your client's JVMFLAGS environment. Users must configure FQDN of kafka brokers when authenticating using SASL and socketChannel.socket().getInetAddress().getHostName() must match the hostname in principal/hostname@realm Kafka Client will go to AUTHENTICATION_FAILED state. (org.apache.kafka.clients.NetworkClient)
[2021-07-15 13:36:59,375] WARN [Principal=null]: TGT renewal thread has been interrupted and will exit. (org.apache.kafka.common.security.kerberos.KerberosLogin)

What is the right way to expose the Kafka broker to a different machine outside the host machine?

Thanks
Mahendra
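The error line itself states the rule: the client builds the broker's service principal from the hostname it gets for the connection, so an advertised IP literal is checked against whatever reverse DNS returns for that IP (here ip-10-0-1-207.ec2.internal) rather than broker.kerberos-demo.local, and the KDC answers LOOKING_UP_SERVER. The following lint is an added example, not code from the post or from the kafka-docker-playground repository; it applies that rule to the KAFKA_ADVERTISED_LISTENERS value above, and the realm EXAMPLE.COM, the keytab principal set, and the service name kafka are assumptions standing in for values the post does not give.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Finding:
    listener: str
    host: str
    expected_spn: str  # service principal a GSSAPI client will request from the KDC
    ok: bool
    reason: str

def parse_listeners(value):
    """Split 'NAME://host:port,...' (KAFKA_ADVERTISED_LISTENERS syntax) into tuples."""
    out = []
    for item in value.split(","):
        name, rest = item.strip().split("://", 1)
        host, port = rest.rsplit(":", 1)
        out.append((name, host, int(port)))
    return out

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_advertised_listeners(value, service_name, realm, keytab_principals, reverse_dns):
    """reverse_dns stands in for the client's PTR lookup (getHostName) of an IP literal."""
    findings = []
    for name, host, _port in parse_listeners(value):
        if is_ip_literal(host):
            spn_host = reverse_dns.get(host, host)  # unresolvable IPs stay as the bare IP
            reason = f"IP literal; client resolves it to {spn_host!r}"
        else:
            spn_host = host
            reason = "hostname used as-is"
        spn = f"{service_name}/{spn_host}@{realm}"
        ok = spn in keytab_principals
        if not ok:
            reason += f"; {spn} is not a broker keytab principal (KDC answers LOOKING_UP_SERVER)"
        findings.append(Finding(name, host, spn, ok, reason))
    return findings

# Constructed sample: the post's advertised listeners, an assumed realm and keytab (placeholders,
# the real values are not in the post), and the reverse-DNS answer the error log shows for 10.0.1.207.
SAMPLE_LISTENERS = "SASL_PLAINTEXT://broker.kerberos-demo.local:9092,EXTERNAL://10.0.1.207:29092"
ASSUMED_REALM = "EXAMPLE.COM"
ASSUMED_KEYTAB = {f"kafka/broker.kerberos-demo.local@{ASSUMED_REALM}"}
SAMPLE_REVERSE_DNS = {"10.0.1.207": "ip-10-0-1-207.ec2.internal"}
```

To check a real deployment, pass the broker's KAFKA_ADVERTISED_LISTENERS value and the principals listed by `klist -k` on the broker keytab; a listener only passes when every external client resolves its advertised host to a name that is in that list.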