vdesabou / kafka-docker-playground

🐳✨ Fully automated Apache Kafka® and Confluent Docker based examples // 👷‍♂️ Easily build examples or reproduction models
https://kafka-docker-playground.io
MIT License

Accessing kerberised kafka from outside of host machine #1186

Closed hegdemahendra closed 3 years ago

hegdemahendra commented 3 years ago

Hello team,

I am using the module below to set up a Kafka broker with GSSAPI auth: https://github.com/vdesabou/kafka-docker-playground/tree/master/environment/kerberos

I was able to set it up, and Kerberos SASL auth works from the client container. But I want to access this Kafka broker from outside (a non-host machine), so I tried the approach below.

I added the following in docker-compose:

```yaml
KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: SASL_PLAINTEXT:SASL_PLAINTEXT,EXTERNAL:SASL_PLAINTEXT
KAFKA_ADVERTISED_LISTENERS: SASL_PLAINTEXT://broker.kerberos-demo.local:9092,EXTERNAL://10.0.1.207:29092
KAFKA_LISTENERS: SASL_PLAINTEXT://:9092,EXTERNAL://:29092
```

I also copied kafka-client.key from the 'client' container and used that to connect from outside, but I am getting the error below. I also copied krb5.conf to /etc and, as the KDC is not accessible from outside, made an entry in the hosts file with the IP of the KDC container (I tried this as a temporary solution to allow at least the local host machine to reach the KDC server).

```
/home/ubuntu/kafka-docker-for-nifi-integration/kafka_install/kafka_2.11-2.4.0/bin/kafka-console-producer.sh --broker-list 10.0.1.207:29092 --topic kafka-nifi-sasl_gssapi_plaintext --producer.config producer_kt.properties
```

```
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.apache.kafka.common.security.kerberos.KerberosError (file:/home/ubuntu/kafka-docker-for-nifi-integration/kafka_install/kafka_2.11-2.4.0/libs/kafka-clients-2.4.0.jar) to method sun.security.krb5.KrbException.returnCode()
WARNING: Please consider reporting this to the maintainers of org.apache.kafka.common.security.kerberos.KerberosError
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
[2021-07-15 13:36:56,993] ERROR [Producer clientId=console-producer] Connection to node -1 (ip-10-0-1-207.ec2.internal/10.0.1.207:29092) failed authentication due to: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)]) occurred when evaluating SASL token received from the Kafka Broker. This may be caused by Java's being unable to resolve the Kafka Broker's hostname correctly. You may want to try to adding '-Dsun.net.spi.nameservice.provider.1=dns,sun' to your client's JVMFLAGS environment. Users must configure FQDN of kafka brokers when authenticating using SASL and socketChannel.socket().getInetAddress().getHostName() must match the hostname in principal/hostname@realm Kafka Client will go to AUTHENTICATION_FAILED state. (org.apache.kafka.clients.NetworkClient)
[2021-07-15 13:36:59,375] WARN [Principal=null]: TGT renewal thread has been interrupted and will exit. (org.apache.kafka.common.security.kerberos.KerberosLogin)
```

What is the right way to expose a Kafka broker to a different machine outside the host machine?

Thanks,
Mahendra
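The client error quoted in the post above spells out the rule GSSAPI enforces: the hostname the client resolves for the broker must match the host part of the broker's service principal (`service/hostname@REALM`), and advertising a listener by raw IP leaves that match to reverse DNS. The following is an added example, not code from the kafka-docker-playground repository or from the issue author. It parses the two compose settings shown in the post and reports, for each SASL listener, the principal the client will ask the KDC for and whether the advertised host is an FQDN. The realm `EXAMPLE.COM` and the service name `kafka` are assumptions (the issue does not show the realm; `kafka` is the client library's default `sasl.kerberos.service.name`), and the parser assumes IPv4 or hostname addresses, not bracketed IPv6.

```python
"""Check whether SASL listeners are advertised in a form a Kerberos client can match.

Added example; the sample configuration values below are constructed after the
compose settings quoted in the issue. Realm and service name are assumptions.
"""
import ipaddress

LISTENER_MAP = "SASL_PLAINTEXT:SASL_PLAINTEXT,EXTERNAL:SASL_PLAINTEXT"
ADVERTISED_LISTENERS = (
    "SASL_PLAINTEXT://broker.kerberos-demo.local:9092,"
    "EXTERNAL://10.0.1.207:29092"
)
REALM = "EXAMPLE.COM"   # assumed realm; the issue does not show the real one
SERVICE_NAME = "kafka"  # assumed; Kafka's default sasl.kerberos.service.name


def parse_listener_map(value):
    """'NAME:PROTOCOL,...' -> {NAME: PROTOCOL} (KAFKA_LISTENER_SECURITY_PROTOCOL_MAP)."""
    mapping = {}
    for item in filter(None, value.split(",")):
        name, _, protocol = item.partition(":")
        mapping[name.strip()] = protocol.strip()
    return mapping


def parse_listeners(value):
    """'NAME://host:port,...' -> [(NAME, host, port)] (KAFKA_ADVERTISED_LISTENERS).

    Assumes IPv4 literals or hostnames; bracketed IPv6 is not handled.
    """
    listeners = []
    for item in filter(None, value.split(",")):
        name, _, hostport = item.strip().partition("://")
        host, _, port = hostport.rpartition(":")
        listeners.append((name, host, int(port)))
    return listeners


def is_ip_literal(host):
    """True when the advertised host is an IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def check_sasl_listeners(listener_map, advertised, realm, service=SERVICE_NAME):
    """Return one finding per SASL listener.

    The client must resolve the broker to a hostname equal to the host part of
    service/hostname@REALM. An IP literal forces a reverse lookup, and whatever
    name comes back (if any) is what has to exist in the KDC; a short name only
    works if the KDC principal was created with that same short name.
    """
    protocols = parse_listener_map(listener_map)
    findings = []
    for name, host, port in parse_listeners(advertised):
        protocol = protocols.get(name, name)
        if not protocol.startswith("SASL"):
            continue  # PLAINTEXT/SSL listeners carry no Kerberos principal
        if is_ip_literal(host):
            ok = False
            reason = "advertised as IP literal; client reverse-resolves it and the result must match a KDC principal"
        elif "." not in host:
            ok = False
            reason = "short hostname; advertise the FQDN used in the service principal"
        else:
            ok = True
            reason = "FQDN advertised; confirm this exact principal is in the broker keytab"
        findings.append({
            "listener": name,
            "protocol": protocol,
            "advertised": f"{host}:{port}",
            "expected_principal": f"{service}/{host}@{realm}",
            "ok": ok,
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in check_sasl_listeners(LISTENER_MAP, ADVERTISED_LISTENERS, REALM):
        status = "OK  " if f["ok"] else "FAIL"
        print(f"{status} {f['listener']:<14} {f['advertised']:<34} "
              f"{f['expected_principal']}  {f['reason']}")
```

Run against the constructed values, the internal `SASL_PLAINTEXT` listener passes (the client will look for `kafka/broker.kerberos-demo.local@EXAMPLE.COM`) while the `EXTERNAL` listener fails because it is advertised as `10.0.1.207`, which is exactly the situation in which the client's reverse lookup decides which principal gets requested.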

vdesabou commented 3 years ago

I'm sorry, but this repo is really for use from Docker only, and it's not meant to be used from outside hosts. I can't provide support for that.

hegdemahendra commented 3 years ago

Thanks for the update @vdesabou