Github user nickwallen commented on the issue:

    https://github.com/apache/incubator-metron/pull/507
  
    I went through your instructions and all seemed well with the world.  But 
then I tried to use the `kafka-console-producer` to actually write data to 
Kafka and it fails.  Any ideas what the problem might be?
    
    ```
    [metron@node1 ~]$ kinit -kt /etc/security/keytabs/metron.headless.keytab met...@example.com
    [metron@node1 ~]$ echo "foo" | kafka-console-producer.sh --broker-list node1:6667 --topic yaf --security-protocol SASL_PLAINTEXT
    [2017-04-07 16:29:00,639] WARN The TGT cannot be renewed beyond the next expiry date: Sat Apr 08 16:28:58 UTC 2017.This process will not be able to authenticate new SASL connections after that time (for example, it will not be able to authenticate a new connection with a Kafka Broker).  Ask your system administrator to either increase the 'renew until' time by doing : 'modprinc -maxrenewlife null ' within kadmin, or instead, to generate a keytab for null. Because the TGT's expiry cannot be further extended by refreshing, exiting refresh thread now. (org.apache.kafka.common.security.kerberos.KerberosLogin)
    [2017-04-07 16:29:00,897] WARN Error while fetching metadata with correlation id 0 : {yaf=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
    [2017-04-07 16:29:00,897] ERROR Error when sending message to topic yaf with key: null, value: 3 bytes with error: (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback)
    org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [yaf]
    ```
    
    I then tried to go back and check the Kafka ACLs and am now getting an 
error.  I was able to set the ACLs, but now I cannot see them.
    
    ```
    [metron@node1 ~]$ kinit -kt /etc/security/keytabs/metron.headless.keytab met...@example.com
    [metron@node1 ~]$ kafka-acls.sh --list --topic yaf --authorizer-properties zookeeper.connect=${ZOOKEEPER}:2181
    [2017-04-07 16:24:47,794] WARN Could not login: the client is being asked for a password, but the Zookeeper client code does not currently support obtaining a password from the user. Make sure that the client is configured to use a ticket cache (using the JAAS configuration setting 'useTicketCache=true)' and restart the client. If you still get this message after that, the TGT in the ticket cache has expired and must be manually refreshed. To do so, first determine if you are using a password or a keytab. If the former, run kinit in a Unix shell in the environment of the user who is running this Zookeeper client using the command 'kinit <princ>' (where <princ> is the name of the client's Kerberos principal). If the latter, do 'kinit -k -t <keytab> <princ>' (where <princ> is the name of the Kerberos principal, and <keytab> is the location of the keytab file). After manually refreshing your cache, restart this client. If you continue to see this message after manually refreshing your cache, ensure that your KDC host's clock is in sync with this host's clock. (org.apache.zookeeper.client.ZooKeeperSaslClient)
    [2017-04-07 16:24:47,796] WARN SASL configuration failed: javax.security.auth.login.LoginException: No password provided Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
    Error while executing ACL command: Authentication failure
    org.I0Itec.zkclient.exception.ZkAuthFailedException: Authentication failure
        at org.I0Itec.zkclient.ZkClient.waitForKeeperState(ZkClient.java:946)
    
    ```

