[jira] [Commented] (KAFKA-7274) Incorrect subject credential used in inter-broker communication

Thu, 04 Oct 2018 07:24:09 -0700 


    [ 
https://issues.apache.org/jira/browse/KAFKA-7274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16638281#comment-16638281
 ] 

TAO XIAO commented on KAFKA-7274:
---------------------------------

[~rsivaram] should we mention it in the doc?  The example provided in the doc 
gives users an impression that static JAAS config does support multiple login 
modules

 

[http://kafka.apache.org/documentation/#security_sasl_multimechanism]

 

> Incorrect subject credential used in inter-broker communication
> ---------------------------------------------------------------
>
>                 Key: KAFKA-7274
>                 URL: https://issues.apache.org/jira/browse/KAFKA-7274
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 2.0.0
>            Reporter: TAO XIAO
>            Priority: Major
>
> We configured one broker setup to enable multiple SASL mechanisms using JAAS 
> config file but we failed to start up the broker.
>  
> Here is security section of server.properties
>  
> {{listeners=SASL_PLAINTEXT://:9092
> security.inter.broker.protocol=SASL_PLAINTEXT
> sasl.enabled.mechanisms=PLAIN,SCRAM-SHA-256
> sasl.mechanism.inter.broker.protocol=PLAIN}}{{}}
>  
> JAAS file
>  
> {noformat}
> sasl_plaintext.KafkaServer {
>   org.apache.kafka.common.security.plain.PlainLoginModule required
>   username="admin"
>   password="admin-secret"
>   user_admin="admin-secret"
>   user_alice="alice-secret";
>   org.apache.kafka.common.security.scram.ScramLoginModule required
>   username="admin1"
>   password="admin-secret";
> };{noformat}
>  
> Exception we got
>  
> {noformat}
> [2018-08-10 12:12:13,070] ERROR [Controller id=0, targetBrokerId=0] 
> Connection to node 0 failed authentication due to: Authentication failed: 
> Invalid username or password 
> (org.apache.kafka.clients.NetworkClient){noformat}
>  
> If we changed to use broker configuration property we can start broker 
> successfully
>  
> {noformat}
> listeners=SASL_PLAINTEXT://:9092
> security.inter.broker.protocol=SASL_PLAINTEXT
> sasl.enabled.mechanisms=PLAIN,SCRAM-SHA-256
> sasl.mechanism.inter.broker.protocol=PLAIN
> listener.name.sasl_plaintext.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule
>  required username="admin" password="admin-secret" user_admin="admin-secret" 
> user_alice="alice-secret";
> listener.name.sasl_plaintext.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule
>  required username="admin1" password="admin-secret";{noformat}
>  
> I believe this issue is caused by Kafka assigning all login modules to each 
> defined mechanism when using JAAS file which results in Login class to add 
> both username defined in each login module to the same subject
> [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/JaasContext.java#L101]
>  
> [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/authenticator/LoginManager.java#L63]
>  
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to