[ https://issues.apache.org/jira/browse/KAFKA-7274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16641649#comment-16641649 ]

Rajini Sivaram commented on KAFKA-7274:
---------------------------------------

[~xiaotao183] We can configure only one mechanism for inter-broker communication, and none of our built-in mechanisms requires username/password for a mechanism that is not used for inter-broker. So static jaas config as described in the docs for these mechanisms does work. The limitation is only on adding conflicting unused options. Feel free to submit a PR to clarify this in the docs.

Going forward, `sasl.jaas.config` options are actually more flexible for both broker-side and client-side. On the broker-side, these are specified per-mechanism, they can be stored encrypted in ZooKeeper and they work without any conflicts for any mechanism since they can be prefixed with listener and mechanism name.

> Incorrect subject credential used in inter-broker communication
> ---------------------------------------------------------------
>
>                 Key: KAFKA-7274
>                 URL: https://issues.apache.org/jira/browse/KAFKA-7274
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 2.0.0
>            Reporter: TAO XIAO
>            Priority: Major
>
> We configured one broker setup to enable multiple SASL mechanisms using a JAAS
> config file, but we failed to start up the broker.
>
> Here is the security section of server.properties
>
> {noformat}
> listeners=SASL_PLAINTEXT://:9092
> security.inter.broker.protocol=SASL_PLAINTEXT
> sasl.enabled.mechanisms=PLAIN,SCRAM-SHA-256
> sasl.mechanism.inter.broker.protocol=PLAIN{noformat}
>
> JAAS file
>
> {noformat}
> sasl_plaintext.KafkaServer {
>   org.apache.kafka.common.security.plain.PlainLoginModule required
>     username="admin"
>     password="admin-secret"
>     user_admin="admin-secret"
>     user_alice="alice-secret";
>   org.apache.kafka.common.security.scram.ScramLoginModule required
>     username="admin1"
>     password="admin-secret";
> };{noformat}
>
> Exception we got
>
> {noformat}
> [2018-08-10 12:12:13,070] ERROR [Controller id=0, targetBrokerId=0]
> Connection to node 0 failed authentication due to: Authentication failed:
> Invalid username or password
> (org.apache.kafka.clients.NetworkClient){noformat}
>
> If we change to use the broker configuration property, we can start the broker
> successfully
>
> {noformat}
> listeners=SASL_PLAINTEXT://:9092
> security.inter.broker.protocol=SASL_PLAINTEXT
> sasl.enabled.mechanisms=PLAIN,SCRAM-SHA-256
> sasl.mechanism.inter.broker.protocol=PLAIN
> listener.name.sasl_plaintext.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule
> required username="admin" password="admin-secret" user_admin="admin-secret"
> user_alice="alice-secret";
> listener.name.sasl_plaintext.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule
> required username="admin1" password="admin-secret";{noformat}
>
> I believe this issue is caused by Kafka assigning all login modules to each
> defined mechanism when using a JAAS file, which results in the Login class adding
> both usernames defined in each login module to the same subject
> [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/JaasContext.java#L101]
>
> [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/authenticator/LoginManager.java#L63]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
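As an added example (not Kafka project code and not written by anyone in this thread), a small Python checker for the two configuration styles discussed above: it reports the static JAAS file case where more than one login module in the KafkaServer section carries a username, and validates the prefixed `listener.name.<listener>.<mechanism>.sasl.jaas.config` form against the points in the comment (only the inter-broker mechanism needs username/password). The sample configs are copied from the issue; the `GSSAPI` fallback is Kafka's documented default for `sasl.mechanism.inter.broker.protocol`.

```python
import re
# Constructed samples, copied from the two configurations quoted in the issue.
STATIC_JAAS = """sasl_plaintext.KafkaServer {
  org.apache.kafka.common.security.plain.PlainLoginModule required
    username="admin" password="admin-secret" user_admin="admin-secret" user_alice="alice-secret";
  org.apache.kafka.common.security.scram.ScramLoginModule required
    username="admin1" password="admin-secret";
};"""
PROPS = {  # the working per-listener, per-mechanism form
    "listeners": "SASL_PLAINTEXT://:9092",
    "sasl.enabled.mechanisms": "PLAIN,SCRAM-SHA-256",
    "sasl.mechanism.inter.broker.protocol": "PLAIN",
    "listener.name.sasl_plaintext.plain.sasl.jaas.config":
        'org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" '
        'password="admin-secret" user_admin="admin-secret" user_alice="alice-secret";',
    "listener.name.sasl_plaintext.scram-sha-256.sasl.jaas.config":
        'org.apache.kafka.common.security.scram.ScramLoginModule required '
        'username="admin1" password="admin-secret";',
}
# One JAAS entry: <LoginModule class> <control flag> key="value" key="value" ... ;
ENTRY = re.compile(r'([\w.]+)\s+(required|requisite|sufficient|optional)\s*((?:\w+="[^"]*"\s*)*);')

def parse_entries(text):
    """Return [(module, flag, {option: value}), ...] for every login module entry in text."""
    return [(m, f, dict(re.findall(r'(\w+)="([^"]*)"', o))) for m, f, o in ENTRY.findall(text)]

def static_jaas_conflicts(jaas_text):
    """The failure in the issue: every enabled mechanism gets the whole KafkaServer section,
    so each module's username lands in the same Subject. Returns the clashing usernames."""
    names = {o["username"] for _, _, o in parse_entries(jaas_text) if "username" in o}
    return sorted(names) if len(names) > 1 else []

def check_prefixed_config(props):
    """Validate listener.name.<listener>.<mechanism>.sasl.jaas.config for each SASL listener.
    Returns (severity, key, message) tuples; an empty list means the config is clean."""
    findings = []
    inter = props.get("sasl.mechanism.inter.broker.protocol", "GSSAPI").lower()  # Kafka default
    listeners = [ln.split("://")[0].lower() for ln in props["listeners"].split(",")]
    for lst in (ln for ln in listeners if ln.startswith("sasl_")):
        for mech in props["sasl.enabled.mechanisms"].lower().split(","):
            key = f"listener.name.{lst}.{mech}.sasl.jaas.config"
            entries = parse_entries(props.get(key, ""))
            if len(entries) != 1:
                findings.append(("error", key, "expected exactly one login module entry"))
            elif mech == inter and not {"username", "password"}.issubset(entries[0][2]):
                findings.append(("error", key, "inter-broker mechanism needs username/password"))
            elif mech != inter and "username" in entries[0][2]:
                findings.append(("info", key, "username/password unused: not the inter-broker mechanism"))
    return findings
```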