[ https://issues.apache.org/jira/browse/KAFKA-13055?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alexey Kashavkin updated KAFKA-13055:
-------------------------------------
    Description:
I think that this isn't a bug, but I don't know what type to choose for this issue.

I'm setting up Kafka security with multiple listeners. The listener for brokers works as plaintext and I don't want to use authentication for them. My cluster has this configuration:
{code:bash}
listeners=BROKERS://:9091,CLIENTS://:9092,CLIENTS-NOSSL://:9093
inter.broker.listener.name=BROKERS
sasl.enabled.mechanisms=SCRAM-SHA-256
listener.security.protocol.map=BROKERS:PLAINTEXT,CLIENTS:SASL_SSL,CLIENTS-NOSSL:SASL_PLAINTEXT
{code}
For clients, I want to use SCRAM, and only for them (not for brokers). But when I start the broker, I see the following message in the log:
{code:bash}
ERROR [KafkaServer id=0] Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
java.lang.IllegalArgumentException: Could not find a 'KafkaServer' or 'clients.KafkaServer' entry in the JAAS configuration. System property 'java.security.auth.login.config' is not set
{code}
Why is this configuration so necessary, if I don't use authentication for brokers and the SCRAM mechanism stores credentials in ZooKeeper? Which user do I need to add to {{sasl.jaas.config}}? I have created users who perform operations as consumers and producers. I didn't create any admin users because I don't need them. I didn't find any more detailed information in the [docs|http://kafka.apache.org/documentation/#security] about why this is so necessary.

As an experiment:
{code:bash}
listener.name.clients.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
    username="alice" \
    password="alice-secret";
--
listener.name.clients-nossl.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
    username="alice" \
    password="alice-secret";
{code}
I specified user alice in {{sasl.jaas.config}}, but I didn't create this user and Kafka starts correctly. What is the logic of this?

  was:
I'm setting up Kafka security with multiple listeners. The listener for brokers works as plaintext and I don't want to use authentication for them. My cluster has this configuration:
{code:bash}
listeners=BROKERS://:9091,CLIENTS://:9092,CLIENTS-NOSSL://:9093
inter.broker.listener.name=BROKERS
sasl.enabled.mechanisms=SCRAM-SHA-256
listener.security.protocol.map=BROKERS:PLAINTEXT,CLIENTS:SASL_SSL,CLIENTS-NOSSL:SASL_PLAINTEXT
{code}
For clients, I want to use SCRAM, and only for them (not for brokers). But when I start the broker, I see the following message in the log:
{code:bash}
ERROR [KafkaServer id=0] Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
java.lang.IllegalArgumentException: Could not find a 'KafkaServer' or 'clients.KafkaServer' entry in the JAAS configuration. System property 'java.security.auth.login.config' is not set
{code}
Why is this configuration so necessary, if I don't use authentication for brokers and the SCRAM mechanism stores credentials in ZooKeeper? Which user do I need to add to {{sasl.jaas.config}}? I have created users who perform operations as consumers and producers. I didn't create any admin users because I don't need them. I didn't find any more detailed information in the [docs|http://kafka.apache.org/documentation/#security] about why this is so necessary.

> Security without JAAS configuration
> -----------------------------------
>
>                 Key: KAFKA-13055
>                 URL: https://issues.apache.org/jira/browse/KAFKA-13055
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.8.0
>            Reporter: Alexey Kashavkin
>            Priority: Major
>
> I think that this isn't a bug, but I don't know what type to choose for this issue.
>
> I'm setting up Kafka security with multiple listeners. The listener for brokers works as plaintext and I don't want to use authentication for them. My cluster has this configuration:
> {code:bash}
> listeners=BROKERS://:9091,CLIENTS://:9092,CLIENTS-NOSSL://:9093
> inter.broker.listener.name=BROKERS
> sasl.enabled.mechanisms=SCRAM-SHA-256
> listener.security.protocol.map=BROKERS:PLAINTEXT,CLIENTS:SASL_SSL,CLIENTS-NOSSL:SASL_PLAINTEXT
> {code}
> For clients, I want to use SCRAM, and only for them (not for brokers). But when I start the broker, I see the following message in the log:
> {code:bash}
> ERROR [KafkaServer id=0] Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
> java.lang.IllegalArgumentException: Could not find a 'KafkaServer' or 'clients.KafkaServer' entry in the JAAS configuration. System property 'java.security.auth.login.config' is not set
> {code}
> Why is this configuration so necessary, if I don't use authentication for brokers and the SCRAM mechanism stores credentials in ZooKeeper? Which user do I need to add to {{sasl.jaas.config}}? I have created users who perform operations as consumers and producers. I didn't create any admin users because I don't need them. I didn't find any more detailed information in the [docs|http://kafka.apache.org/documentation/#security] about why this is so necessary.
>
> As an experiment:
> {code:bash}
> listener.name.clients.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
>     username="alice" \
>     password="alice-secret";
> --
> listener.name.clients-nossl.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
>     username="alice" \
>     password="alice-secret";
> {code}
> I specified user alice in {{sasl.jaas.config}}, but I didn't create this user and Kafka starts correctly. What is the logic of this?

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
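
The startup failure reported in this issue can be caught before a restart by linting the broker properties. The following is an added example, not part of the original report or of Kafka's code: `parse_properties` and `missing_jaas` are hypothetical helpers, and the sample text is the reporter's configuration and experiment from the issue. A listener it reports has no inline `listener.name.<listener>.<mechanism>.sasl.jaas.config` entry, so the broker falls back to the static JAAS file lookup that failed in the reporter's log.

```python
SASL_PROTOCOLS = {"SASL_PLAINTEXT", "SASL_SSL"}
def parse_properties(text):
    """Simplified .properties parser that joins backslash-continued lines."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith(("#", "!"))):
            continue
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props

def missing_jaas(props):
    """Map each SASL listener to the inline JAAS keys it lacks."""
    enabled = props.get("sasl.enabled.mechanisms", "GSSAPI")  # Kafka default
    mechanisms = [m.strip().lower() for m in enabled.split(",") if m.strip()]
    findings = {}
    for entry in props.get("listener.security.protocol.map", "").split(","):
        name, _, protocol = (part.strip() for part in entry.partition(":"))
        if protocol.upper() not in SASL_PROTOCOLS:
            continue  # PLAINTEXT and SSL listeners need no JAAS login context
        prefix = f"listener.name.{name.lower()}"
        keys = [f"{prefix}.{m}.sasl.jaas.config" for m in mechanisms]
        absent = [k for k in keys if k not in props]
        if absent:
            findings[name] = absent
    return findings

# Sample input taken from the issue text: the config, then the experiment.
PAGE_CONFIG = r"""
listeners=BROKERS://:9091,CLIENTS://:9092,CLIENTS-NOSSL://:9093
inter.broker.listener.name=BROKERS
sasl.enabled.mechanisms=SCRAM-SHA-256
listener.security.protocol.map=BROKERS:PLAINTEXT,CLIENTS:SASL_SSL,CLIENTS-NOSSL:SASL_PLAINTEXT
"""
EXPERIMENT = r"""
listener.name.clients.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
    username="alice" \
    password="alice-secret";
listener.name.clients-nossl.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
    username="alice" \
    password="alice-secret";
"""
if __name__ == "__main__":
    print(missing_jaas(parse_properties(PAGE_CONFIG)))
```
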