Re: no luck with kafka-connect on secure cluster
ah okay that makes sense. also explains why for a distributed source i actually has to set it twice: security.protocol=SASL_PLAINTEXT producer.security.protocol=SASL_PLAINTEXT if anyone runs into this issue and just wants it to work... this is what is in my configs now: security.protocol=SASL_PLAINTEXT sasl.enabled.mechanisms=GSSAPI sasl.kerberos.service.name=kafka consumer.security.protocol=SASL_PLAINTEXT consumer.sasl.enabled.mechanisms=GSSAPI consumer.sasl.kerberos.service.name=kafka producer.security.protocol=SASL_PLAINTEXT producer.sasl.enabled.mechanisms=GSSAPI producer.sasl.kerberos.service.name=kafka On Sat, Nov 26, 2016 at 5:03 PM, Ewen Cheslack-Postava wrote: > Koert, > > I think what you're seeing is that there are actually 3 different ways > Connect can interact with Kafka. For both standalone and distributed mode, > you have producers and consumers that are part of the source and sink > connector implementations, respectively. Security for these are configured > using the producer. and consumer. prefixed configurations in the worker > config. In distributed mode, Connect also leverages Kafka's group > membership protocol to coordinate the workers and distribute work between > them. The security settings for these are picked up in the distributed > worker config without any prefixes. > > For more info on configuring security, you can see Confluent's docs on that > here: http://docs.confluent.io/3.1.1/connect/security.html#security > > We realize having to specify this multiple times is annoying if you want to > use the same set of credentials, but for other configurations it is > important to keep the configs for worker/producer/consumer isolated (such > as interceptors, which use the same config name but different interfaces > for ProducerInterceptor vs ConsumerInterceptor). For configs we know might > be shared, we'd like to find a way to make this configuration simpler. > > -Ewen > > On Fri, Nov 25, 2016 at 10:51 AM, Koert Kuipers wrote: > > > well it seems if you run connect in distributed mode... its again > > security.protocol=SASL_PLAINTEXT and not producer.security.protocol= > > SASL_PLAINTEXT > > > > dont ask me why > > > > On Thu, Nov 24, 2016 at 10:40 PM, Koert Kuipers > wrote: > > > > > for anyone that runs into this. turns out i also had to set: > > > producer.security.protocol=SASL_PLAINTEXT > > > producer.sasl.kerberos.service.name=kafka > > > > > > > > > On Thu, Nov 24, 2016 at 8:54 PM, Koert Kuipers > > wrote: > > > > > >> i have a secure kafka 0.10.1 cluster using SASL_PLAINTEXT > > >> > > >> the kafka servers seem fine, and i can start console-consumer and > > >> console-producer and i see the message i type in the producer pop up > in > > the > > >> consumer. no problems so far. > > >> > > >> for example to start console-producer: > > >> $ kinit > > >> $ export KAFKA_OPTS="-Djava.security.auth.login.config=config/jaas. > > conf" > > >> $ bin/kafka-console-producer.sh --producer.config > > >> config/producer.properties --topic test --broker-list > > >> SASL_PLAINTEXT://somenode:9092 > > >> > > >> but i am having no luck whatsoever with kafka-connect. i tried this: > > >> $ kinit > > >> $ export KAFKA_OPTS="-Djava.security.auth.login.config=config/jaas. > > conf" > > >> $ bin/connect-standalone.sh config/connect-standalone.properties > > >> config/connect-console-source.properties > > >> > > >> my config/connect-console-source.properties is unchanged. my > > >> config/connect-standalone has: > > >> > > >> bootstrap.servers=SASL_PLAINTEXT://somenode:9092 > > >> security.protocol=SASL_PLAINTEXT > > >> sasl.kerberos.service.name=kafka > > >> key.converter=org.apache.kafka.connect.json.JsonConverter > > >> value.converter=org.apache.kafka.connect.json.JsonConverter > > >> internal.key.converter=org.apache.kafka.connect.json.JsonConverter > > >> internal.value.converter=org.apache.kafka.connect.json.JsonConverter > > >> internal.key.converter.schemas.enable=false > > >> internal.value.converter.schemas.enable=false > > >> offset.storage.file.filename=/tmp/connect.offsets > > >> offset.flush.interval.ms=1 > > >> > > >> i get these logs in an infinite loop: > > >> [2016-11-24 20:47:18,528] DEBUG Node -1 disconnected. > > >> (org.apache.kafka.clients.NetworkClient:463) > > >> [2016-11-24 20:47:18,528] WARN Bootstrap broker somenode:9092 > > >> disconnected (org.apache.kafka.clients.NetworkClient:568) > > >> [2016-11-24 20:47:18,528] DEBUG Give up sending metadata request since > > no > > >> node is available (org.apache.kafka.clients.NetworkClient:625) > > >> [2016-11-24 20:47:18,629] DEBUG Initialize connection to node -1 for > > >> sending metadata request (org.apache.kafka.clients.NetworkClient:644) > > >> [2016-11-24 20:47:18,629] DEBUG Initiating connection to node -1 at > > >> somenode:9092. (org.apache.kafka.clients.NetworkClient:496) > > >> [2016-11-24 20:47:18,631] DEBUG Created socket with SO_RCVBUF = 32768, > > >> SO_SNDBUF = 124928, SO_TIMEOUT = 0 to node -1 >
Re: no luck with kafka-connect on secure cluster
Koert,
I think what you're seeing is that there are actually 3 different ways
Connect can interact with Kafka. For both standalone and distributed mode,
you have producers and consumers that are part of the source and sink
connector implementations, respectively. Security for these are configured
using the producer. and consumer. prefixed configurations in the worker
config. In distributed mode, Connect also leverages Kafka's group
membership protocol to coordinate the workers and distribute work between
them. The security settings for these are picked up in the distributed
worker config without any prefixes.
For more info on configuring security, you can see Confluent's docs on that
here: http://docs.confluent.io/3.1.1/connect/security.html#security
We realize having to specify this multiple times is annoying if you want to
use the same set of credentials, but for other configurations it is
important to keep the configs for worker/producer/consumer isolated (such
as interceptors, which use the same config name but different interfaces
for ProducerInterceptor vs ConsumerInterceptor). For configs we know might
be shared, we'd like to find a way to make this configuration simpler.
-Ewen
On Fri, Nov 25, 2016 at 10:51 AM, Koert Kuipers wrote:
> well it seems if you run connect in distributed mode... its again
> security.protocol=SASL_PLAINTEXT and not producer.security.protocol=
> SASL_PLAINTEXT
>
> dont ask me why
>
> On Thu, Nov 24, 2016 at 10:40 PM, Koert Kuipers wrote:
>
> > for anyone that runs into this. turns out i also had to set:
> > producer.security.protocol=SASL_PLAINTEXT
> > producer.sasl.kerberos.service.name=kafka
> >
> >
> > On Thu, Nov 24, 2016 at 8:54 PM, Koert Kuipers
> wrote:
> >
> >> i have a secure kafka 0.10.1 cluster using SASL_PLAINTEXT
> >>
> >> the kafka servers seem fine, and i can start console-consumer and
> >> console-producer and i see the message i type in the producer pop up in
> the
> >> consumer. no problems so far.
> >>
> >> for example to start console-producer:
> >> $ kinit
> >> $ export KAFKA_OPTS="-Djava.security.auth.login.config=config/jaas.
> conf"
> >> $ bin/kafka-console-producer.sh --producer.config
> >> config/producer.properties --topic test --broker-list
> >> SASL_PLAINTEXT://somenode:9092
> >>
> >> but i am having no luck whatsoever with kafka-connect. i tried this:
> >> $ kinit
> >> $ export KAFKA_OPTS="-Djava.security.auth.login.config=config/jaas.
> conf"
> >> $ bin/connect-standalone.sh config/connect-standalone.properties
> >> config/connect-console-source.properties
> >>
> >> my config/connect-console-source.properties is unchanged. my
> >> config/connect-standalone has:
> >>
> >> bootstrap.servers=SASL_PLAINTEXT://somenode:9092
> >> security.protocol=SASL_PLAINTEXT
> >> sasl.kerberos.service.name=kafka
> >> key.converter=org.apache.kafka.connect.json.JsonConverter
> >> value.converter=org.apache.kafka.connect.json.JsonConverter
> >> internal.key.converter=org.apache.kafka.connect.json.JsonConverter
> >> internal.value.converter=org.apache.kafka.connect.json.JsonConverter
> >> internal.key.converter.schemas.enable=false
> >> internal.value.converter.schemas.enable=false
> >> offset.storage.file.filename=/tmp/connect.offsets
> >> offset.flush.interval.ms=1
> >>
> >> i get these logs in an infinite loop:
> >> [2016-11-24 20:47:18,528] DEBUG Node -1 disconnected.
> >> (org.apache.kafka.clients.NetworkClient:463)
> >> [2016-11-24 20:47:18,528] WARN Bootstrap broker somenode:9092
> >> disconnected (org.apache.kafka.clients.NetworkClient:568)
> >> [2016-11-24 20:47:18,528] DEBUG Give up sending metadata request since
> no
> >> node is available (org.apache.kafka.clients.NetworkClient:625)
> >> [2016-11-24 20:47:18,629] DEBUG Initialize connection to node -1 for
> >> sending metadata request (org.apache.kafka.clients.NetworkClient:644)
> >> [2016-11-24 20:47:18,629] DEBUG Initiating connection to node -1 at
> >> somenode:9092. (org.apache.kafka.clients.NetworkClient:496)
> >> [2016-11-24 20:47:18,631] DEBUG Created socket with SO_RCVBUF = 32768,
> >> SO_SNDBUF = 124928, SO_TIMEOUT = 0 to node -1
> (org.apache.kafka.common.netwo
> >> rk.Selector:327)
> >> [2016-11-24 20:47:18,631] DEBUG Completed connection to node -1
> >> (org.apache.kafka.clients.NetworkClient:476)
> >> [2016-11-24 20:47:18,730] DEBUG Sending metadata request
> >> {topics=[connect-test]} to node -1 (org.apache.kafka.clients.Netw
> >> orkClient:640)
> >> [2016-11-24 20:47:18,730] DEBUG Connection with somenode/192.168.1.54
> >> disconnected (org.apache.kafka.common.network.Selector:365)
> >> java.io.EOFException
> >> at org.apache.kafka.common.network.NetworkReceive.readFromReada
> >> bleChannel(NetworkReceive.java:83)
> >> at org.apache.kafka.common.network.NetworkReceive.readFrom(
> >> NetworkReceive.java:71)
> >> at org.apache.kafka.common.network.KafkaChannel.receive(KafkaCh
> >> annel.java:154)
> >> at org.apache.kafka.common.network.KafkaChanne
Re: no luck with kafka-connect on secure cluster
well it seems if you run connect in distributed mode... its again
security.protocol=SASL_PLAINTEXT and not producer.security.protocol=
SASL_PLAINTEXT
dont ask me why
On Thu, Nov 24, 2016 at 10:40 PM, Koert Kuipers wrote:
> for anyone that runs into this. turns out i also had to set:
> producer.security.protocol=SASL_PLAINTEXT
> producer.sasl.kerberos.service.name=kafka
>
>
> On Thu, Nov 24, 2016 at 8:54 PM, Koert Kuipers wrote:
>
>> i have a secure kafka 0.10.1 cluster using SASL_PLAINTEXT
>>
>> the kafka servers seem fine, and i can start console-consumer and
>> console-producer and i see the message i type in the producer pop up in the
>> consumer. no problems so far.
>>
>> for example to start console-producer:
>> $ kinit
>> $ export KAFKA_OPTS="-Djava.security.auth.login.config=config/jaas.conf"
>> $ bin/kafka-console-producer.sh --producer.config
>> config/producer.properties --topic test --broker-list
>> SASL_PLAINTEXT://somenode:9092
>>
>> but i am having no luck whatsoever with kafka-connect. i tried this:
>> $ kinit
>> $ export KAFKA_OPTS="-Djava.security.auth.login.config=config/jaas.conf"
>> $ bin/connect-standalone.sh config/connect-standalone.properties
>> config/connect-console-source.properties
>>
>> my config/connect-console-source.properties is unchanged. my
>> config/connect-standalone has:
>>
>> bootstrap.servers=SASL_PLAINTEXT://somenode:9092
>> security.protocol=SASL_PLAINTEXT
>> sasl.kerberos.service.name=kafka
>> key.converter=org.apache.kafka.connect.json.JsonConverter
>> value.converter=org.apache.kafka.connect.json.JsonConverter
>> internal.key.converter=org.apache.kafka.connect.json.JsonConverter
>> internal.value.converter=org.apache.kafka.connect.json.JsonConverter
>> internal.key.converter.schemas.enable=false
>> internal.value.converter.schemas.enable=false
>> offset.storage.file.filename=/tmp/connect.offsets
>> offset.flush.interval.ms=1
>>
>> i get these logs in an infinite loop:
>> [2016-11-24 20:47:18,528] DEBUG Node -1 disconnected.
>> (org.apache.kafka.clients.NetworkClient:463)
>> [2016-11-24 20:47:18,528] WARN Bootstrap broker somenode:9092
>> disconnected (org.apache.kafka.clients.NetworkClient:568)
>> [2016-11-24 20:47:18,528] DEBUG Give up sending metadata request since no
>> node is available (org.apache.kafka.clients.NetworkClient:625)
>> [2016-11-24 20:47:18,629] DEBUG Initialize connection to node -1 for
>> sending metadata request (org.apache.kafka.clients.NetworkClient:644)
>> [2016-11-24 20:47:18,629] DEBUG Initiating connection to node -1 at
>> somenode:9092. (org.apache.kafka.clients.NetworkClient:496)
>> [2016-11-24 20:47:18,631] DEBUG Created socket with SO_RCVBUF = 32768,
>> SO_SNDBUF = 124928, SO_TIMEOUT = 0 to node -1 (org.apache.kafka.common.netwo
>> rk.Selector:327)
>> [2016-11-24 20:47:18,631] DEBUG Completed connection to node -1
>> (org.apache.kafka.clients.NetworkClient:476)
>> [2016-11-24 20:47:18,730] DEBUG Sending metadata request
>> {topics=[connect-test]} to node -1 (org.apache.kafka.clients.Netw
>> orkClient:640)
>> [2016-11-24 20:47:18,730] DEBUG Connection with somenode/192.168.1.54
>> disconnected (org.apache.kafka.common.network.Selector:365)
>> java.io.EOFException
>> at org.apache.kafka.common.network.NetworkReceive.readFromReada
>> bleChannel(NetworkReceive.java:83)
>> at org.apache.kafka.common.network.NetworkReceive.readFrom(
>> NetworkReceive.java:71)
>> at org.apache.kafka.common.network.KafkaChannel.receive(KafkaCh
>> annel.java:154)
>> at org.apache.kafka.common.network.KafkaChannel.read(KafkaChann
>> el.java:135)
>> at org.apache.kafka.common.network.Selector.pollSelectionKeys(
>> Selector.java:343)
>> at org.apache.kafka.common.network.Selector.poll(Selector.java:
>> 291)
>> at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.
>> java:260)
>> at org.apache.kafka.clients.producer.internals.Sender.run(Sende
>> r.java:236)
>> at org.apache.kafka.clients.producer.internals.Sender.run(Sende
>> r.java:135)
>> at java.lang.Thread.run(Thread.java:745)
>>
>> i tried different kafka-connect connectors, same result.
>>
>> any ideas? thanks!
>>
>
>
Re: no luck with kafka-connect on secure cluster
for anyone that runs into this. turns out i also had to set:
producer.security.protocol=SASL_PLAINTEXT
producer.sasl.kerberos.service.name=kafka
On Thu, Nov 24, 2016 at 8:54 PM, Koert Kuipers wrote:
> i have a secure kafka 0.10.1 cluster using SASL_PLAINTEXT
>
> the kafka servers seem fine, and i can start console-consumer and
> console-producer and i see the message i type in the producer pop up in the
> consumer. no problems so far.
>
> for example to start console-producer:
> $ kinit
> $ export KAFKA_OPTS="-Djava.security.auth.login.config=config/jaas.conf"
> $ bin/kafka-console-producer.sh --producer.config
> config/producer.properties --topic test --broker-list
> SASL_PLAINTEXT://somenode:9092
>
> but i am having no luck whatsoever with kafka-connect. i tried this:
> $ kinit
> $ export KAFKA_OPTS="-Djava.security.auth.login.config=config/jaas.conf"
> $ bin/connect-standalone.sh config/connect-standalone.properties
> config/connect-console-source.properties
>
> my config/connect-console-source.properties is unchanged. my
> config/connect-standalone has:
>
> bootstrap.servers=SASL_PLAINTEXT://somenode:9092
> security.protocol=SASL_PLAINTEXT
> sasl.kerberos.service.name=kafka
> key.converter=org.apache.kafka.connect.json.JsonConverter
> value.converter=org.apache.kafka.connect.json.JsonConverter
> internal.key.converter=org.apache.kafka.connect.json.JsonConverter
> internal.value.converter=org.apache.kafka.connect.json.JsonConverter
> internal.key.converter.schemas.enable=false
> internal.value.converter.schemas.enable=false
> offset.storage.file.filename=/tmp/connect.offsets
> offset.flush.interval.ms=1
>
> i get these logs in an infinite loop:
> [2016-11-24 20:47:18,528] DEBUG Node -1 disconnected.
> (org.apache.kafka.clients.NetworkClient:463)
> [2016-11-24 20:47:18,528] WARN Bootstrap broker somenode:9092 disconnected
> (org.apache.kafka.clients.NetworkClient:568)
> [2016-11-24 20:47:18,528] DEBUG Give up sending metadata request since no
> node is available (org.apache.kafka.clients.NetworkClient:625)
> [2016-11-24 20:47:18,629] DEBUG Initialize connection to node -1 for
> sending metadata request (org.apache.kafka.clients.NetworkClient:644)
> [2016-11-24 20:47:18,629] DEBUG Initiating connection to node -1 at
> somenode:9092. (org.apache.kafka.clients.NetworkClient:496)
> [2016-11-24 20:47:18,631] DEBUG Created socket with SO_RCVBUF = 32768,
> SO_SNDBUF = 124928, SO_TIMEOUT = 0 to node -1 (org.apache.kafka.common.
> network.Selector:327)
> [2016-11-24 20:47:18,631] DEBUG Completed connection to node -1
> (org.apache.kafka.clients.NetworkClient:476)
> [2016-11-24 20:47:18,730] DEBUG Sending metadata request
> {topics=[connect-test]} to node -1 (org.apache.kafka.clients.
> NetworkClient:640)
> [2016-11-24 20:47:18,730] DEBUG Connection with somenode/192.168.1.54
> disconnected (org.apache.kafka.common.network.Selector:365)
> java.io.EOFException
> at org.apache.kafka.common.network.NetworkReceive.
> readFromReadableChannel(NetworkReceive.java:83)
> at org.apache.kafka.common.network.NetworkReceive.
> readFrom(NetworkReceive.java:71)
> at org.apache.kafka.common.network.KafkaChannel.receive(
> KafkaChannel.java:154)
> at org.apache.kafka.common.network.KafkaChannel.read(
> KafkaChannel.java:135)
> at org.apache.kafka.common.network.Selector.
> pollSelectionKeys(Selector.java:343)
> at org.apache.kafka.common.network.Selector.poll(
> Selector.java:291)
> at org.apache.kafka.clients.NetworkClient.poll(
> NetworkClient.java:260)
> at org.apache.kafka.clients.producer.internals.Sender.run(
> Sender.java:236)
> at org.apache.kafka.clients.producer.internals.Sender.run(
> Sender.java:135)
> at java.lang.Thread.run(Thread.java:745)
>
> i tried different kafka-connect connectors, same result.
>
> any ideas? thanks!
>
no luck with kafka-connect on secure cluster
i have a secure kafka 0.10.1 cluster using SASL_PLAINTEXT
the kafka servers seem fine, and i can start console-consumer and
console-producer and i see the message i type in the producer pop up in the
consumer. no problems so far.
for example to start console-producer:
$ kinit
$ export KAFKA_OPTS="-Djava.security.auth.login.config=config/jaas.conf"
$ bin/kafka-console-producer.sh --producer.config
config/producer.properties --topic test --broker-list
SASL_PLAINTEXT://somenode:9092
but i am having no luck whatsoever with kafka-connect. i tried this:
$ kinit
$ export KAFKA_OPTS="-Djava.security.auth.login.config=config/jaas.conf"
$ bin/connect-standalone.sh config/connect-standalone.properties
config/connect-console-source.properties
my config/connect-console-source.properties is unchanged. my
config/connect-standalone has:
bootstrap.servers=SASL_PLAINTEXT://somenode:9092
security.protocol=SASL_PLAINTEXT
sasl.kerberos.service.name=kafka
key.converter=org.apache.kafka.connect.json.JsonConverter
value.converter=org.apache.kafka.connect.json.JsonConverter
internal.key.converter=org.apache.kafka.connect.json.JsonConverter
internal.value.converter=org.apache.kafka.connect.json.JsonConverter
internal.key.converter.schemas.enable=false
internal.value.converter.schemas.enable=false
offset.storage.file.filename=/tmp/connect.offsets
offset.flush.interval.ms=1
i get these logs in an infinite loop:
[2016-11-24 20:47:18,528] DEBUG Node -1 disconnected.
(org.apache.kafka.clients.NetworkClient:463)
[2016-11-24 20:47:18,528] WARN Bootstrap broker somenode:9092 disconnected
(org.apache.kafka.clients.NetworkClient:568)
[2016-11-24 20:47:18,528] DEBUG Give up sending metadata request since no
node is available (org.apache.kafka.clients.NetworkClient:625)
[2016-11-24 20:47:18,629] DEBUG Initialize connection to node -1 for
sending metadata request (org.apache.kafka.clients.NetworkClient:644)
[2016-11-24 20:47:18,629] DEBUG Initiating connection to node -1 at
somenode:9092. (org.apache.kafka.clients.NetworkClient:496)
[2016-11-24 20:47:18,631] DEBUG Created socket with SO_RCVBUF = 32768,
SO_SNDBUF = 124928, SO_TIMEOUT = 0 to node -1
(org.apache.kafka.common.network.Selector:327)
[2016-11-24 20:47:18,631] DEBUG Completed connection to node -1
(org.apache.kafka.clients.NetworkClient:476)
[2016-11-24 20:47:18,730] DEBUG Sending metadata request
{topics=[connect-test]} to node -1
(org.apache.kafka.clients.NetworkClient:640)
[2016-11-24 20:47:18,730] DEBUG Connection with somenode/192.168.1.54
disconnected (org.apache.kafka.common.network.Selector:365)
java.io.EOFException
at
org.apache.kafka.common.network.NetworkReceive.readFromReadableChannel(NetworkReceive.java:83)
at
org.apache.kafka.common.network.NetworkReceive.readFrom(NetworkReceive.java:71)
at
org.apache.kafka.common.network.KafkaChannel.receive(KafkaChannel.java:154)
at
org.apache.kafka.common.network.KafkaChannel.read(KafkaChannel.java:135)
at
org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:343)
at org.apache.kafka.common.network.Selector.poll(Selector.java:291)
at
org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:260)
at
org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:236)
at
org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:135)
at java.lang.Thread.run(Thread.java:745)
i tried different kafka-connect connectors, same result.
any ideas? thanks!
