TAO XIAO created KAFKA-7274:
-------------------------------

             Summary: Incorrect subject credential used in inter-broker communication
                 Key: KAFKA-7274
                 URL: https://issues.apache.org/jira/browse/KAFKA-7274
             Project: Kafka
          Issue Type: Bug
          Components: security
    Affects Versions: 2.0.0, 1.1.1, 1.1.0, 1.0.2, 1.0.1, 1.0.0
            Reporter: TAO XIAO


We configured one broker to enable multiple SASL mechanisms using a JAAS 
config file, but the broker failed to start up.

Here is the security section of server.properties:

{noformat}
listeners=SASL_PLAINTEXT://:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.enabled.mechanisms=PLAIN,SCRAM-SHA-256
sasl.mechanism.inter.broker.protocol=PLAIN{noformat}


JAAS file:

{noformat}
sasl_plaintext.KafkaServer {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  username="admin"
  password="admin-secret"
  user_admin="admin-secret"
  user_alice="alice-secret";

  org.apache.kafka.common.security.scram.ScramLoginModule required
  username="admin1"
  password="admin-secret";
};{noformat}

The exception we got:

{noformat}
[2018-08-10 12:12:13,070] ERROR [Controller id=0, targetBrokerId=0] Connection 
to node 0 failed authentication due to: Authentication failed: Invalid username 
or password (org.apache.kafka.clients.NetworkClient){noformat}

If we changed to using the broker configuration properties instead, the broker 
starts successfully:

{noformat}
listeners=SASL_PLAINTEXT://:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.enabled.mechanisms=PLAIN,SCRAM-SHA-256
sasl.mechanism.inter.broker.protocol=PLAIN
listener.name.sasl_plaintext.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule
 required username="admin" password="admin-secret" user_admin="admin-secret" 
user_alice="alice-secret";
listener.name.sasl_plaintext.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule
 required username="admin1" password="admin-secret";{noformat}

I believe this issue is caused by Kafka assigning all login modules to each 
defined mechanism when using a JAAS file, which results in the Login class 
adding the username defined in each login module to the same Subject:

[https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/JaasContext.java#L101]
[https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/authenticator/LoginManager.java#L63]
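As an added illustration (not code from the reporter or from the Kafka project), the script below is a pre-flight check an operator can run over a JAAS file before starting a broker. It parses the KafkaServer section, flags any section in which more than one login module carries its own {{username}} (the situation described above, where all of them would end up in one Subject), and rewrites the modules into the per-mechanism {{listener.name.<listener>.<mechanism>.sasl.jaas.config}} form that the report shows starting cleanly. The sample JAAS text and the enabled-mechanism list are constructed from the values in this report; the mapping of {{ScramLoginModule}} to every enabled {{SCRAM-*}} mechanism is an assumption of this script, and a section named bare {{KafkaServer}} (no listener prefix) is skipped because the target listener cannot be inferred from it.

```python
"""Pre-flight check for a Kafka JAAS file (added example, not Kafka's own code).

Flags KafkaServer sections that stack several SASL login modules, each with
its own username/password, and emits the equivalent per-mechanism
listener.name.<listener>.<mechanism>.sasl.jaas.config properties so that each
mechanism keeps its credentials in its own login context.
"""
import re

# Constructed sample: the JAAS section from the report (sample values, not real secrets).
SAMPLE_JAAS = '''
sasl_plaintext.KafkaServer {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  username="admin"
  password="admin-secret"
  user_admin="admin-secret"
  user_alice="alice-secret";

  org.apache.kafka.common.security.scram.ScramLoginModule required
  username="admin1"
  password="admin-secret";
};
'''

# Constructed sample: sasl.enabled.mechanisms from the report's server.properties.
SAMPLE_ENABLED = ["PLAIN", "SCRAM-SHA-256"]

# Login module class -> SASL mechanisms it serves. ScramLoginModule serves every
# enabled SCRAM-* mechanism, so it is resolved against the enabled list instead.
MODULE_MECHANISMS = {
    "org.apache.kafka.common.security.plain.PlainLoginModule": ["PLAIN"],
}

_SECTION_RE = re.compile(r'(?P<name>[\w.\-]+)\s*\{(?P<body>.*?)\};', re.S)
_MODULE_RE = re.compile(r'(?P<cls>[\w.]+LoginModule)\s+(?P<flag>\w+)\s+(?P<opts>.*?);', re.S)
_OPT_RE = re.compile(r'(?P<k>[\w.\-]+)\s*=\s*"(?P<v>[^"]*)"')


def parse_jaas(text):
    """Return {section_name: [(module_class, control_flag, {option: value}), ...]}."""
    sections = {}
    for sec in _SECTION_RE.finditer(text):
        modules = []
        for mod in _MODULE_RE.finditer(sec.group("body")):
            opts = dict(_OPT_RE.findall(mod.group("opts")))
            modules.append((mod.group("cls"), mod.group("flag"), opts))
        sections[sec.group("name")] = modules
    return sections


def find_credential_collisions(sections):
    """Sections where more than one login module sets 'username'.

    With a JAAS file, Kafka loads all modules of the section into one Subject,
    so the inter-broker client may present the wrong credential.
    """
    return {
        name: [cls for cls, _, opts in mods if "username" in opts]
        for name, mods in sections.items()
        if sum("username" in opts for _, _, opts in mods) > 1
    }


def mechanisms_for(module_class, enabled):
    """Mechanisms (from the enabled list) that a given login module serves."""
    if module_class in MODULE_MECHANISMS:
        return [m for m in MODULE_MECHANISMS[module_class] if m in enabled]
    if module_class.endswith("ScramLoginModule"):  # assumption: any SCRAM-* mechanism
        return [m for m in enabled if m.startswith("SCRAM-")]
    return []


def to_listener_properties(sections, enabled_mechanisms):
    """One listener.name.<listener>.<mechanism>.sasl.jaas.config line per module/mechanism."""
    lines = []
    for name, mods in sections.items():
        listener, _, ctx = name.rpartition(".")
        if ctx != "KafkaServer" or not listener:
            continue  # bare 'KafkaServer' gives no listener name to target
        for cls, flag, opts in mods:
            for mech in mechanisms_for(cls, enabled_mechanisms):
                opt_str = " ".join(f'{k}="{v}"' for k, v in opts.items())
                lines.append(
                    f"listener.name.{listener}.{mech.lower()}.sasl.jaas.config="
                    f"{cls} {flag} {opt_str};"
                )
    return lines


if __name__ == "__main__":
    parsed = parse_jaas(SAMPLE_JAAS)
    for section, classes in find_credential_collisions(parsed).items():
        print(f"WARNING: {section} stacks {len(classes)} login modules with their own "
              f"username; all of them land in one Subject: {classes}")
    print("Equivalent per-mechanism broker properties:")
    for line in to_listener_properties(parsed, SAMPLE_ENABLED):
        print(line)
```

Run it against a real JAAS file by replacing {{SAMPLE_JAAS}} with the file's contents and {{SAMPLE_ENABLED}} with the broker's {{sasl.enabled.mechanisms}}; the emitted lines can be pasted into server.properties in place of the JAAS file.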
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)