Tyler Monahan created KAFKA-7416:
------------------------------------
Summary: kerberos credentials not being refreshed
Key: KAFKA-7416
URL: https://issues.apache.org/jira/browse/KAFKA-7416
Project: Kafka
Issue Type: Bug
Components: security
Affects Versions: 1.1.0
Environment: ubnutu 14, aws
Reporter: Tyler Monahan
My setup uses kerberos for auth between consumers/producers/brokers in aws.
When an instances goes down in aws a new one spins back up to replace the old
one and reuses the old kerberos dns name and kafka id. I am running into an
issue where the consumers/producers/brokers are caching the credentials for the
old server and they continue to use them to login to the new server which fails
since it has a different kerberos key. I have not found a way to make kafka
clear out the login credentials so it can login to the new node.
I had hoped I could update the jaas config to use credentials that were not
stored in java but it seems like storeKey=true is required to work so I can't
do that. My other hope was that I could modify the /etc/krb5.conf config to set
a low life time on the tickets but kafka doesn't seem to honor that. If there
was some way to configure java to expire the stored credentials periodically
that might work.
This is the error I get initially when a node dies and a new one comes up from
the kafka controller which tries to connect to it. Restarting the kafka brokers
causes it to no longer have this error.
{code:java}
[RequestSendThread controllerId=3] Controller 3's connection to broker
int-kafka-a-1.int.skytouch.io:9092 (id: 1 rack: null) was unsuccessful
(kafka.controller.RequestSendThread)
org.apache.kafka.common.errors.SaslAuthenticationException: Authentication
failed due to invalid credentials with SASL mechanism GSSAPI
{code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
