Hi,

We are using Flink 1.5.3, where the Kafka producer talks with a kerberized Kafka (Kerberos only, no SSL).

It fails to connect to Kafka with a root exception:

javax.security.auth.callback.UnsupportedCallbackException: Could not login: the client is being asked for a password, but the Kafka client code does not currently support obtaining a password from the user.

We have the following configuration for Kerberos in flink-conf.yaml:

# ----------------------------------------------
security.kerberos.login.use-ticket-cache: false
security.kerberos.login.keytab: /etc/krb5/flink.keytab
security.kerberos.login.principal: kafka/the.host.n...@example.com
security.kerberos.login.contexts: KafkaClient
# ----------------------------------------------

We use org.apache.flink.streaming.connectors.kafka.FlinkKafkaProducer011 with the following properties for Kerberos:

# ----------------------------------------------
security.protocol=SASL_PLAINTEXT
sasl.kerberos.service.name=kafka
# ----------------------------------------------

From the job/task manager hosts we can log in with the same user which runs the Flink processes, and successfully get a Kerberos ticket:

# ----------------------------------------------
kubectl exec -it <manager> -- /bin/bash
$ kinit kafka/hdp-2641.fyre.ibm....@example.com -k -t /etc/krb5/flink.keytab
Done! New ticket is stored in cache file /opt/flink/krb5cc_bai
$ klist
Credentials cache: /opt/flink/krb5cc_bai
Default principal: kafka/the.host.n...@example.com
Number of entries: 1
[1] Service principal: krbtgt/example....@example.com
    Valid starting: Monday, September 10, 2018 at 4:58:29 PM
    Expires: Tuesday, September 11, 2018 at 4:58:29 PM
# ----------------------------------------------

However, when we check the content of the JAAS file generated in /temp, we see no content apart from the comments:

/tmp$ cat jaas-4651713797960840940.conf
/**
################################################################################
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
################################################################################
# We are using this file as an workaround for the Kafka and ZK SASL implementation
# since they explicitly look for java.security.auth.login.config property
# Please do not edit/delete this file - See FLINK-3929
**/
/tmp$

- Could you confirm that we should have more in the generated JAAS file?
- We strongly suspect the UnsupportedCallbackException is caused by missing content in the generated JAAS file.

Thanks,
Sebastien Pereira
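
Added example, not part of the original message and not Flink or Kafka code: a small Python parser that lists the login contexts a JAAS file defines and reports what a keytab-based Krb5LoginModule entry for KafkaClient lacks, run on a constructed comment-only file like the one shown above and on a constructed static entry. The principal in the sample entry is a placeholder, and the check reads only the file, so it says nothing about a JAAS configuration supplied to the JVM by other means.

```python
import re

# JAAS tokens: block/line comments, quoted strings, punctuation, bare words.
TOKEN = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:[^"\\]|\\.)*"|[{};=]|[^\s{};="]+', re.S)

# Constructed samples; host and realm in the principal are placeholders.
COMMENT_ONLY = "/**\n# Please do not edit/delete this file - See FLINK-3929\n**/\n"
STATIC_ENTRY = """// constructed example entry
KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true
    keyTab="/etc/krb5/flink.keytab" principal="kafka/host.example.com@EXAMPLE.COM";
};
"""

def parse_jaas(text):
    """Return {context: [(module, flag, options), ...]} for a JAAS file."""
    toks = [t for t in TOKEN.findall(text) if not t.startswith(("/*", "//"))]
    contexts, i = {}, 0
    try:
        while i < len(toks):
            name, brace = toks[i], toks[i + 1]
            if brace != "{":
                raise ValueError(f"expected '{{' after {name!r}")
            i, entries = i + 2, []
            while toks[i] != "}":
                module, flag, opts, i = toks[i], toks[i + 1], {}, i + 2
                while toks[i] != ";":
                    if toks[i + 1] != "=":
                        raise ValueError(f"expected '=' after {toks[i]!r}")
                    opts[toks[i]] = toks[i + 2].strip('"')
                    i += 3
                i += 1  # skip the ';' that ends this login module entry
                entries.append((module, flag, opts))
            i += 2 if toks[i + 1:i + 2] == [";"] else 1  # skip '}' and optional ';'
            contexts[name] = entries
    except IndexError:
        raise ValueError("truncated JAAS entry") from None
    return contexts

def keytab_login_gaps(contexts, wanted="KafkaClient"):
    """List what a keytab-based Krb5 login is missing in one context."""
    if wanted not in contexts:
        return [f"no {wanted!r} context defined"]
    krb = [o for m, _, o in contexts[wanted] if m.endswith("Krb5LoginModule")]
    if not krb:
        return [f"{wanted!r} has no Krb5LoginModule entry"]
    gaps = [] if krb[0].get("useKeyTab") == "true" else ["useKeyTab is not true"]
    return gaps + [f"{k} not set" for k in ("keyTab", "principal") if k not in krb[0]]
```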