Hi Martin, the owner of the file is 'adm.' I have switched to the user 'adm' and am executing everything under that credential. Which portion of Chris' instruction are you referring to?
thanks,

On Tue, Mar 8, 2022 at 4:13 AM Martin Gainty <mgai...@hotmail.com> wrote:

> Hi Mem
>
> UNIX / Linux Find File Owner Name - nixCraft (cyberciti.biz)
> <https://www.cyberciti.biz/faq/unix-linux-find-file-owner-name/>
> once you know who created your file
> file:/app/data/cred/connector_credentials.prop
> you will need to change credentials as the owner of the file
>
> then follow chris' instructions
>
> ________________________________
> From: Chris Egerton <fearthecel...@gmail.com>
> Sent: Monday, March 7, 2022 4:48 PM
> To: users@kafka.apache.org <users@kafka.apache.org>
> Subject: Re: securing sasl/scram username and password in kafka connect
>
> It looks like the file config provider isn't actually set up on the Connect
> worker. What does your Connect worker config look like (usually a file
> called something like connect-distributed.properties)? Feel free to change
> any sensitive values to a string like "<redacted>", but please don't remove
> them entirely (they may be necessary for debugging).
>
> On Mon, Mar 7, 2022 at 4:39 PM Men Lim <zulu...@gmail.com> wrote:
>
> > Thanks for the response Chris. I went thru the setup again and it appeared
> > I might have had a typo somewhere last friday. Currently, I'm running into
> > a file permission issue.
> >
> > the file has the following permissions:
> >
> > -rw-r--r-- 1 adm admn 88 Mar 7 21:23 connector_credentials.properties
> >
> > I have tried changing the pwd to 700 but still the same error:
> >
> > Unable to connect: Access denied for user
> > '${file:/app/data/cred/connector_credentials.prop'@'172.x.x.x' (using
> > password: YES)
> >
> > On Mon, Mar 7, 2022 at 1:55 PM Chris Egerton <fearthecel...@gmail.com>
> > wrote:
> >
> > > Hi Men,
> > >
> > > That config snippet has a small syntax error: all double quotes should be
> > > escaped.
> > > Assuming you tried something like this:
> > >
> > > "database.history.producer.sasl.jaas.config":
> > > "org.apache.kafka.common.security.scram.ScramLoginModule required
> > > username=\"${file:/path/file.pro:user}\" password=\"${file:/path/file.pro:password}\";"
> > >
> > > and still ran into issues, we'd probably need to see log files or, at the
> > > very least, the stack trace for the task from the REST API (if it failed at
> > > all) in order to follow up and provide more help.
> > >
> > > Cheers,
> > >
> > > Chris
> > >
> > > On Mon, Mar 7, 2022 at 3:26 PM Men Lim <zulu...@gmail.com> wrote:
> > >
> > > > Hi Chris,
> > > > I was getting an unauthorized/authentication error message when I was
> > > > trying it out last Friday. I tried looking for the exact message in the
> > > > connect.log.* files but was not very successful. In my connector file, I
> > > > have
> > > >
> > > > {
> > > > "name":"blah",
> > > > "config": {
> > > > ...
> > > > ...
> > > > "database.history.producer.sasl.jaas.config":
> > > > "org.apache.kafka.common.security.scram.ScramLoginModule required
> > > > username=\"000\" password=\"000000\";",
> > > > ...
> > > > }
> > > > }
> > > >
> > > > I changed the database.history.producer.sasl.jaas.config to:
> > > >
> > > > "database.history.producer.sasl.jaas.config":
> > > > "org.apache.kafka.common.security.scram.ScramLoginModule required
> > > > username="${file:/path/file.pro:user"} password="${file:/path/file.pro:password}";",
> > > >
> > > > On Mon, Mar 7, 2022 at 9:46 AM Chris Egerton <fearthecel...@gmail.com>
> > > > wrote:
> > > >
> > > > > Hi Men,
> > > > >
> > > > > The config provider mechanism should work for every property in a connector
> > > > > config, and every property in a worker config except for the plugin.path
> > > > > property (see KAFKA-9845 [1]).
> > > > > You can also use it for only part of a
> > > > > single property, or even multiple parts, like in this example (assuming a
> > > > > config provider named "file"):
> > > > >
> > > > > sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule
> > > > > required username="${file:/some/file.properties:username}"
> > > > > password="${file:/some/file.properties:password}"
> > > > >
> > > > > What sorts of errors are you seeing when trying to use a config provider
> > > > > with sasl/scram credentials?
> > > > >
> > > > > [1] - https://issues.apache.org/jira/browse/KAFKA-9845
> > > > >
> > > > > Cheers,
> > > > >
> > > > > Chris
> > > > >
> > > > > On Mon, Mar 7, 2022 at 10:35 AM Men Lim <zulu...@gmail.com> wrote:
> > > > >
> > > > > > Hi all,
> > > > > >
> > > > > > recently, I found out about
> > > > > >
> > > > > > config.providers=file
> > > > > >
> > > > > > config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider
> > > > > >
> > > > > > This works great to remove our embedded database password into an external
> > > > > > file. However, it does not work when I tried to do the same thing with the
> > > > > > sasl/scram username and password found in the distributor or connector file
> > > > > > for kafka connect:
> > > > > >
> > > > > > sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule
> > > > > > required \
> > > > > > username="000" password="some_password";
> > > > > >
> > > > > > I was wondering if there's a way to secure these passwords as well?
> > > > > >
> > > > > > Thanks,
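
An added example, not part of the original thread and not Kafka's own code: a small Python linter for three problems that come up in the messages above, namely inner double quotes left unescaped in the connector JSON, a `${file:path:key}` reference whose closing brace sits after the quote, and a credentials file readable beyond its owner. The names `lint_connector`, `load_properties` and `demo`, the reference pattern, and the sample credentials are assumptions constructed for illustration.

```python
import json
import os
import re
import tempfile

REF = re.compile(r"\$\{([^}:]*):([^}:]*):([^}]*)\}")  # ${provider:path:key}
MODULE = "org.apache.kafka.common.security.scram.ScramLoginModule"

def load_properties(path):
    """Minimal key=value reader (comments skipped, no escape handling)."""
    with open(path, encoding="utf-8") as fh:
        pairs = [ln.partition("=") for ln in map(str.strip, fh) if "=" in ln and ln[0] not in "#!"]
    return {k.strip(): v.strip() for k, _, v in pairs}

def lint_connector(text):
    """Return findings for ${file:...} references in a connector JSON document."""
    try:
        config = json.loads(text)["config"]
    except json.JSONDecodeError as exc:
        return [f"invalid JSON (inner double quotes not escaped?): {exc.msg}"]
    findings = []
    for name, value in config.items():
        for provider, path, key in REF.findall(str(value)):
            if provider == "file" and os.path.isfile(path):
                mode = os.stat(path).st_mode & 0o777
                if mode & 0o077:
                    findings.append(f"{path}: mode {mode:o} is readable beyond the owner")
                if key not in load_properties(path):
                    findings.append(f"{name}: key {key!r} not found in {path}")
    return list(dict.fromkeys(findings))  # de-duplicate, keep order

def demo():
    """Lint constructed configs shaped like the snippets in the thread."""
    with tempfile.TemporaryDirectory() as tmp:
        cred = os.path.join(tmp, "connector_credentials.properties")
        with open(cred, "w", encoding="utf-8") as fh:
            fh.write("user=000\npassword=000000\n")  # constructed values
        os.chmod(cred, 0o644)  # same mode as the listing in the thread
        def doc(user_ref):
            jaas = f'{MODULE} required username={user_ref} password="${{file:{cred}:password}}";'
            return json.dumps({"config": {"database.history.producer.sasl.jaas.config": jaas}})
        good = doc(f'"${{file:{cred}:user}}"')
        swapped = doc(f'"${{file:{cred}:user"}}')  # closing brace after the quote
        unescaped = good.replace('\\"', '"')  # inner quotes left unescaped
        before = [lint_connector(d) for d in (unescaped, swapped, good)]
        os.chmod(cred, 0o600)  # owner read/write only
        return before, lint_connector(good)

if __name__ == "__main__":
    print(demo())
```

The misplaced brace still parses as a reference, but its key becomes `user"`, which the properties file does not contain; the linter reports that as a missing key.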