A small correction: I'm not trying to enable mTLS; just simple authentication (Digest or Plain) is enough.
Sharing the JAAS files and config files:
kafka_server_jaas.conf

> admin.KafkaServer{
> org.apache.kafka.common.security.plain.PlainLoginModule required
> username="USERNAME"
> password="PASSWORD";
> };
>
> KafkaServer{
> org.apache.kafka.common.security.plain.PlainLoginModule required
> username="USERNAME"
> password="PASSWORD";
> };
>
> Client{
> org.apache.zookeeper.server.auth.DigestLoginModule required
> username="super"
> password="adminsecret";
> };
>
server.properties

> zookeeper.sasl.client=false
> java.security.auth.login.config=$base_dir/../config/kafka_server_jaas.conf
> zookeeper.connection.timeout.ms=6000
> zookeeper.sync.time.ms=2000
> zookeeper.set.acl=true

zk_server_jaas.conf

> QuorumServer{
> org.apache.zookeeper.server.auth.DigestLoginModule required
> user_test="test";
> };
> QuorumLearner{
> org.apache.zookeeper.server.auth.DigestLoginModule required
> username="test"
> password="test";
> };
> Server{
> org.apache.zookeeper.server.auth.DigestLoginModule required
> username="super"
> password="adminsecret";
> };


zoo.cfg

> zookeeper.authProvider.1=org.apache.zookeeper.server.auth.DigestAuthenticationProvider


env

> SERVER_JVMFLAGS="$SERVER_JVMFLAGS
> -Djava.security.auth.login.config=$ZOOCFGDIR/zk_server_jaas.conf"
>
On Fri, Nov 10, 2023 at 7:03 PM Alex Brekken <brek...@gmail.com> wrote:

> Ok, so you're trying to enable both SASL authentication (digest) and TLS,
> using mTLS for Zookeeper?  I'm just trying to understand the bigger
> picture.  The error you're getting regarding the Sasl token sounds like
> either the jaas config on the Kafka broker side is wrong/missing, or the
> jaas config on the ZK side is wrong/missing.  (you need both - in this case
> the broker is the "client" and ZK is the "server"). Are you able to share
> the jaas config you're using for both Kafka and ZK?  Without seeing that
> it's tough to know.  Also, to make troubleshooting easier you might want to
> leave TLS out of it for now and get SASL working first.  (or vice-versa)
>
> On Thu, Nov 9, 2023 at 11:26 PM arjun s v <arjun.cs...@gmail.com> wrote:
>
> > "Digest-MD5 is SASL authentication, so not sure what you mean here."
> > If I set zookeeper.sasl.client=true, zookeeper expects a "saslToken" and
> > throws the following error,
> >
> > "SASL authentication failed using login context 'Client' with exception:
> > {}" "javax.security.sasl.SaslException: Error in authenticating with a
> > Zookeeper Quorum member: the quorum member's saslToken is null.
> >
> >         at org.apache.zookeeper.client.ZooKeeperSaslClient.createSaslToken(ZooKeeperSaslClient.java:312)
> >         at org.apache.zookeeper.client.ZooKeeperSaslClient.respondToServer(ZooKeeperSaslClient.java:275)
> >         at org.apache.zookeeper.ClientCnxn$SendThread.readResponse(ClientCnxn.java:882)
> >         at org.apache.zookeeper.ClientCnxnSocketNIO.doIO(ClientCnxnSocketNIO.java:103)
> >         at org.apache.zookeeper.ClientCnxnSocketNIO.doTransport(ClientCnxnSocketNIO.java:365)
> >         at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1223)
> >
> >
> > "Hmm, that config shouldn't have anything to do with TLS. You can set ACL's
> > with or without TLS encryption. Were you getting an error?"
> >
> >
> > "Fatal error during KafkaServer startup. Prepare to shutdown"
> > "java.lang.SecurityException: zookeeper.set.acl is true, but ZooKeeper
> > client TLS configuration identifying at least
> > kafka.server.KafkaConfig$@7b22ec89.ZkSslClientEnableProp,
> > kafka.server.KafkaConfig$@7b22ec89.ZkClientCnxnSocketProp, and
> > kafka.server.KafkaConfig$@7b22ec89.ZkSslKeyStoreLocationProp was not
> > present and the verification of the JAAS login file failed
> > [java.security.auth.login.config=./../config/kafka_server_jaas.conf,
> > zookeeper.sasl.client=false, zookeeper.sasl.clientconfig=default:Client]
> >
> >         at kafka.server.KafkaServer.initZkClient(KafkaServer.scala:445)
> >
> >         at kafka.server.KafkaServer.startup(KafkaServer.scala:191)
> >
> >         at kafka.Kafka$.main(Kafka.scala:109)
> >
> >         at kafka.Kafka.main(Kafka.scala)
> >
> >
> > "This was the 2nd result in a google search:
> > https://docs.confluent.io/platform/current/security/zk-security.html";
> >
> > FYKI, I've googled, asked chat gpt, surfed over many zookeeper and kafka
> > docs and blog,
> > I remember trying the doc you suggested here about 10 days back in the
> > initial days of this task!
> > About the doc you suggested,
> > I cannot configure SSL, as I already mentioned. If I skip the SSL config part
> > from your suggested doc and try Digest-MD5, I get the "saslToken missing"
> > exception which I mentioned above!
> > I don't really understand what saslToken is and how to make it get
> > generated for Digest auth!
> > Please assist!
> >
> > On Thu, Nov 9, 2023 at 7:15 PM Alex Craig <alexcrai...@gmail.com> wrote:
> >
> > > " I couldn't find any doc by kafka to enable Digest-MD5 authentication."
> > > This was the 2nd result in a google search:
> > > https://docs.confluent.io/platform/current/security/zk-security.html
> > >
> > > " I don't want to enable SASL."
> > > Digest-MD5 is SASL authentication, so not sure what you mean here.
> > >
> > > " If I set zookeeper.set.acl=true, I'm forced to configure TLS."
> > > Hmm, that config shouldn't have anything to do with TLS. You can set ACL's
> > > with or without TLS encryption.  Were you getting an error?
> > >
> > > On Wed, Nov 8, 2023 at 11:35 PM arjun s v <arjun.cs...@gmail.com> wrote:
> > >
> > > > Team,
> > > >
> > > > Please consider this as high priority, we need to enable authentication
> > > > ASAP. Please assist.
> > > > On Tue, Nov 7, 2023 at 4:38 PM arjun s v <arjun.cs...@gmail.com> wrote:
> > > >
> > > > > Hi team,
> > > > >
> > > > > I'm trying to configure *Digest-MD5* authentication between kafka and
> > > > > zookeeper.
> > > > > Also I need to set ACL with digest scheme and credentials.
> > > > > I don't want to enable SASL.
> > > > > I tried to follow this
> > > > > <https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication>
> > > > > doc from zookeeper,
> > > > >
> > > > >    - If I configured a jaas file, I have to set zookeeper.sasl.client=true (if
> > > > >      not, kafka throws an error from JaasUtils), which enables sasl authentication.
> > > > >    - If I set zookeeper.set.acl=true, I'm forced to configure TLS.
> > > > >
> > > > > I couldn't find any doc by kafka to enable Digest-MD5 authentication.
> > > > > I cannot configure kerberos or TLS, just a Digest-MD5 is sufficient for my
> > > > > usecase.
> > > > > Please let me know if there are any docs to enable Digest-MD5 auth between
> > > > > kafka and zookeeper.
> > > > >
> > > > > Regards,
> > > > > Arjun S V
> > > > >
> > > >
> > >
> >
>
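An added consistency check (not code from this thread, nor from Kafka or ZooKeeper) that parses both JAAS files and reports the mismatches discussed above: a Server context written with client-style username/password instead of the user_<name>="<password>" form DigestLoginModule expects, no server-side user entry matching the broker's Client credentials, and zookeeper.set.acl=true combined with zookeeper.sasl.client=false, which the quoted startup error shows failing the JAAS verification. The sample files are constructed and modelled on the ones posted; the regexes assume the simple key="value" JAAS syntax used in them.

```python
import re

# Constructed sample input modelled on the files in the thread (not the poster's real files):
# the broker's Client context and a ZooKeeper Server context written in client style.
KAFKA_JAAS = '''Client {
  org.apache.zookeeper.server.auth.DigestLoginModule required
  username="super"
  password="adminsecret";
};'''
ZK_JAAS = '''Server {
  org.apache.zookeeper.server.auth.DigestLoginModule required
  username="super"
  password="adminsecret";
};'''
KAFKA_PROPS = {"zookeeper.set.acl": "true", "zookeeper.sasl.client": "false"}

SECTION = re.compile(r'(\w[\w.]*)\s*\{(.*?)\};', re.S)   # LoginContext { ... };
OPTION = re.compile(r'(\w+)\s*=\s*"([^"]*)"')            # key="value"

def parse_jaas(text):
    """Map each JAAS login context name to its key="value" options."""
    return {name: dict(OPTION.findall(body)) for name, body in SECTION.findall(text)}

def check(kafka_jaas, zk_jaas, kafka_props):
    """Return findings for the broker->ZooKeeper DIGEST-MD5 setup; [] means consistent."""
    findings = []
    client = parse_jaas(kafka_jaas).get("Client")   # context name from the error in the thread
    server = parse_jaas(zk_jaas).get("Server")
    if client is None:
        findings.append("broker JAAS file has no Client context")
    if server is None:
        findings.append("ZooKeeper JAAS file has no Server context")
    # Per the startup error quoted in the thread, Kafka's set.acl check fails when
    # zookeeper.sasl.client=false, whatever the JAAS file holds.
    if kafka_props.get("zookeeper.set.acl") == "true" and \
            kafka_props.get("zookeeper.sasl.client") == "false":
        findings.append("zookeeper.set.acl=true with zookeeper.sasl.client=false: "
                        "the Client context is never used for ZooKeeper")
    if client and server:
        # DigestLoginModule declares server-side users as user_<name>="<password>";
        # username/password keys belong in the Client context only.
        if "username" in server or "password" in server:
            findings.append("Server context uses username/password instead of user_<name>")
        user, pw = client.get("username"), client.get("password")
        if server.get(f"user_{user}") != pw:
            findings.append(f"Server context has no user_{user} matching the Client password")
    return findings
```

Run `check(KAFKA_JAAS, ZK_JAAS, KAFKA_PROPS)` against your real files to get the list of findings; an empty list means the three contexts agree.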
