Kafka with Kerberos enabled reports the error "server not found in kerberos database"

Kafka has SASL (Kerberos) enabled; server.properties is configured as follows

sasl.enabled.mechanisms: GSSAPI
security.inter.broker.protocol: SASL_PLAINTEXT
ssl.mode.enable: false
allow.everyone.if.no.acl.found: true
sasl.port: 19092

The server-side jaas.conf contains

KafkaServer {
com.sun.security.auth.module.Krb5LoginModule required
debug=false
keyTab="/opt/kafka/keytabs/kafka.keytab"
useTicketCache=false
storeKey=true
principal="kafka/[email protected]"
useKeyTab=true;
};

KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/opt/kafka/keytabs/kafka.keytab"
principal="kafka/[email protected]"
storeKey=true
debug=false
useTicketCache=false;
};

Client {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
principal="kafka/[email protected]"
useTicketCache=false
keyTab="/opt/kafka/keytabs/kafka.keytab"
debug=false
useKeyTab=true;
};

From the client, query the API version information of all nodes in the Kafka cluster

kafka-broker-api-versions.sh --bootstrap-server  192.168.1.140:19092

This fails with

Request METADATA failed on brokers List

This is because the client has not enabled SASL.
Edit client.properties

sasl.mechanism=GSSAPI
security.protocol=SASL_PLAINTEXT 
sasl.kerberos.service.name=kafka
sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required \
    useKeyTab=true \
    storeKey=true \
    keyTab="/opt/kafkaclient/keytabs/kafka.keytab" \
    principal="kafka/[email protected]" \
    renewTGT=true \
    useTicketCache=true;

Run the command

kafka-broker-api-versions.sh --bootstrap-server  192.168.1.140:19092 --command-config client.properties

This fails with

no vailid crdentials provided
server not found in kerberos database
identifier doesn't match expected value

Check the Kerberos log krb5kdc.log

LOOKING_UP_SERVER: [email protected] for kafka/[email protected],Server not found in Kerberos database

This shows the service name is wrong; the correct service name is: kafka/[email protected]

Modify client.properties

sasl.mechanism=GSSAPI
security.protocol=SASL_PLAINTEXT 
sasl.kerberos.service.name=kafka
kerberos.domain.name=hadoop.test.com
sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required \
    useKeyTab=true \
    storeKey=true \
    keyTab="/opt/kafkaclient/keytabs/kafka.keytab" \
    principal="kafka/[email protected]" \
    renewTGT=true \
    useTicketCache=true;

Run again

kafka-broker-api-versions.sh --bootstrap-server 192.168.1.140:19092 --command-config client.properties

The correct result is now returned.

The hostname in the principal

Check the Kerberos log krb5kdc.log; if the error is

LOOKING_UP_SERVER: kafka/[email protected] for kafka/[email protected]

this shows that the client reverse-resolves the broker IP into a hostname (via the hosts file) and uses that hostname to build the service principal;
the principal format is primary/hostname@REALM

Therefore, another solution is to modify /etc/hosts

192.168.1.140 hadoop.test.com
