Yolean/kubernetes-kafka

Kafka Security . INFO [SocketServer brokerId=0] Failed authentication with /10.244.0.1 (Unexpected Kafka request of type METADATA during SASL handshake.) (org.apache.kafka.common.network.Selector)

Kuttaiah opened this issue · 2 comments

Hello,

We use confluentinc/cp-kafka and kafka version is 5.4.0-ccs.

My use case is to have inter-broker communication via PLAINTEXT and producer/consumer via SASL/OAUTHBEARER, hence I have the below configuration in my Helm chart values:

```yaml
"zookeeper.sasl.enabled": false
# Disable hostname verification, default is https.
"ssl.endpoint.identification.algorithm":
"inter.broker.listener.name": PLAINTEXT
"listener.name.external.sasl.enabled.mechanisms": OAUTHBEARER
"listener.name.external.oauthbearer.sasl.login.callback.handler.class": oracle.insight.common.kafka.security.OAuthBearerSignedLoginCallbackHandler
"listener.name.external.oauthbearer.sasl.server.callback.handler.class": oracle.insight.common.kafka.security.OAuthBearerSignedValidatorCallbackHandler
"listener.security.protocol.map": PLAINTEXT:PLAINTEXT,EXTERNAL:SASL_PLAINTEXT
"listener.name.external.oauthbearer.sasl.jaas.config": org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required signedLoginStringClaim_ocid=insightAdmin signedLoginKeyServiceClass=oracle.insight.common.security.SMSKeyService signedValidatorKeyServiceClass=oracle.insight.common.security.SMSKeyService;
"advertised.listeners": EXTERNAL://kafka-$((${KAFKA_BROKER_ID})).mydomain:$((${KAFKA_OUTSIDE_PORT} + ${KAFKA_BROKER_ID}))
```

With this, when the Kafka broker is provisioned in k8s, I get the below continuously. This is critical for our release a few days from now. Please help.

```
[2020-01-30 17:23:55,228] INFO [SocketServer brokerId=0] Failed authentication with /10.244.0.1 (Unexpected Kafka request of type METADATA during SASL handshake.) (org.apache.kafka.common.network.Selector)
[2020-01-30 17:23:55,633] INFO [SocketServer brokerId=0] Failed authentication with /10.244.0.1 (Unexpected Kafka request of type METADATA during SASL handshake.) (org.apache.kafka.common.network.Selector)
[2020-01-30 17:23:55,989] INFO [SocketServer brokerId=0] Failed authentication with /10.244.0.1 (Unexpected Kafka request of type METADATA during SASL handshake.) (org.apache.kafka.common.network.Selector)
```

Thank you.

> We use confluentinc/cp-kafka and kafka version is 5.4.0-ccs.

That doesn't sound at all like related to this repository.

Please do not close this jira. The configuration which is mentioned is in helm chart values.

```yaml
configurationOverrides:
  "offsets.topic.replication.factor": 1
  "confluent.support.metrics.enable": false  # Disables confluent metric submission
  "auto.create.topics.enable": false
  "delete.topic.enable": true
  "unclean.leader.election.enable": false
  "zookeeper.connect": zookeeper.zookeeper.svc.cluster.local:2181
  "zookeeper.sasl.enabled": false
  # Disable hostname verification, default is https.
  "ssl.endpoint.identification.algorithm":
  "inter.broker.listener.name": PLAINTEXT
  "listener.name.external.sasl.enabled.mechanisms": OAUTHBEARER
  "listener.name.external.oauthbearer.sasl.login.callback.handler.class": oracle.insight.common.kafka.security.OAuthBearerSignedLoginCallbackHandler
  "listener.name.external.oauthbearer.sasl.server.callback.handler.class": oracle.insight.common.kafka.security.OAuthBearerSignedValidatorCallbackHandler
  "listener.security.protocol.map": PLAINTEXT:PLAINTEXT,EXTERNAL:SASL_PLAINTEXT
  "listener.name.external.oauthbearer.sasl.jaas.config": org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required signedLoginStringClaim_ocid=insightAdmin signedLoginKeyServiceClass=oracle.insight.common.security.SMSKeyService signedValidatorKeyServiceClass=oracle.insight.common.security.SMSKeyService;
  "advertised.listeners": EXTERNAL://kafka-$((${KAFKA_BROKER_ID})).mydomain:$((${KAFKA_OUTSIDE_PORT} + ${KAFKA_BROKER_ID}))
```

My basic question is: even though I set

`"inter.broker.listener.name": PLAINTEXT`

after provisioning, why does the broker communicate via SASL?
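A triage sketch for the broker log quoted in this issue, added here as an example and not part of the original thread or of either project's code. It groups `Failed authentication` lines by peer address and separates peers whose first request on a SASL listener was an ordinary Kafka API call (the "Unexpected Kafka request ... during SASL handshake" reason, meaning the peer never started a SASL handshake) from peers that failed for another reason. The function name `triage`, the report fields and the last sample line are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Sample input: the three lines quoted in the issue plus one constructed, unrelated line.
SAMPLE_LOG = """\
[2020-01-30 17:23:55,228] INFO [SocketServer brokerId=0] Failed authentication with /10.244.0.1 (Unexpected Kafka request of type METADATA during SASL handshake.) (org.apache.kafka.common.network.Selector)
[2020-01-30 17:23:55,633] INFO [SocketServer brokerId=0] Failed authentication with /10.244.0.1 (Unexpected Kafka request of type METADATA during SASL handshake.) (org.apache.kafka.common.network.Selector)
[2020-01-30 17:23:55,989] INFO [SocketServer brokerId=0] Failed authentication with /10.244.0.1 (Unexpected Kafka request of type METADATA during SASL handshake.) (org.apache.kafka.common.network.Selector)
[2020-01-30 17:23:56,000] INFO constructed line that is not an authentication failure
"""

FAILED = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \w+ \[SocketServer brokerId=(?P<broker>\d+)\] "
    r"Failed authentication with \S*/(?P<ip>[0-9A-Fa-f.:]+) "
    r"\((?P<reason>.*)\) \([\w.]+\)$")
# Reason logged when the first request on a SASL listener is an ordinary API
# call, i.e. the peer connected without starting a SASL handshake.
PRE_SASL = re.compile(r"Unexpected Kafka request of type (\w+) during SASL handshake")

def triage(log_text):
    """Group failed authentications by peer IP (hypothetical report format)."""
    peers = defaultdict(lambda: {"times": [], "requests": Counter(), "other": 0})
    for line in log_text.splitlines():
        m = FAILED.match(line.strip())
        if not m:
            continue
        peer = peers[m["ip"]]
        peer["times"].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"))
        req = PRE_SASL.search(m["reason"])
        if req:
            peer["requests"][req[1]] += 1
        else:
            peer["other"] += 1  # any other failure reason
    report = {}
    for ip, peer in peers.items():
        times = sorted(peer["times"])
        mean_gap = (times[-1] - times[0]) / (len(times) - 1) if len(times) > 1 else None
        report[ip] = {
            "failures": len(times),
            "pre_sasl_requests": dict(peer["requests"]),
            "sasl_never_started": peer["other"] == 0,
            # Mean spacing between attempts from this peer, in whole milliseconds.
            "mean_gap_ms": mean_gap // timedelta(milliseconds=1) if mean_gap is not None else None,
        }
    return report

if __name__ == "__main__":
    for ip, summary in triage(SAMPLE_LOG).items():
        print(ip, summary)
```

A peer reported with `sasl_never_started` set is a client that reached a SASL-protected listener without SASL client settings, so the next check is which listener port that address is connecting to.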