logstash-plugins/logstash-integration-kafka

Kerberos authentication failure

pthalasta opened this issue · 8 comments

I'm trying to write data to a Kafka broker authenticated with Kerberos using GSSAPI and SASL_SSL. When I start the Logstash agent it errors out with "Received Timeout" from Kerberos, but when I use kinit to get the ticket from Kerberos it works perfectly fine without any issues.

Logstash Config:

    input {
      file {
        path => "<path of log file to monitor>"
      }
    }
    output {
      kafka {
        topic_id => "<topic>"
        bootstrap_servers => "broker-list"
        compression_type => "snappy"
        jaas_path => "<path/to/jaas/config/file>"
        kerberos_config => "/etc/krb5.conf"
        sasl_kerberos_service_name => "kafka"
        security_protocol => "SASL_SSL"
        client_id => "<unique identifier of client>"
        ssl_truststore_location => "<ssl truststore in jks format>"
        ssl_truststore_password => "<password for truststore>"
      }
    }

JAAS config

    KafkaClient {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      keyTab="logstash.service.keytab"
      storeKey=true
      useTicketCache=false
      serviceName="kafka"
      debug=true
      principal="logstash/domain@REALM";
    };
  • Version: 7.10.1
  • Java Version: openjdk version "11.0.9.1" 2020-11-04
  • Operating System: Ubuntu 18.04.5 LTS

How do I fix this issue?
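A stand-alone sanity check of a JAAS entry like the one above, added here as an example for this thread (it is not code from logstash-integration-kafka): it parses the `KafkaClient` section and flags settings that commonly leave `Krb5LoginModule` without a usable credential (a relative `keyTab` path, no `principal` or no realm, neither keytab nor ticket cache enabled). The JAAS grammar assumed, the rule set and the constructed sample config are this example's own.

```ruby
# Added example (not part of logstash-integration-kafka): parse a JAAS file and
# sanity-check its KafkaClient / Krb5LoginModule entry before starting Logstash.
# Assumption: the JAAS grammar handled here is the one in the posted config,
# i.e.  Name { module flag key=value ... ; };

KRB5_MODULE = 'com.sun.security.auth.module.Krb5LoginModule'

# Constructed sample, copied from the config in the issue (relative keyTab and all).
SAMPLE_JAAS = <<~JAAS
  KafkaClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="logstash.service.keytab"
    storeKey=true
    useTicketCache=false
    serviceName="kafka"
    debug=true
    principal="logstash/domain@REALM";
  };
JAAS

# Returns { "KafkaClient" => [ { module:, flag:, options: { "keyTab" => "...", ... } } ] }.
def parse_jaas(text)
  sections = {}
  cleaned = text.gsub(%r{^\s*//.*$}, '')           # drop full-line // comments
  cleaned.scan(/(\w+)\s*\{(.*?)\}\s*;?/m) do |name, body|
    entries = body.split(';').map(&:strip).reject(&:empty?)
    sections[name] = entries.map do |entry|
      # key="quoted value" | key=bare | bare word (module name, control flag)
      tokens = entry.scan(/[\w.]+=(?:"[^"]*"|[^\s"]+)|\S+/)
      mod, flag, *opts = tokens
      options = opts.each_with_object({}) do |tok, h|
        k, v = tok.split('=', 2)
        h[k] = v.to_s.delete('"')
      end
      { module: mod, flag: flag, options: options }
    end
  end
  sections
end

# Returns a list of human-readable problems; an empty list means the entry looks usable.
def check_kafka_client(sections)
  entry = (sections['KafkaClient'] || []).find { |e| e[:module] == KRB5_MODULE }
  return ['no KafkaClient section using Krb5LoginModule'] unless entry

  o = entry[:options]
  problems = []
  problems << "control flag is #{entry[:flag].inspect}, expected \"required\"" unless entry[:flag] == 'required'
  if o['useKeyTab'] == 'true'
    if o['keyTab'].to_s.empty?
      problems << 'useKeyTab=true but keyTab is not set'
    elsif !o['keyTab'].start_with?('/')
      # Krb5LoginModule resolves a relative keyTab against the JVM working directory,
      # which for a Logstash service is rarely the directory the file lives in.
      problems << 'keyTab path is relative; use an absolute path'
    end
    problems << 'useKeyTab=true should be paired with storeKey=true' unless o['storeKey'] == 'true'
  elsif o['useTicketCache'] != 'true'
    problems << 'neither useKeyTab=true nor useTicketCache=true: no credential source'
  end
  if o['principal'].to_s.empty?
    problems << 'principal is not set'
  elsif !o['principal'].include?('@')
    problems << 'principal has no @REALM suffix'
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  jaas = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_JAAS
  problems = check_kafka_client(parse_jaas(jaas))
  puts(problems.empty? ? 'KafkaClient entry looks usable' : problems.map { |p| "- #{p}" })
end
```

Run with the path of the real JAAS file as the only argument; against the posted config it reports just the relative `keyTab` path. With `debug=true` already set in the entry, the Krb5LoginModule output on stdout shows which keytab file the JVM actually opened and whether a TGT was obtained, which is the quickest way to confirm or rule out that finding.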

I have nearly the same behaviour with the use of a schema registry with Avro messages.
Connection to schema registry ends with a 401 error, due to the fact that connectivity checks are done in common.rb.

When I comment out the check_for_schema_registry_connectivity_and_subjects call, the connection is OK:

def check_schema_registry_parameters
  if @schema_registry_url
    check_for_schema_registry_conflicts
    @schema_registry_proxy_host, @schema_registry_proxy_port  = split_proxy_into_host_and_port(schema_registry_proxy)
    check_for_key_and_secret
    # check_for_schema_registry_connectivity_and_subjects
  end
end

Is it because the connectivity check is done without Kerberos authentication?

I agree with @gni-icdc.

The problem is here:
https://github.com/logstash-plugins/logstash-integration-kafka/blob/master/lib/logstash/plugin_mixins/common.rb#L58

The Kafka call here is done using the Manticore Ruby API, while other Kafka calls are done through the Java component that deals with Kerberos authentication.

Please fix it, this is a blocking issue for us.
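The two comments above describe the same failure mode: the registry reachability check runs over plain HTTP without the Kerberos credentials the Java Kafka client holds, so a Kerberos-protected registry answers 401. The probe below, added as an example for this thread (not plugin code; it uses Net::HTTP rather than Manticore so it runs on plain Ruby), classifies such a response as "reachable, credentials required" instead of lumping it in with a connection failure. The stub server is a constructed stand-in for a registry that challenges with `WWW-Authenticate: Negotiate`.

```ruby
# Added example (not part of logstash-integration-kafka): classify what an anonymous
# HTTP probe of a schema registry actually tells you, so a 401 from a Kerberos-protected
# registry is reported as "reachable but needs credentials", not as "unreachable".
# Assumption: the stub server is a constructed stand-in for such a registry.
require 'socket'
require 'net/http'
require 'uri'

def probe_schema_registry(url, timeout: 2)
  uri = URI(url)
  path = uri.path.empty? ? '/subjects' : uri.path
  Net::HTTP.start(uri.host, uri.port, open_timeout: timeout, read_timeout: timeout) do |http|
    res = http.get(path)
    case res.code.to_i
    when 200      then { status: :ok, code: 200 }
    when 401, 403 then { status: :auth_required, code: res.code.to_i, challenge: res['WWW-Authenticate'] }
    else               { status: :error, code: res.code.to_i }
    end
  end
rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH, Net::OpenTimeout, SocketError => e
  { status: :unreachable, error: e.class.name }
end

# Minimal HTTP responder on 127.0.0.1 that answers every request with one fixed status
# line and optional headers (constructed for the example; returns the listening port).
def start_stub_registry(status_line, extra_headers = {})
  server = TCPServer.new('127.0.0.1', 0)
  Thread.new do
    loop do
      client = server.accept
      while (line = client.gets) && line != "\r\n"; end   # skip request line and headers
      body = '[]'
      headers = extra_headers.map { |k, v| "#{k}: #{v}\r\n" }.join
      client.write("HTTP/1.1 #{status_line}\r\n#{headers}Content-Type: application/json\r\n" \
                   "Content-Length: #{body.bytesize}\r\nConnection: close\r\n\r\n#{body}")
      client.close
    end
  end
  server.addr[1]
end

if __FILE__ == $PROGRAM_NAME
  port = start_stub_registry('401 Unauthorized', 'WWW-Authenticate' => 'Negotiate')
  p probe_schema_registry("http://127.0.0.1:#{port}/subjects")
end
```

The distinction matters for the plugin's pre-flight check: a `:auth_required` result with a `Negotiate` challenge tells the operator the registry is up and that the check itself lacks Kerberos, which is exactly the situation in this thread, whereas `:unreachable` points at the network or the URL.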

jsvd commented

Hi folks, I'm investigating this and I'd like to confirm a few things.
The schema registry feature is only available on the input plugin (not the output), and is only enabled when the schema_registry_url setting is declared in the pipeline configuration.

The opening issue shows a kafka output configuration, so there seem to be two separate issues here?
@fbaligand and @gni-icdc can you confirm your scenario involves the kafka input AND setting the schema_registry_url?

Hi João @jsvd , yes exactly! Our scenario occurs with the input plugin and with the schema_registry_url set in this input.

jsvd commented

Let's continue this conversation in #72, since it's not related to the original issue raised by @pthalasta

I believe this problem should have been solved with #97. Please update to the latest (10.8.0) version of the kafka integration plugin

Great!
I will test it!

Given my tests with recent versions of the plugin, this issue is fixed and can be closed.