Hi team :wave:
I want to keep the realtime table c...
# troubleshootingb
Bruno Mendes
10/17/2022, 5:38 PMHi team 👋
I want to keep the realtime table configuration in a git repo but dont want to expose the kafka login credentials, is it possible to pass these on a jaas like configuration file?
k
Kishore G
10/17/2022, 5:39 PM
You can use environment variables in table config..
👍 1
b
Bruno Mendes
10/17/2022, 5:41 PMthanks Kishore
the table is a configmap, do you know if somehow I can override them? I tried but no success
Bruno Mendes
10/17/2022, 5:45 PM@Kishore G is kubernetes configmap and job a good way to create tables or there is another way best recommended?
k
Kishore G
10/17/2022, 5:49 PM
@Xiang Fu might be able to help you on that..
x
Xiang Fu
10/17/2022, 6:24 PM
how do you want to use this table conf file? Table creation?
If so, just write your own script for table creation, which takes the table template and apply secrets as environment variables.
Xiang Fu
10/17/2022, 6:25 PM
You can import secrets to env variables and mount table request template using configmap
b
Bruno Mendes
10/17/2022, 8:03 PM@Xiang Fu yes, I want to use for table creation..
If so, just write your own script for table creation, which takes the table template and apply secrets as environment variables.
Do you have an example on how to set this?
Bruno Mendes
10/17/2022, 8:06 PMI was trying to create a
jaas.conf-Djava.security.auth.login.config=/etc/kafka/secrets/jaas.conf Copy code
apiVersion: v1
kind: ConfigMap
metadata:
name: cfmp
namespace: pinot
data:
realtime.json: |-
{
...
# REALTIME table
}
schema.json: |-
{
# schema
}
---
apiVersion: batch/v1
kind: Job
metadata:
name: job
namespace: pinot
spec:
template:
spec:
containers:
- name: pinot-job
image: apachepinot/pinot:latest
args: [ "AddTable", "-schemaFile", "/var/pinot/cfmp/schema.json", "-tableConfigFile", "/var/pinot/cfmp/realtime.json", "-controllerHost", "pinot-controller", "-controllerPort", "9000", "-exec" ]
env:
- name: JAVA_OPTS
value: "-Xms4G -Xmx4G -Dpinot.admin.system.exit=true -Djava.security.auth.login.config=/etc/kafka/secrets/jaas.conf"
volumeMounts:
- name: cfmp
mountPath: /var/pinot/examples
- name: kafka-secret
mountPath: /etc/kafka/secrets
subPath: rest_jaas.conf
restartPolicy: Never
volumes:
- name: cfmp
configMap:
name: cfmp
- name: kafka-secret
secret:
secretName: kafka-secret
backoffLimit: 0x
Xiang Fu
10/17/2022, 8:45 PM
there is no out-of-box solution right now. What I mean is that you can have some place-holder string in your template file, and have a separated init-container step to assemble your secret.
Copy code
sed 's/JAAS_CONFIG_PATH/${JAAS_CONFIG_PATH}/g' /var/pinot/cfmp/realtime.json👍 1
Xiang Fu
10/17/2022, 8:46 PM
Note that
-Djava.security.auth.login.config=/etc/kafka/secrets/jaas.conf"👍 1
Xiang Fu
10/17/2022, 8:46 PM
which is not the right way, cause you may want to connect to multiple kafka
b
Bruno Mendes
10/17/2022, 9:05 PMthanks @Xiang Fu
Bruno Mendes
09/11/2023, 9:03 PM@Xiang Fu Hi there,
even with it's drawback I wanna try to auth hiddin the username and password.
I've tried the following:
• created a jaas.conf:
Copy code
KafkaClient {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="foo"
password="bar";
};"-Djava.security.auth.login.config=/etc/kafka/secrets/jaas.conf" Copy code
[...]
"tableIndexConfig": {
"loadMode": "MMAP",
"streamConfigs": {
"streamType": "kafka",
"stream.kafka.topic.name": "test",
"stream.kafka.consumer.type": "lowlevel",
"stream.kafka.consumer.prop.auto.offset.reset": "7d",
"stream.kafka.consumer.factory.class.name": "org.apache.pinot.plugin.stream.kafka20.KafkaConsumerFactory",
"stream.kafka.broker.list": "my-confluent-address:9092",
"stream.kafka.decoder.class.name": "org.apache.pinot.plugin.stream.kafka.KafkaJSONMessageDecoder",
"stream.kafka.decoder.prop.basic.auth.credentials.source": "USER_INFO",
"sasl.mechanism": "PLAIN",
"security.protocol": "SASL_PLAINTEXT",
"sasl.enabled.mechanisms": "PLAIN",
"realtime.segment.flush.threshold.rows": "50000",
"realtime.segment.flush.threshold.time": "3h",
"realtime.segment.flush.threshold.segment.size": "150M"
}
}
[...] Copy code
{
"code": 500,
"error": "org.apache.pinot.spi.stream.TransientConsumerException: org.apache.pinot.shaded.org.apache.kafka.common.errors.TimeoutException: Timeout expired while fetching topic metadata"
}x
Xiang Fu
09/12/2023, 12:10 AM
per: https://docs.pinot.apache.org/basics/data-import/pinot-stream-ingestion/import-from-apache-kafka#use-kafka-partition-low-[…]l-consumer-with-sasl_ssl Can you try to see if explicitly adding
"sasl.jaas.config":"org.apache.kafka.common.security.scram.ScramLoginModule required username=\"foo\" password=\"bar\";","-Djava.security.auth.login.config=/etc/kafka/secrets/jaas.conf"Xiang Fu
09/12/2023, 12:11 AM
Another try is to load this jaas content as an environment variable, then use table config override: https://docs.pinot.apache.org/configuration-reference/table#environment-variables-override
Xiang Fu
09/12/2023, 12:12 AM
note, you need this for all pinot controller/servers to ensure the connectivity
b
Bruno Mendes
09/12/2023, 3:03 AMOh thank you a lot @Xiang Fu
Actually I’m trying to use the file to not let available the topic credentials at the UI.
So I was trying to put the auth info out of the table conf…
Bruno Mendes
09/12/2023, 3:04 AM@Xiang Fu do you know other way I can achieve this? Not showing creds on ui after the table is created?
x
Xiang Fu
09/12/2023, 3:47 AM
use the ENV Var?
b
Bruno Mendes
09/22/2023, 7:22 PMEnv displays it's string after the table is uploaded.
Bruno Mendes
09/22/2023, 7:23 PMActually I used the config "*queryConsoleOnlyView*" to achieve what I was looking for
Bruno Mendes
09/22/2023, 7:23 PMthanks
x
Xiang Fu
09/23/2023, 5:27 AM
Ah, I see.
b
Bruno Mendes
09/26/2023, 3:17 AM@Xiang Fu
hi, im trying to use env vars and concatenate them but facing some issues,
I've posted on #C011C9JHN7R...
https://apache-pinot.slack.com/archives/C011C9JHN7R/p1695698071820449
do you have any guess? tkss