hi guys i have multiple kafka sasl separate Kerb...
# troubleshooting
b
Hi guys, I have multiple Kafka SASL setups, each with a separate Kerberos. I don't know which parameter on the real-time table to use to point to krb5.conf, or to the content inside krb5.conf. I need to configure real-time tables with multiple KDCs. Please recommend which parameter, or an example, to use for that.
m
@User any suggestions ^^
a
this one is for @User
c
I haven't played around with Kerberos config in Pinot myself. Can't give any quick answer, I'm afraid, but can you share the error you're seeing? Also I'm assuming you've seen this for Kafka client config: https://docs.confluent.io/platform/current/kafka/authentication_sasl/authentication_sasl_gssapi.html#clients
If you have a working Kafka client, the same config should work with Pinot.
My suggestion is to get the client working first.
b
This is my config that is working with one KDC (/etc/krb5.conf), but I need to configure a new table that consumes from another Kerberos too. I don't know which parameter to use to point to krb5.conf in the table config @User.

```json
"streamConfigs": {
  "streamType": "kafka",
  "stream.kafka.topic.name": "PROD-json-MB-Postpaid-Sales-Online",
  "stream.kafka.broker.list": "tykbpr019092,tykbpr029092,tykbpr01:9092",
  "stream.kafka.consumer.type": "lowlevel",
  "stream.kafka.consumer.prop.auto.offset.reset": "smallest",
  "stream.kafka.consumer.factory.class.name": "org.apache.pinot.plugin.stream.kafka20.KafkaConsumerFactory",
  "stream.kafka.decoder.class.name": "org.apache.pinot.plugin.stream.kafka.KafkaJSONMessageDecoder",
  "realtime.segment.flush.threshold.rows": "0",
  "realtime.segment.flush.threshold.time": "1h",
  "realtime.segment.flush.segment.size": "100m",
  "stream.kafka.consumer.group.id": "rdp_lookup",
  "security.protocol": "SASL_SSL",
  "sasl.mechanism": "GSSAPI",
  "sasl.kerberos.service.name": "kafka",
  "ssl.truststore.location": "/data/apache-pinot/keytab/tykbpr.client.truststore.jks",
  "ssl.truststore.password": "xxxx",
  "sasl.jaas.config": "com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true useKeyTab=true storeKey=true keyTab=\"/data/apache-pinot/keytab/U-SVC-RDP.keytab\" principal=\"U-SVC-RDP@TRUE.TH\" doNotPrompt=false;"
}
```
I'll check the link that you recommended.
Can I put everything into this parameter? `sasl.jaas.config=`
```
cat /etc/krb5.conf
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TRUE.TH
 kdc_timesync = 1
 ticket_lifetime = 7d
 renew_lifetime = 15d

[realms]
 TRUE.TH = {
  admin_server = true.th
  kdc = true.th
 }
 TRUE.CARE = {
  kdc = smbadpr1b
  admin_server = true.care
 }
 KAFKA.SECURE = {
  admin_server = napat-test
  kdc = napat-test
 }
```
I tried to use this to point to krb5.conf: `"security.krb5.config": "/etc/krb5truecare.conf"`. It's not working.
c
@User I really think this is a Kafka question.
We need to identify the right JAAS config that can accept a custom krb5.conf path instead of the default in "/etc/".
I actually googled around but couldn't find it. The only mention is the Java argument `-Djava.security.krb5.conf`, but that won't work for your scenario since you want to do this programmatically.
b
Yes, if I set it on Java it's only 1 krb5.conf.
I have multiple KDCs.
Does Pinot support multiple Kerberos for one Pinot cluster or not? @User
```json
{
  "_code": 500,
  "_error": "org.apache.kafka.common.errors.SaslAuthenticationException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]) occurred when evaluating SASL token received from the Kafka Broker. Kafka Client will go to AUTHENTICATION_FAILED state."
}
```