Kafka cluster updated from PLAINTEXT to SASL_PLAINTEXT, cannot get Mirrormaker to work










0














We have two separate kafka clusters in two datacenters and have configured Mirrormaker to replicate a set of topics. Each datacenter is running 3 nodes with kafka and mirrormaker. This setup is running correctly.



To enable more security, we need SASL_PLAINTEXT, or better SASL_SSL.



I configured SASL_PLAINTEXT in one of our datacenters on all three nodes:



Added in /etc/sysconfig/kafka:



KAFKA_OPTS="-Djava.security.auth.login.config=/etc/kafka/kafka_server.jaas"



Created /etc/kafka/kafka_server.jaas:



KafkaServer {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="admin"
    password="admin-secret";
};
KafkaClient {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="admin"
    password="admin-secret";
};


Changed listeners in /etc/kafka/server.properties:



listeners=PLAINTEXT://0.0.0.0:443,SASL_PLAINTEXT://0.0.0.0:29093,SASL_SSL://0.0.0.0:29094
advertised.listeners=PLAINTEXT://node1.app.gen.local:443,SASL_PLAINTEXT://node1.app.gen.local:29093,SASL_SSL://node1.app.gen.local:29094


Added to /etc/kafka/server.properties:



authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
allow.everyone.if.no.acl.found=true
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
super.users=User:admin
zookeeper.set.acl=false


After these changes, a successful test was performed on the first kafka node to test the SASL port, like this:



export KAFKA_OPTS="-Djava.security.auth.login.config=/etc/kafka/kafka_server.jaas"
/u01/app/kafka/bin/kafka-console-consumer.sh --bootstrap-server localhost:29093 --topic topictest1 --from-beginning --consumer.config=/etc/kafka/consumer.properties


/etc/kafka/consumer.properties:



security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
bootstrap.servers=localhost:29093


/etc/kafka/producer.properties:



security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
bootstrap.servers=localhost:29093


So the consumer on the newly created SASL port can read the existing topics in the cluster on which no ACLs have been set yet. This was also the expected behaviour.



The only problem now is that mirrormaker is broken between the new secured cluster and the second, non-secured cluster. I tried to fix it by making the following changes to the file that holds the consumer properties for mirrormaker, /etc/kafka/mirrormaker-consumer.properties:



bootstrap.servers=node1.app.gen.local:29093,node2.app.gen.local:29093,node3.app.gen.local:29093
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
  username="admin" \
  password="admin-secret";



Mirrormaker starts, lots of entries in the DEBUG log, but the messages are not copied from the secured cluster to the (still) unsecured cluster.



What could I have missed?










apache-kafka






asked Nov 12 at 12:15









Paul de Crom

  • I would suggest making some temporary topic for testing that the CLI tools alone can produce and consume between the clusters you're interacting with. Once you have that working, use the same properties in the MirrorMaker configs
    – cricket_007
    Nov 12 at 13:32




























1 Answer


















0














Thanks, I solved this by your suggestion to test consumer and producer separately. It appeared that I had an ACL defined with topic '*' in there that prevented Mirrormaker's consumer from reading the topics from its PLAINTEXT port.



What I have learned: if you put an ACL on a topic, it can no longer be read from the PLAINTEXT port :-)






        answered Nov 13 at 14:29









        Paul de Crom
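The behaviour the answer describes follows from how Kafka's `SimpleAclAuthorizer` (the class configured in the question) makes its decision, and the model below, an added example rather than code from the answer or from Kafka, reproduces the three rules involved: a client on a PLAINTEXT listener has no authenticated identity and is seen as `User:ANONYMOUS`; principals in `super.users` bypass ACLs; and `allow.everyone.if.no.acl.found=true` only applies while no ACL exists for the resource, where both its literal name and the `*` wildcard count, regardless of which principal the ACL was written for. The principals `User:app1` and `User:mirror` and the consumer group name `mirrormaker` are constructed for the walkthrough.

```python
"""Model of the ACL decision behind the answer above.

Added example, not Kafka's code. It reproduces three rules of Kafka's
SimpleAclAuthorizer that explain why an ACL on topic '*' broke reads on
the PLAINTEXT port:
  1. a connection on a PLAINTEXT listener is the principal User:ANONYMOUS;
  2. super.users bypass ACLs entirely;
  3. allow.everyone.if.no.acl.found applies only when NO ACL exists for the
     resource, counting both its literal name and the '*' wildcard, whoever
     the ACL was written for.
Principal names other than User:admin and User:ANONYMOUS are constructed.
"""
from dataclasses import dataclass, field

ANONYMOUS = "User:ANONYMOUS"


@dataclass(frozen=True)
class Acl:
    principal: str      # "User:<name>" or "User:*"
    permission: str     # "Allow" or "Deny"
    operation: str      # "Read", "Write", "Describe", "All", ...
    resource_type: str  # "Topic" or "Group"
    resource_name: str  # literal name or "*"


# Operations that a broader grant implies (subset of Kafka's table):
# a Read/Write/Delete/Alter allow also satisfies a Describe check.
IMPLIED_BY = {"Describe": {"Read", "Write", "Delete", "Alter"}}


def principal_for(listener, sasl_username=None):
    """Map the listener a client connected on to the principal the
    authorizer sees. PLAINTEXT carries no identity, hence ANONYMOUS."""
    if listener == "PLAINTEXT":
        return ANONYMOUS
    if listener in ("SASL_PLAINTEXT", "SASL_SSL"):
        if not sasl_username:
            raise ValueError("SASL listener needs an authenticated username")
        return f"User:{sasl_username}"
    raise ValueError(f"unsupported listener {listener}")


@dataclass
class Authorizer:
    super_users: frozenset = frozenset()
    allow_everyone_if_no_acl_found: bool = True
    acls: list = field(default_factory=list)

    def _acls_for(self, resource_type, resource_name):
        # Literal-name ACLs and wildcard ('*') ACLs are both "found".
        return [a for a in self.acls
                if a.resource_type == resource_type
                and a.resource_name in (resource_name, "*")]

    @staticmethod
    def _matches(acl, principal, operation):
        if acl.principal not in (principal, "User:*"):
            return False
        return (acl.operation in ("All", operation)
                or acl.operation in IMPLIED_BY.get(operation, set()))

    def authorize(self, principal, operation, resource_type, resource_name):
        if principal in self.super_users:
            return True
        found = self._acls_for(resource_type, resource_name)
        if not found:
            return self.allow_everyone_if_no_acl_found
        matching = [a for a in found if self._matches(a, principal, operation)]
        if any(a.permission == "Deny" for a in matching):
            return False  # an explicit Deny wins over any Allow
        return any(a.permission == "Allow" for a in matching)


def mirrormaker_read_scenarios():
    """Walk through the situation in the question. Returns scenario -> allowed."""
    az = Authorizer(super_users=frozenset({"User:admin"}),
                    allow_everyone_if_no_acl_found=True)
    anon = principal_for("PLAINTEXT")                   # MirrorMaker on port 443
    admin = principal_for("SASL_PLAINTEXT", "admin")   # console-consumer test
    out = {}
    # 1. No ACLs anywhere: everyone may read, as the question observed.
    out["no_acl_plaintext_read"] = az.authorize(anon, "Read", "Topic", "topictest1")
    # 2. Someone grants a constructed principal User:app1 Read on topic '*'.
    az.acls.append(Acl("User:app1", "Allow", "Read", "Topic", "*"))
    # The fallback no longer applies: ANONYMOUS has no Allow, so reads fail...
    out["wildcard_acl_plaintext_read"] = az.authorize(anon, "Read", "Topic", "topictest1")
    # ...while the super user on the SASL port still reads.
    out["wildcard_acl_sasl_admin_read"] = az.authorize(admin, "Read", "Topic", "topictest1")
    # 3. Fix: give MirrorMaker its own SASL identity (constructed User:mirror)
    #    and explicit Read on the topics and on its consumer group.
    az.acls.append(Acl("User:mirror", "Allow", "Read", "Topic", "*"))
    az.acls.append(Acl("User:mirror", "Allow", "Read", "Group", "mirrormaker"))
    mirror = principal_for("SASL_PLAINTEXT", "mirror")
    out["fixed_sasl_mirror_topic_read"] = az.authorize(mirror, "Read", "Topic", "topictest1")
    out["fixed_sasl_mirror_group_read"] = az.authorize(mirror, "Read", "Group", "mirrormaker")
    return out


if __name__ == "__main__":
    for name, allowed in mirrormaker_read_scenarios().items():
        print(f"{name:32s} {'ALLOW' if allowed else 'DENY'}")
```

The point of the walkthrough is that the wildcard ACL does not need to mention MirrorMaker at all to break it: its mere existence switches the authorizer from "no ACL found, allow everyone" to "ACL found, ANONYMOUS has no grant", which is why the console consumer on the SASL port (as `User:admin`, a super user) kept working while the PLAINTEXT consumer stopped. Moving MirrorMaker's consumer to the SASL listener with its own principal and explicit Read grants on the topics and its consumer group keeps replication working even once every topic is covered by an ACL.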
