Kafka cluster updated from PLAINTEXT to SASL_PLAINTEXT, cannot get Mirrormaker to work










0














We have two separate kafka clusters in two datacenters and have configured Mirrormaker to replicate a set of topics. Each datacenter is running 3 nodes with kafka and mirrormaker. This setup is running correctly.



To enable more security, we need SASL_PLAINTEXT, or better SASL_SSL.



I configured SASL_PLAINTEXT in one of our datacenters on all three nodes:



Added in /etc/sysconfig/kafka:



Djava.security.auth.login.config=/etc/kafka/kafka_server.jaas"



Created /etc/kafka/kafka_server.jaas:



KafkaServer 
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret"

;
KafkaClient
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret"
;
;


Changed listeners in /etc/kafka/server.properties:



listeners=PLAINTEXT://0.0.0.0:443,SASL_PLAINTEXT://0.0.0.0:29093,SASL_SSL://0.0.0.0:29094
advertised.listeners=PLAINTEXT://node1.app.gen.local:443,SASL_PLAINTEXT://node1.app.gen.local:29093,SASL_SSL://node1.app.gen.local:29094


Added to /etc/kafka/server.properties:



authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
allow.everyone.if.no.acl.found=true
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
super.users=User:admin
zookeeper.set.acl=false


After these changes a successful test has been performed on the first kafka node to test the SASL port like this:



export KAFKA_OPTS="-Djava.security.auth.login.config=/etc/kafka/kafka_server.jaas"
/u01/app/kafka/bin/kafka-console-consumer.sh --bootstrap-server localhost:29093 --topic topictest1 --from-beginning --consumer.config=/etc/kafka/consumer.properties


/etc/kafka/consumer.properties:



security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
bootstrap.servers=localhost:29093


/etc/kafka/producer.properties:



security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
bootstrap.servers=localhost:29093


So the consumer on the newly created SASL port can read the existing topics in the cluster on which no ACLs have been set yet. This was also the expected behaviour.



The only problem now is that mirrormaker is broken between the new secured cluster and the second non secured cluster. Tried to fix it by making the following changes to the file that holds the consumer properties for mirrormaker: /etc/kafka/mirrormaker-consumer.properties



bootstrap.servers=node1.app.gen.local:29093,node2.app.gen.local:29093,node3.app.gen.local:29093
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret";



Mirrormaker starts, lots of entries in the DEBUG log, but the messages are not copied from the secured cluster to the (still) unsecured cluster.



What could I have missed?










share|improve this question





















  • I would suggest making some temporary topic for testing the CLI tools alone can produce an consume between the clusters you're interacting with. Once you have that working, use the same properties in the MirrorMaker configs
    – cricket_007
    Nov 12 at 13:32















0














We have two separate kafka clusters in two datacenters and have configured Mirrormaker to replicate a set of topics. Each datacenter is running 3 nodes with kafka and mirrormaker. This setup is running correctly.



To enable more security, we need SASL_PLAINTEXT, or better SASL_SSL.



I configured SASL_PLAINTEXT in one of our datacenters on all three nodes:



Added in /etc/sysconfig/kafka:



Djava.security.auth.login.config=/etc/kafka/kafka_server.jaas"



Created /etc/kafka/kafka_server.jaas:



KafkaServer 
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret"

;
KafkaClient
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret"
;
;


Changed listeners in /etc/kafka/server.properties:



listeners=PLAINTEXT://0.0.0.0:443,SASL_PLAINTEXT://0.0.0.0:29093,SASL_SSL://0.0.0.0:29094
advertised.listeners=PLAINTEXT://node1.app.gen.local:443,SASL_PLAINTEXT://node1.app.gen.local:29093,SASL_SSL://node1.app.gen.local:29094


Added to /etc/kafka/server.properties:



authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
allow.everyone.if.no.acl.found=true
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
super.users=User:admin
zookeeper.set.acl=false


After these changes a successful test has been performed on the first kafka node to test the SASL port like this:



export KAFKA_OPTS="-Djava.security.auth.login.config=/etc/kafka/kafka_server.jaas"
/u01/app/kafka/bin/kafka-console-consumer.sh --bootstrap-server localhost:29093 --topic topictest1 --from-beginning --consumer.config=/etc/kafka/consumer.properties


/etc/kafka/consumer.properties:



security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
bootstrap.servers=localhost:29093


/etc/kafka/producer.properties:



security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
bootstrap.servers=localhost:29093


So the consumer on the newly created SASL port can read the existing topics in the cluster on which no ACLs have been set yet. This was also the expected behaviour.



The only problem now is that mirrormaker is broken between the new secured cluster and the second non secured cluster. Tried to fix it by making the following changes to the file that holds the consumer properties for mirrormaker: /etc/kafka/mirrormaker-consumer.properties



bootstrap.servers=node1.app.gen.local:29093,node2.app.gen.local:29093,node3.app.gen.local:29093
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret";



Mirrormaker starts, lots of entries in the DEBUG log, but the messages are not copied from the secured cluster to the (still) unsecured cluster.



What could I have missed?










share|improve this question





















  • I would suggest making some temporary topic for testing the CLI tools alone can produce an consume between the clusters you're interacting with. Once you have that working, use the same properties in the MirrorMaker configs
    – cricket_007
    Nov 12 at 13:32













0












0








0







We have two separate kafka clusters in two datacenters and have configured Mirrormaker to replicate a set of topics. Each datacenter is running 3 nodes with kafka and mirrormaker. This setup is running correctly.



To enable more security, we need SASL_PLAINTEXT, or better SASL_SSL.



I configured SASL_PLAINTEXT in one of our datacenters on all three nodes:



Added in /etc/sysconfig/kafka:



Djava.security.auth.login.config=/etc/kafka/kafka_server.jaas"



Created /etc/kafka/kafka_server.jaas:



KafkaServer 
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret"

;
KafkaClient
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret"
;
;


Changed listeners in /etc/kafka/server.properties:



listeners=PLAINTEXT://0.0.0.0:443,SASL_PLAINTEXT://0.0.0.0:29093,SASL_SSL://0.0.0.0:29094
advertised.listeners=PLAINTEXT://node1.app.gen.local:443,SASL_PLAINTEXT://node1.app.gen.local:29093,SASL_SSL://node1.app.gen.local:29094


Added to /etc/kafka/server.properties:



authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
allow.everyone.if.no.acl.found=true
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
super.users=User:admin
zookeeper.set.acl=false


After these changes a successful test has been performed on the first kafka node to test the SASL port like this:



export KAFKA_OPTS="-Djava.security.auth.login.config=/etc/kafka/kafka_server.jaas"
/u01/app/kafka/bin/kafka-console-consumer.sh --bootstrap-server localhost:29093 --topic topictest1 --from-beginning --consumer.config=/etc/kafka/consumer.properties


/etc/kafka/consumer.properties:



security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
bootstrap.servers=localhost:29093


/etc/kafka/producer.properties:



security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
bootstrap.servers=localhost:29093


So the consumer on the newly created SASL port can read the existing topics in the cluster on which no ACLs have been set yet. This was also the expected behaviour.



The only problem now is that mirrormaker is broken between the new secured cluster and the second non secured cluster. Tried to fix it by making the following changes to the file that holds the consumer properties for mirrormaker: /etc/kafka/mirrormaker-consumer.properties



bootstrap.servers=node1.app.gen.local:29093,node2.app.gen.local:29093,node3.app.gen.local:29093
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret";



Mirrormaker starts, lots of entries in the DEBUG log, but the messages are not copied from the secured cluster to the (still) unsecured cluster.



What could I have missed?










share|improve this question













We have two separate kafka clusters in two datacenters and have configured Mirrormaker to replicate a set of topics. Each datacenter is running 3 nodes with kafka and mirrormaker. This setup is running correctly.



To enable more security, we need SASL_PLAINTEXT, or better SASL_SSL.



I configured SASL_PLAINTEXT in one of our datacenters on all three nodes:



Added in /etc/sysconfig/kafka:



Djava.security.auth.login.config=/etc/kafka/kafka_server.jaas"



Created /etc/kafka/kafka_server.jaas:



KafkaServer 
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret"

;
KafkaClient
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret"
;
;


Changed listeners in /etc/kafka/server.properties:



listeners=PLAINTEXT://0.0.0.0:443,SASL_PLAINTEXT://0.0.0.0:29093,SASL_SSL://0.0.0.0:29094
advertised.listeners=PLAINTEXT://node1.app.gen.local:443,SASL_PLAINTEXT://node1.app.gen.local:29093,SASL_SSL://node1.app.gen.local:29094


Added to /etc/kafka/server.properties:



authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
allow.everyone.if.no.acl.found=true
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
super.users=User:admin
zookeeper.set.acl=false


After these changes a successful test has been performed on the first kafka node to test the SASL port like this:



export KAFKA_OPTS="-Djava.security.auth.login.config=/etc/kafka/kafka_server.jaas"
/u01/app/kafka/bin/kafka-console-consumer.sh --bootstrap-server localhost:29093 --topic topictest1 --from-beginning --consumer.config=/etc/kafka/consumer.properties


/etc/kafka/consumer.properties:



security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
bootstrap.servers=localhost:29093


/etc/kafka/producer.properties:



security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
bootstrap.servers=localhost:29093


So the consumer on the newly created SASL port can read the existing topics in the cluster on which no ACLs have been set yet. This was also the expected behaviour.



The only problem now is that mirrormaker is broken between the new secured cluster and the second non secured cluster. Tried to fix it by making the following changes to the file that holds the consumer properties for mirrormaker: /etc/kafka/mirrormaker-consumer.properties



bootstrap.servers=node1.app.gen.local:29093,node2.app.gen.local:29093,node3.app.gen.local:29093
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret";



Mirrormaker starts, lots of entries in the DEBUG log, but the messages are not copied from the secured cluster to the (still) unsecured cluster.



What could I have missed?







apache-kafka






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 12 at 12:15









Paul de Crom

1




1











  • I would suggest making some temporary topic for testing the CLI tools alone can produce an consume between the clusters you're interacting with. Once you have that working, use the same properties in the MirrorMaker configs
    – cricket_007
    Nov 12 at 13:32
















  • I would suggest making some temporary topic for testing the CLI tools alone can produce an consume between the clusters you're interacting with. Once you have that working, use the same properties in the MirrorMaker configs
    – cricket_007
    Nov 12 at 13:32















I would suggest making some temporary topic for testing the CLI tools alone can produce an consume between the clusters you're interacting with. Once you have that working, use the same properties in the MirrorMaker configs
– cricket_007
Nov 12 at 13:32




I would suggest making some temporary topic for testing the CLI tools alone can produce an consume between the clusters you're interacting with. Once you have that working, use the same properties in the MirrorMaker configs
– cricket_007
Nov 12 at 13:32












1 Answer
1






active

oldest

votes


















0














Thanks, I solved this by your suggestion to test consumer and producer separately. It appeared that I had an ACL defined with topic '*' in there that prevented Mirrormaker's consumer to read the topics from its PLAINTEXT port.



What I have learned: if you put an ACL on a topic, it can no longer be read from the PLAINTEXT port :-)






share|improve this answer




















    Your Answer






    StackExchange.ifUsing("editor", function ()
    StackExchange.using("externalEditor", function ()
    StackExchange.using("snippets", function ()
    StackExchange.snippets.init();
    );
    );
    , "code-snippets");

    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "1"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53262005%2fkafka-cluster-updated-from-plaintext-to-sasl-plaintext-cannot-get-mirrormaker-t%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    Thanks, I solved this by your suggestion to test consumer and producer separately. It appeared that I had an ACL defined with topic '*' in there that prevented Mirrormaker's consumer to read the topics from its PLAINTEXT port.



    What I have learned: if you put an ACL on a topic, it can no longer be read from the PLAINTEXT port :-)






    share|improve this answer

























      0














      Thanks, I solved this by your suggestion to test consumer and producer separately. It appeared that I had an ACL defined with topic '*' in there that prevented Mirrormaker's consumer to read the topics from its PLAINTEXT port.



      What I have learned: if you put an ACL on a topic, it can no longer be read from the PLAINTEXT port :-)






      share|improve this answer























        0












        0








        0






        Thanks, I solved this by your suggestion to test consumer and producer separately. It appeared that I had an ACL defined with topic '*' in there that prevented Mirrormaker's consumer to read the topics from its PLAINTEXT port.



        What I have learned: if you put an ACL on a topic, it can no longer be read from the PLAINTEXT port :-)






        share|improve this answer












        Thanks, I solved this by your suggestion to test consumer and producer separately. It appeared that I had an ACL defined with topic '*' in there that prevented Mirrormaker's consumer to read the topics from its PLAINTEXT port.



        What I have learned: if you put an ACL on a topic, it can no longer be read from the PLAINTEXT port :-)







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Nov 13 at 14:29









        Paul de Crom

        1




        1



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Stack Overflow!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.





            Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


            Please pay close attention to the following guidance:


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53262005%2fkafka-cluster-updated-from-plaintext-to-sasl-plaintext-cannot-get-mirrormaker-t%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            這個網誌中的熱門文章

            How to read a connectionString WITH PROVIDER in .NET Core?

            Node.js Script on GitHub Pages or Amazon S3

            Museum of Modern and Contemporary Art of Trento and Rovereto