Kafka Console consumer with kerberos authentication

linux authentication apache-kafka kerberos
12,559

Kerberos-enabled clusters can pose some tricky challenges at times. I've had to deal with some of these myself.

If the Kafka Cluster is Kerberos-enabled then you'll need to supply a jaas.conf file with the Kerberos details. Try following these steps(they worked for me):

  1. Create a jaas.conf file with the following contents:
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="<path-to-the-keytab-file>"
principal="<kafka-principal>";
};

Note: I've assumed that the Kafka principal and the associated keytab is already created. If not, you'll need to create these first.

  1. Create a properties file (say "consumer.properties") with the following contents:
security.protocol=SASL_PLAINTEXT
sasl.kerberos.service.name=kafka
  1. Then at the terminal run the following command:
$export KAFKA_OPTS="-Djava.security.auth.login.config=<path-to-jaas.conf>"
  1. Execute the Kafka-console-consumer script:
$ kafka-console-consumer --topic <topic-name> --from-beginning 
--bootstrap-server <anybroker>:9092 --consumer.config <consumer.properties>

EDIT - Steps 3 and 4 could be combined just in case there is a preference to keep these as one command in the command history.

I hope this helps.

Share:
12,559
Raju
Author by

Raju

Updated on July 28, 2022

Comments

  • Raju
    Raju almost 2 years

    How to consume published messages from the kafka (version 0.10) server which was kerberos authorized, for the authentication keytab file is being used.

    I tried with the below command but no outputs were shown.

    bin/kafka-console-consumer.sh --bootstrap-server :9092 --topic --from-beginning

  • jambox
    jambox over 2 years
    i find it helpful to combine steps 3 and 4 e.g. $ KAFKA_OPTS="-Djava.security.auth.login.config=<path-to-jaas.‌​conf>" kafka-console-consumer --topic <topic-name> --from-beginning --bootstrap-server <anybroker>:9092 --consumer.config <consumer.properties> Therefore the entire command is in your terminal history (assuming you use that).
  • Lalit
    Lalit over 2 years
    @jambox - Thanks a lot for your suggestion. :) I've also used it for the same reason but for this answer I thought of keeping these 2 separate to explain the commands/steps better. But I'm adding this as an edit anyway just so people reading this are aware of it as well.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Setting Up a Keytab for a User Fails: "kinit: Password incorrect while getting initial credentials"
Unable to Login to kadmin from Kerberos Client
How to get windows xp to authenticate against kerberos or heimdal
Best practice for authenticating DMZ against AD in LAN
Linux Central Authentication/Authorization Methods
How to automate kinit process to obtain TGT for Kerberos?
How does Kerberos work with SSH?
Kerberized SSH Failed
Kerberos - AES-256 Keytab does not work
login script to use machine password for kinit to obtain ticket at login