消费者创业

Question

最近，我将我的春季云流kafka消费者应用程序从注释迁移到了功能方法，现在它不会从失败中启动。

org.springframework.cloud.stream.binder.AbstractMessageChannelBinder.doBindConsumer(AbstractMessageChannelBinder.java:403)\n\t... 33 common frames omitted\nCaused by: 
org.apache.kafka.common.KafkaException: javax.security.auth.login.LoginException: Could not login: the client is being asked for a password, 
but the Kafka client code does not currently support obtaining a password from the user. not available to garner  authentication information 
from the user
\n\tat org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:172)
\n\tat org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:157)
\n\tat org.apache.kafka.common.network.ChannelBuilders.clientChannelBuilder(ChannelBuilders.java:73)
\n\tat org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:105)\n
\tat org.apache.kafka.clients.admin.KafkaAdminClient.createInternal(KafkaAdminClient.java:474)\n\
t... 40 common frames omitted\nCaused by: javax.security.auth.login.LoginException:

这是配置：

jaas:
  options:
    sauAlias: Vault/Conjur/Secret/service_account
    useKeyTab: false
    krbProvider: com.sun.security.auth.module.Krb5LoginModule
    debug: true
  loginModule: com.usaa.kafka.auth3.krb.SauKrbLoginModuleWrapper
  bootstrapServers: >
    someserver:0000, someserver:0001

是否需要设置属性以避免登录提示？

Answer 1

如果您查看文档，您将看到对于Krb5LoginModule (如果使用)：

useKeyTab:
    Set this to true if you want the module to get the principal's key from the the keytab.(default value is False) If keytab is not set then the module will locate the keytab from the Kerberos configuration file. If it is not specified in the Kerberos configuration file then it will look for the file {user.home}{file.separator}krb5.keytab.

在您的示例中，我的假设是，由于您使用的是useKeyTab = false，所以它试图在默认位置：{user.home}{file.separator}krb5.keytab.中查找keytab文件，而且它可能不存在。

https://docs.oracle.com/javase/8/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html

请查看此https://andriymz.github.io/kerberos/authentication-using-kerberos/#krb5loginmodule以获得可能有效/无效的配置组合。

您的配置应该类似于：

spring:
 cloud:
  stream:
   kafka:
    binder:
     brokers: localhost:9092  # path to kafka brokers
     autoCreateTopics: false
     jaas:
      loginModule: com.sun.security.auth.module.Krb5LoginModule
      controlFlag: required
      options: 
       useKeyTab: true
       storeKey: true
       keyTab: /your/pathTokeytabFile
       useTicketCache: false
       principal: yourserviceaccount@domain
       renewTicket: true
       serviceName: kafka
     configuration: 
       security:
         protocol: SASL_PLAINTEXT
       sasl: 
         kerberos: 
           service:
             name: kafka
     producerProperties:
       retries: 3
    bindings:
     CONSUMER_ONE:
      destination: TOPIC_1
      contentType: application/json
     CONSUMER_TWO:
      destination: TOPIC_2
      contentType: application/json
     CONSUMER_ERROR:
      destination: ERROR_TOPIC
      contentType: application/json
     PRODUCER_ONE:
      destination: TOPIC_2
      contentType: application/json
     PRODUCER_TWO:
      destination: TOPIC_3
      contentType: application/json
     PRODUCER_ERROR:
      destination: ERROR_TOPIC
      contentType: application/json