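Q: If I have different Kerberos realms, with the broker sitting on Linux and the producer sitting on Windows, how do I enable the connection using Kerberos? I have a valid keytab. Here is the krb5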

Please see this link for a definite answer to this question.

Connect to Kafka on Unix from Windows with Kerberos

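The question below is a continuation of the third scenario explained by @Samson. In response to some of Samson's suggestions: 1. A default domain has been added in krb5. 2. There is a one-way trust: the broker's domain trusts my domain.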

[libdefaults]
  renew_lifetime = 7d
  forwardable = false
  default_realm = SomeUrl.COM
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  udp_preference_limit = 1

[domain_realm]
  .machine.test.group = SomeUrl.COM
  machine.test.group = SomeUrl.COM

[realms]
  SomeUrl.COM = {
    admin_server = SomeUrl.COM
    kdc = SomeUrl.COM
  }

SomeUrl.com is where the broker is located.

Here are the logs from the producer.

Log of the producer connecting to the broker (I have edited out the actual broker name and IP address):

7 | 2017-06-14 09:03:49.181 | rdkafka#producer-1 | BROKER | [thrd:app]:sasl_plaintext://some.machine.test.group:9092/bootstrap:使用NodeId添加新代理-1
7 | 2017-06-14 09:03:49.180 | rdkafka#producer-1 | BRKMAIN | [thrd::0/internal]::0/internal:输入主经纪人线程
7 | 2017-06-14 09:03:49.227 | rdkafka#producer-1 | STATE | [thrd::0/internal]::0/internal:经纪人改变状态INIT -> UP
7 | 2017-06-14 09:03:49.229 | rdkafka#producer-1 | BRKMAIN | [thrd:sasl_plaintext://some.machine.test.group:9092/bootstrap]:sasl_plaintext://some.machine.test.group:9092/bootstrap:输入主经纪商线程
7 | 2017-06-14 09:03:49.230 | rdkafka#producer-1 | CONNECT | [thrd:sasl_plaintext://some.machine.test.group:9092/bootstrap]:sasl_plaintext://some.machine.test.group:9092/bootstrap:状态INIT中的代理连接
rdkafka#producer-1在KAFKA_MM_L0上生成 . 退出 .

When I try to send a message (

rdkafka#producer-1在KAFKA_MM_L0上制作 . 退出 .
7 | 2017-06-14 09:04:33.625 | rdkafka#producer-1 | CONNECT | [thrd:sasl_plaintext://some.machine.test.group:9092/bootstrap]:sasl_plaintext://some.machine.test.group:9092/bootstrap:连接到ipv4#1.1.1.1:9092(sasl_plaintext),带插槽184
7 | 2017-06-14 09:04:33.627 | rdkafka#producer-1 | STATE | [thrd:sasl_plaintext://some.machine.test.group:9092/bootstrap]:sasl_plaintext://some.machine.test.group:9092/bootstrap:经纪人改变状态INIT -> CONNECT
7 | 2017-06-14 09:04:33.637 | rdkafka#producer-1 | CONNECT | [thrd:sasl_plaintext://some.machine.test.group:9092/bootstrap]:sasl_plaintext://some.machine.test.group:9092/bootstrap:连接到ipv4#1.1.1.1:9092
7 | 2017-06-14 09:04:33.637 | rdkafka#producer-1 | CONNECTED | [thrd:sasl_plaintext://some.machine.test.group:9092/bootstrap]:sasl_plaintext://some.machine.test.group:9092/bootstrap:Connected(#1)
7 | 2017-06-14 09:04:33.638 | rdkafka#producer-1 | APIVERSION | [thrd:sasl_plaintext://some.machine.test.group:9092/bootstrap]:sasl_plaintext://some.machine.test.group:9092/bootstrap:使用(配置回退)0.9.0协议功能
7 | 2017-06-14 09:04:33.640 | rdkafka#producer-1 | FEATURE | [thrd:sasl_plaintext://some.machine.test.group:9092/bootstrap]:sasl_plaintext://some.machine.test.group:9092/bootstrap:更新已启用的协议功能到BrokerBalancedConsumer,ThrottleTime,Sasl,BrokerGroupCoordinator,LZ4
7 | 2017-06-14 09:04:33.643 | rdkafka#producer-1 | AUTH | [thrd:sasl_plaintext://some.machine.test.group:9092/bootstrap]:sasl_plaintext://some.machine.test.group:9092/bootstrap:Auth in state CONNECT(握手不支持)
7 | 2017-06-14 09:04:33.645 | rdkafka#producer-1 | STATE | [thrd:sasl_plaintext://some.machine.test.group:9092/bootstrap]:sasl_plaintext://some.machine.test.group:9092/bootstrap:经纪人改变状态CONNECT -> AUTH
7 | 2017-06-14 09:04:33.646 | rdkafka#producer-1 | SASL | [thrd:sasl_plaintext://some.machine.test.group:9092/bootstrap]:sasl_plaintext://some.machine.test.group:9092/bootstrap:初始化SASL客户端:服务名称kafka,主机名some.machine.test.group,机制GSSAPI
7 | 2017-06-14 09:04:33.665 | rdkafka#producer-1 | SASL | [thrd:sasl_plaintext://some.machine.test.group:9092/bootstrap]:sasl_plaintext://some.machine.test.group:9092/bootstrap:获取的Kerberos凭证句柄(到期时间为2147483455.928712703s)
7 | 2017-06-14 09:04:33.676 | rdkafka#producer-1 | BROKERFAIL | [thrd:sasl_plaintext://some.machine.test.group:9092/bootstrap]:sasl_plaintext://some.machine.test.group:9092/bootstrap:failed:err:Local:身份验证失败:(错误:无效)参数)
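
An added example, not part of the original question and not librdkafka or Kerberos library code: it applies the documented [domain_realm] lookup order (exact host entry, then dot-prefixed parent domains) to the krb5 settings in the question and checks whether the broker hostname from the log and the client's realm can both be resolved from that file. It assumes a Kerberos library that reads a krb5.conf-style file; CLIENT.EXAMPLE is a placeholder for the producer's realm, which the question does not name.

```python
# Added example (not from the question): which realm does this krb5 file give a host?
KRB5_CONF = """
[libdefaults]
 default_realm = SomeUrl.COM
 dns_lookup_kdc = false
[domain_realm]
 .machine.test.group = SomeUrl.COM
 machine.test.group = SomeUrl.COM
[realms]
 SomeUrl.COM = {
  admin_server = SomeUrl.COM
  kdc = SomeUrl.COM
 }
"""  # relevant lines copied from the question's file

def parse_krb5(text):
    """Return {section: {key: value}}; a 'REALM = {' block becomes a nested dict."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = value
    return conf

def host_realm(conf, host):
    """Exact host entry first, then each parent domain written with a leading dot."""
    table = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    labels = host.lower().rstrip(".").split(".")
    candidates = [".".join(labels)] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((table[c] for c in candidates if c in table), None)

def check(conf, broker_host, client_realm):
    """Report gaps that stop a client in client_realm reaching broker_host's realm."""
    realms, findings = conf.get("realms", {}), []
    realm = host_realm(conf, broker_host)
    if realm is None:
        findings.append("no [domain_realm] entry covers %s" % broker_host)
    elif "kdc" not in realms.get(realm, {}):
        findings.append("realm %s has no kdc under [realms]" % realm)
    if client_realm not in realms and conf.get("libdefaults", {}).get("dns_lookup_kdc") == "false":
        findings.append("client realm %s has no [realms] entry and DNS KDC lookup is off" % client_realm)
    return realm, findings

CONF = parse_krb5(KRB5_CONF)
# CLIENT.EXAMPLE is a placeholder: the question does not name the producer's realm.
print(check(CONF, "some.machine.test.group", "CLIENT.EXAMPLE"))
```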