hello,
I have a question. I’ve set up a KRaft cluster with 3 brokers and 3 controllers.
Currently, both brokers and controllers use the same Kerberos principal and keytab (kafka/<hostname>@REALM), and I’ve configured super.users=User:kafka.
Now I’d like to separate them — brokers should use a kafka principal, and controllers should use a controller principal. Has anyone tried this setup? Any advice would be appreciated.
Here’s a snippet from my controller.properties file:
# security.protocol=SASL_SSL
# sasl.enabled.mechanisms=GSSAPI,SCRAM-SHA-256
# sasl.mechanism.inter.broker.protocol=GSSAPI
# sasl.mechanism.controller.protocol=GSSAPI
# sasl.kerberos.service.name=kafka
# kerberos.auth.enable=true
TO -->
# security.protocol=SASL_SSL
# sasl.enabled.mechanisms=GSSAPI,SCRAM-SHA-256
# sasl.mechanism.inter.broker.protocol=GSSAPI
# sasl.mechanism.controller.protocol=GSSAPI
# sasl.kerberos.service.name=controller
# kerberos.auth.enable=true
However, when I use the controller principal, authentication fails with this error:
broker ip = 172.80.0.11
controller ip = 172.80.0.21
Failed authentication with /172.80.0.11
(channelId=172.80.0.21:9093-172.80.0.11:47078-0-6)
(Authentication failed during authentication due to invalid credentials with SASL mechanism GSSAPI)
I’m also updating the JAAS configuration from kafka to controller, of course.
KafkaServer {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab="/opt/kafka/config/keytabs/controller1.keytab"
principal="controller/controller1.dahbest.kfn@DAHBEST.KFN"
useTicketCache=false
debug=true;
};
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab="/opt/kafka/config/keytabs/controller1.keytab"
principal="controller/controller1.dahbest.kfn@DAHBEST.KFN"
useTicketCache=false
debug=true;
};
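As an added example (not code from the post, and not from Kafka itself), here is a small consistency check over the two files involved when broker and controller principals are split. It assumes that the service name a node puts in sasl.kerberos.service.name must equal the service component of the KafkaServer principal of every peer it opens a GSSAPI connection to; the hostnames, realm and keytab paths in the constructed sample configs are placeholders.

```python
import re

# Constructed sample configs modelled on the post; hosts, realm and keytab paths are placeholders.
BROKER_JAAS = '''KafkaServer {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true storeKey=true useTicketCache=false
  keyTab="/path/to/broker1.keytab"
  principal="kafka/broker1.example.test@EXAMPLE.TEST";
};'''
CONTROLLER_JAAS = BROKER_JAAS.replace("kafka/broker1", "controller/controller1") \
                             .replace("broker1.keytab", "controller1.keytab")
BROKER_PROPS = "sasl.mechanism.controller.protocol=GSSAPI\nsasl.kerberos.service.name=kafka\n"
CONTROLLER_PROPS = "sasl.mechanism.controller.protocol=GSSAPI\nsasl.kerberos.service.name=controller\n"

def parse_properties(text):
    """Minimal key=value reader for a Kafka .properties file (blank and '#' lines skipped)."""
    lines = (l.strip() for l in text.splitlines())
    pairs = (l.partition("=") for l in lines if l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def runs_as_service(jaas_text, section="KafkaServer"):
    """Service component of the principal in the named JAAS section: 'controller/host@REALM' -> 'controller'."""
    block = re.search(r"\b%s\s*\{(.*?)\};" % re.escape(section), jaas_text, re.S)
    match = block and re.search(r'principal\s*=\s*"([^"]+)"', block.group(1))
    return match.group(1).split("/", 1)[0] if match else None

def check_cluster(nodes):
    """nodes: {name: {"jaas": str, "props": str, "connects_to": [peer names]}}.
    Assumption: a node's sasl.kerberos.service.name is the service part it expects in the principal
    of each peer it connects to via GSSAPI. Returns one finding per mismatch (empty = consistent)."""
    runs_as = {n: runs_as_service(c["jaas"]) for n, c in nodes.items()}
    findings = []
    for n, c in nodes.items():
        expected = parse_properties(c["props"]).get("sasl.kerberos.service.name")
        for peer in c["connects_to"]:
            if runs_as[peer] != expected:
                findings.append(f"{n}: expects service '{expected}' but {peer} runs as '{runs_as[peer]}'")
    return findings

def sample_cluster():
    """One broker plus two controllers, mirroring the split described in the post."""
    return {
        "broker1": {"jaas": BROKER_JAAS, "props": BROKER_PROPS, "connects_to": ["controller1"]},
        "controller1": {"jaas": CONTROLLER_JAAS, "props": CONTROLLER_PROPS, "connects_to": ["controller2"]},
        "controller2": {"jaas": CONTROLLER_JAAS.replace("controller1", "controller2"), "props": CONTROLLER_PROPS, "connects_to": ["controller1"]},
    }
```

Running check_cluster(sample_cluster()) reports only the broker, whose service name still says kafka while the controller it dials runs as controller; the controller-to-controller pair passes.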