Cloudera Docs

Kerberos authentication using the ticket cache

You can configure Kerberos authentication using a ticket cache. To do so, you authenticate with Kerberos to acquire a valid Kerberos ticket. Then you connect to Kafka authenticating with the Kerberos ticket.

You must have produced data to a Kafka topic and consumed data from the Kafka topic.
  1. Create a file called client-kerberos.properties with the following content: 
    security.protocol=SASL_SSL
sasl.mechanism=GSSAPI
sasl.kerberos.service.name=kafka
ssl.truststore.location=/var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks
sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
  2. Before connecting to Kafka, you need to authenticate successfully with Kerberos to acquire a valid Kerberos ticket. You can use kinit for that. Run the following commands, replacing srv_kafka-client with your Machine User name. When prompted for the password, provide the Workload Password that you had set. 
    kdestroy

kinit srv_kafka-client
  3. If the command is successful, you should have a valid ticket in your ticket cache, as shown by the following klist command: 
    $ klist
Ticket cache: FILE:/tmp/krb5cc_1501600556
Default principal: srv_kafka-client@XYZ.SITE

Valid starting       Expires              Service principal
05/07/2020 03:10:58  05/08/2020 03:10:52  krbtgt/XYZ.SITE@XYZ.SITE
	renew until 05/14/2020 03:10:52

    If the command is not successful, your ticket cache should be empty, as shown in the following example:

    $ klist
klist: No credentials cache found (filename: /tmp/krb5cc_1501600556)
  4. After you have a valid ticket in the ticket cache you can run the following commands to connect to Kafka, authenticating with the Kerberos ticket. 
    BROKER_HOST=$(hostname -f)

kafka-console-consumer \
  --bootstrap-server $BROKER_HOST:9093 \
  --consumer.config client-kerberos.properties \
  --topic machine-data \
  --group machine-data-$RANDOM \
  --from-beginning

    You should see the contents of the machine-data topic as follows:

    Hello, Kafka!
  5. After testing, destroy the ticket in your ticket cache: 
    kdestroy
    If you try to run the kafka-console-consumer command again, without the ticket, you see authentication errors like the following example:
    Caused by: javax.security.auth.login.LoginException: 
Could not login: the client is being asked for a password, but the Kafka client code does not 
currently support obtaining a password from the user. not available to garner  authentication 
information from the user