Uploaded image for project: 'Red Hat Fuse'
  1. Red Hat Fuse
  2. ENTESB-18994

Camel Kafka Component unable to load Kerberos LoginModule

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Major
    • fuse-7.11-GA
    • fuse-7.10-GA
    • Camel
    • None
    • False
    • None
    • False
    • % %
    • -
    • No test
    • Hide

      Steps to reproduce the issue:

      1)Add EAP/Fuse configuration:

      -System properties:

          <system-properties>
        <property name="java.security.krb5.conf" value="/path/krb5.conf"/>
        <property name="java.security.krb5.realm" value="HADOOP.CENTRALTEST.ROOTTEST.ALPHATEST.AB"/>
        <property name="sun.security.krb5.debug" value="true"/>
        <property name="jboss.security.disable.secdomain.option" value="true"/>
        </system-properties>

      -Security Domain:

                     <security-domain name="KafkaClient" cache-type="default">
                    <authentication>
                    
                        <login-module code="org.jboss.security.negotiation.KerberosLoginModule" flag="required">
                            <module-option name="storeKey" value="true"/>
                            <module-option name="useKeyTab" value="true"/>
                            <module-option name="principal" value="cbs_uat@HADOOP.CENTRALTEST.ROOTTEST.ALPHATEST.AB"/>
                            <module-option name="doNotPrompt" value="true"/>
                            <module-option name="debug" value="true"/>
                            <module-option name="keyTab" value="/path/service.keytab"/>
                        </login-module>
                    </authentication>
                </security-domain>

      2)Start Kafka on localhost

      (I have used docker-compose.yml file to reproduce)

      $ docker-compose up

      3)Start EAP/Fuse

      4)Build and deploy the sample application attached

      Expected output after deployment:

      Caused by: javax.security.auth.login.LoginException: unable to find LoginModule class: org.jboss.security.negotiation.KerberosLoginModule from [Module "org.apache.kafka.clients" from local module loader @2ed94a8b (finder: local module finder @38082d64 (roots: /home/francesco/jboss/jboss-eap-7.2/modules,/home/francesco/jboss/jboss-eap-7.2/modules/system/layers/fuse,/home/francesco/jboss/jboss-eap-7.2/modules/system/layers/base/.overlays/layer-base-jboss-eap-7.2.3.CP,/home/francesco/jboss/jboss-eap-7.2/modules/system/layers/base))]
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:794)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
    at org.apache.kafka.common.security.authenticator.AbstractLogin.login(AbstractLogin.java:60)
    at org.apache.kafka.common.security.kerberos.KerberosLogin.login(KerberosLogin.java:103)
    at org.apache.kafka.common.security.authenticator.LoginManager.<init>(LoginManager.java:61)
    at org.apache.kafka.common.security.authenticator.LoginManager.acquireLoginManager(LoginManager.java:111)
    at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:149)

      I'm attaching all the files required to reproduce the issue.

      Please note that it's not needed an actual Kerberos active connection as the issue is raised before the authentication.
      On the other hand, for the Kafka Component to work, you need to make sure Kafka is running.

      Show
      Steps to reproduce the issue: 1)Add EAP/Fuse configuration: -System properties: <system-properties> <property name= "java.security.krb5.conf" value= "/path/krb5.conf" /> <property name= "java.security.krb5.realm" value= "HADOOP.CENTRALTEST.ROOTTEST.ALPHATEST.AB" /> <property name= "sun.security.krb5.debug" value= " true " /> <property name= "jboss.security.disable.secdomain.option" value= " true " /> </system-properties> -Security Domain: <security-domain name= "KafkaClient" cache-type= " default " > <authentication> <login-module code= "org.jboss.security.negotiation.KerberosLoginModule" flag= "required" > <module-option name= "storeKey" value= " true " /> <module-option name= "useKeyTab" value= " true " /> <module-option name= "principal" value= "cbs_uat@HADOOP.CENTRALTEST.ROOTTEST.ALPHATEST.AB" /> <module-option name= "doNotPrompt" value= " true " /> <module-option name= "debug" value= " true " /> <module-option name= "keyTab" value= "/path/service.keytab" /> </login-module> </authentication> </security-domain> 2)Start Kafka on localhost (I have used docker-compose.yml file to reproduce) $ docker-compose up 3)Start EAP/Fuse 4)Build and deploy the sample application attached Expected output after deployment: Caused by: javax.security.auth.login.LoginException: unable to find LoginModule class: org.jboss.security.negotiation.KerberosLoginModule from [Module "org.apache.kafka.clients" from local module loader @2ed94a8b (finder: local module finder @38082d64 (roots: /home/francesco/jboss/jboss-eap-7.2/modules,/home/francesco/jboss/jboss-eap-7.2/modules/system/layers/fuse,/home/francesco/jboss/jboss-eap-7.2/modules/system/layers/base/.overlays/layer-base-jboss-eap-7.2.3.CP,/home/francesco/jboss/jboss-eap-7.2/modules/system/layers/base))] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:794) at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) at javax.security.auth.login.LoginContext.login(LoginContext.java:587) at org.apache.kafka.common.security.authenticator.AbstractLogin.login(AbstractLogin.java:60) at org.apache.kafka.common.security.kerberos.KerberosLogin.login(KerberosLogin.java:103) at org.apache.kafka.common.security.authenticator.LoginManager.<init>(LoginManager.java:61) at org.apache.kafka.common.security.authenticator.LoginManager.acquireLoginManager(LoginManager.java:111) at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:149) I'm attaching all the files required to reproduce the issue. Please note that it's not needed an actual Kerberos active connection as the issue is raised before the authentication. On the other hand, for the Kafka Component to work, you need to make sure Kafka is running.

    Description

      A Camel Route with the Kafka Component fails in loading the Kerberos Login Module which has been installed on Fuse/EAP.

              <route id="consume_mobile_success_cmart-mitsosPRODUCER-mobileSuccessCmartEap7-consumer">
            <from uri="kafka:mitsosPRODUCER?brokers=localhost:9093&amp;securityProtocol=SASL_SSL&amp;saslKerberosServiceName=kafka"/>
            <convertBodyTo type="java.lang.String" />
            <log message="BODY: ${body}"/>
        </route>

      Attachments

        1. docker-compose.yml
          0.8 kB
        2. krb5.conf
          0.2 kB
        3. sampletest.tar.gz
          552 kB
        4. service.keytab
          0.3 kB

        Activity

          People

            ldemasi Luigi De Masi
            fmarchio@redhat.com Francesco Marchioni (Inactive)
            Federico Mariani Federico Mariani
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: