Kafka adapter fatal error caused by "javax.security.auth.login.LoginException: Could not login"
Article ID: KB0072908
Updated On:
| Products | Versions |
|---|---|
| TIBCO Streaming | 10.6 and later |
Description
When a Streaming application using the Kafka adapter is started, a fatal error occurs:
Our Kafka broker requires that clients authenticate with Kerberos. What does this error mean and how can it be avoided?
2021-10-28 13:48:58.015000-0400 [23876:OperatorThread(default.OutputAdapter.KafkaProducer)] ERROR com.streambase.sb.adapter.kafka.KafkaProducer.default.OutputAdapter: Fatal error ... : Caused by: javax.security.auth.login.LoginException: Could not login: the client is being asked for a password, but the Kafka client code does not currently support obtaining a password from the user. not available to garner authentication information from the user
Our Kafka broker requires that clients authenticate with Kerberos. What does this error mean and how can it be avoided?
Issue/Introduction
Provides some details and background on the fatal error caused by "javax.security.auth.login.LoginException: Could not login".
Resolution
This error indicates that the Kerberos user's keytab file is not being referenced in the client's jaas configuration. In this case, the client is the TIBCO Streaming application that uses the Kafka adapters.
Inspect the client's jaas configuration file, which is typically referenced by your TIBCO Streaming application using the Java system property 'java.security.auth.login.config'. For example, in a StreamBase Engine HOCON configuration:
In 'kafka_client_jaas.conf', make sure the 'KafkaClient' definition references the client/user's keytab file:
Here, the user's keytab file is expected to exist under C:/keytabs/. If the keytab file exists and you still face this fatal error, consult with your Kerberos administrator to obtain an updated copy of the keytab file.
To assist in troubleshooting, set the 'sun.security.krb5.debug' system property to 'true'. Again, you may do this in your SB Engine configuration:
For detailed guidance on configuring the Kafka adapters for Kerberos authentication, refer to the Knowledge article entitled "How to enable Kerberos SASL/SSL authentication for the TIBCO Streaming Kafka adapters".
Inspect the client's jaas configuration file, which is typically referenced by your TIBCO Streaming application using the Java system property 'java.security.auth.login.config'. For example, in a StreamBase Engine HOCON configuration:
StreamBaseEngine = {
jvmArgs = [
"-Djava.security.auth.login.config=C:/configs/kafka_client_jaas.conf"
"-Djava.security.krb5.conf=C:/configs/krb5.conf"
"-Dsun.security.krb5.debug=true"
]
}
In 'kafka_client_jaas.conf', make sure the 'KafkaClient' definition references the client/user's keytab file:
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
serviceName="kafka"
useKeyTab=true
debug=true
keyTab="C:/keytabs/user1.user.keytab"
principal="user1/@KAFKA.SECURE";
};
Here, the user's keytab file is expected to exist under C:/keytabs/. If the keytab file exists and you still face this fatal error, consult with your Kerberos administrator to obtain an updated copy of the keytab file.
To assist in troubleshooting, set the 'sun.security.krb5.debug' system property to 'true'. Again, you may do this in your SB Engine configuration:
StreamBaseEngine = {
jvmArgs = [
"-Djava.security.auth.login.config=C:/configs/kafka_client_jaas.conf"
"-Djava.security.krb5.conf=C:/configs/krb5.conf"
"-Dsun.security.krb5.debug=true"
]
}
For detailed guidance on configuring the Kafka adapters for Kerberos authentication, refer to the Knowledge article entitled "How to enable Kerberos SASL/SSL authentication for the TIBCO Streaming Kafka adapters".
Feedback
Yes
No
Powered by
