Kafka adapter fatal error caused by "javax.security.auth.login.LoginException: Could not login"


Article ID: KB0072908


Product: TIBCO Streaming
Versions: 10.6 and later

Description

When a Streaming application using the Kafka adapter is started, a fatal error occurs:
 
2021-10-28 13:48:58.015000-0400 [23876:OperatorThread(default.OutputAdapter.KafkaProducer)]
ERROR com.streambase.sb.adapter.kafka.KafkaProducer.default.OutputAdapter: Fatal error
...
: Caused by: javax.security.auth.login.LoginException: Could not login:
the client is being asked for a password, but the Kafka client code does not currently support
obtaining a password from the user. not available to garner  authentication information from the user

Our Kafka broker requires that clients authenticate with Kerberos. What does this error mean and how can it be avoided?

Issue/Introduction

Provides some details and background on the fatal error caused by "javax.security.auth.login.LoginException: Could not login".

Resolution

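This error indicates that the Kerberos user's keytab file is not being referenced in the client's JAAS configuration. Without a keytab to read the key from, the Kerberos login module falls back to asking for a password, which the Kafka client cannot supply. In this case, the client is the TIBCO Streaming application that uses the Kafka adapters.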

Inspect the client's JAAS configuration file, which is typically referenced by your TIBCO Streaming application using the Java system property 'java.security.auth.login.config'. For example, in a StreamBase Engine HOCON configuration:
 
StreamBaseEngine = {
        jvmArgs = [
            "-Djava.security.auth.login.config=C:/configs/kafka_client_jaas.conf"
            "-Djava.security.krb5.conf=C:/configs/krb5.conf"
            "-Dsun.security.krb5.debug=true"
        ]
}

In 'kafka_client_jaas.conf', make sure the 'KafkaClient' definition references the client/user's keytab file:
 
KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  serviceName="kafka"
  useKeyTab=true
  debug=true
  keyTab="C:/keytabs/user1.user.keytab"
  principal="user1/@KAFKA.SECURE";
};

Here, the user's keytab file is expected to exist under C:/keytabs/. If the keytab file exists and you still face this fatal error, consult with your Kerberos administrator to obtain an updated copy of the keytab file.
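The checks described above can be run before the engine starts. The following is an added example, not TIBCO code: it parses a JAAS file's 'KafkaClient' entry and reports the settings whose absence leads to the password prompt. The function name, the messages and both sample entries are constructed for illustration, and the parser assumes simple entries with no block comments.

```python
import os
import re

def check_kafka_client_jaas(text, exists=os.path.isfile):
    """Return a list of problems found in the KafkaClient entry of a JAAS file."""
    text = re.sub(r"(?m)^\s*//.*$", "", text)  # drop whole-line // comments
    entry = re.search(r"\bKafkaClient\s*\{(.*?)\}\s*;", text, re.S)
    if not entry:
        return ["no KafkaClient entry"]
    # An entry may stack several login modules, each terminated by ';'.
    modules = [m for m in entry.group(1).split(";") if "Krb5LoginModule" in m]
    if not modules:
        return ["KafkaClient does not use Krb5LoginModule"]
    # Options are name=value pairs; values may be quoted.
    opts = {k: v.strip('"') for k, v in
            re.findall(r'(\w+)\s*=\s*("[^"]*"|\S+)', modules[0])}
    problems = []
    if opts.get("useKeyTab", "false").lower() != "true":
        problems.append("useKeyTab is not true")
    keytab = opts.get("keyTab")
    if not keytab:
        problems.append("keyTab is not set")
    elif not exists(keytab):
        problems.append("keytab file not found: " + keytab)
    if not opts.get("principal"):
        problems.append("principal is not set")
    return problems

# Constructed sample input, based on the KafkaClient entry shown on this page.
GOOD = '''
KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  serviceName="kafka"
  useKeyTab=true
  keyTab="C:/keytabs/user1.user.keytab"
  principal="user1/@KAFKA.SECURE";
};
'''
# Constructed sample input: the same entry with the keytab options left out.
BROKEN = '''
KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  serviceName="kafka"
  principal="user1/@KAFKA.SECURE";
};
'''
if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BROKEN", BROKEN)):
        print(name, check_kafka_client_jaas(cfg) or "ok")
```

Run it as the same OS account that runs the Streaming node, so that the file check reflects what the engine process can actually see.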

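To assist in troubleshooting, set the 'sun.security.krb5.debug' system property to 'true'. The resulting trace is verbose and records details such as principal names, so turn it (and 'debug=true' in the JAAS entry) off again once the login works. Again, you may set the property in your StreamBase Engine configuration: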
 
StreamBaseEngine = {
        jvmArgs = [
            "-Djava.security.auth.login.config=C:/configs/kafka_client_jaas.conf"
            "-Djava.security.krb5.conf=C:/configs/krb5.conf"
            "-Dsun.security.krb5.debug=true"
        ]
}

For detailed guidance on configuring the Kafka adapters for Kerberos authentication, refer to the Knowledge article entitled "How to enable Kerberos SASL/SSL authentication for the TIBCO Streaming Kafka adapters".