METRON-819: Document kafka console producer parameter for sensors with kerberos #507
I went through your instructions and all seemed well with the world. But then I tried to use the
I then tried to go back and check the Kafka ACLs and am now getting an error. I was able to set the ACLs, but now I cannot see them.
|
Ok, sure.
|
@nickwallen Anything going on in the kafka broker logs in |
The issues that I am having currently are with Quick Dev. But I have actually been able to do this on a separate cluster in a slightly different way. On the other cluster, I did not use the So as a test, I granted access without the
|
@cestella Nothing interesting that I can find in the logs, unfortunately. |
I think I am confusing steps (12) and (13) from your instructions or something. But something else weird is going on. I'm just not sure what. It seems like the ACLs were set and then at some point they got unset somehow. I'm going to start over and walk through it all again. Maybe I made a mistake. |
Urm, sorry. That was old behavior, they changed it so Ambari doesn't do that any more. It prevented too many useful config tweaks. Now, ambari-agent only resets config state to match the ambari database, at startup time and when configs in Ambari are changed. |
FYI I was able to get this working. Mike's docs are 100% correct, there were just a few minor steps that tripped me up (like using relative paths instead of absolute paths.) I updated those just to help others avoid the same stupid user mistakes. |
### Sensors | ||
|
||
For sensors that leverage the Kafka console producer to pipe data into Metron, e.g. Snort and Yaf, you will need to modify the corresponding sensor shell script to append the SASL security protocol property. `--security-protocol SASL_PLAINTEXT` | ||
|
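Review bot: the added sentence under "Sensors" gives `--security-protocol SASL_PLAINTEXT` without saying what that value does and does not cover. SASL_PLAINTEXT authenticates the producer but does not encrypt the connection to the broker, and the value has to match the protocol of the broker listener the sensor connects to. Suggest saying both in this paragraph, and naming the sensor scripts to edit rather than only "e.g. Snort and Yaf", so a reader knows which files the flag is appended in.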
Should we call out the need to `kinit` beforehand?
Added the kinit
@nickwallen Thanks for testing the Kerberos instructions out! |
+1 Rockin! |
Merge with master again |
Don't merge this - need to move this doc change to the new manual kerberos doc in metron-deployment dir. A fix for a bad merge is pending. |
I also remember (after fighting with this for a while this morning) that if you don't have a JAAS config file defined then it won't work. Should this be part of the docs in this PR?? Without it, you just get this error.
After doing the following, then it works for me.
|
I didn't have any problems using the Kafka shell commands without a JAAS file. That was on single node Vagrant, but I'm not sure there should be much of a difference in this case. |
@nickwallen can you elaborate on this fix/config a bit? I think we should definitely add this detail to the doc. It looks like you've created a yaf user and principal here. Any additional setup or configuration required? I'm also curious about the difference in setup that required the jaas file here versus the original setup that allowed you to use the console consumer successfully per the comments above. |
In the original test, the JAAS stuff was configured as a by-product of something else I was working on. So I have never gotten this to work without configuring JAAS. |
In the text that I pasted, I was switching between two different use cases. So I accidentally pasted the JAAS setup for my 'yaf' principal, versus the 'bro' principal. So ignore that. But I cannot think of anything beyond the two steps I defined above. I just create a JAAS file telling it which keytab and principal to use, then update the JVM's security config so that it knows where to find the JAAS file, then it works for me. This is just the one way I have gotten it to work. There may be a better/simpler way that I am not aware of. |
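A preflight check for the kind of client JAAS file described in the comment above, as an added example that is not part of the PR, the thread, or the Metron docs. It confirms that the `KafkaClient` section exists and that either a keytab login (absolute, readable keytab plus a principal) or a ticket-cache login (which needs `kinit` first) is configured. The function names, the `sensor@EXAMPLE.COM` principal and the one-option-per-line layout are assumptions.

```shell
#!/bin/sh
# Added example: preflight check for the client JAAS file read by the Kafka
# console producer. Assumes one JAAS option per line.

# check_jaas FILE: prints one verdict line; returns 0 only if usable.
check_jaas() {
  cj_file=$1
  [ -r "$cj_file" ] || { echo "unreadable JAAS file"; return 1; }
  # Kafka clients log in with the section named KafkaClient.
  cj_sec=$(sed -n '/^[[:space:]]*KafkaClient[[:space:]]*{/,/}[[:space:]]*;/p' "$cj_file")
  [ -n "$cj_sec" ] || { echo "no KafkaClient section"; return 1; }
  printf '%s\n' "$cj_sec" | grep -q 'Krb5LoginModule' ||
    { echo "KafkaClient does not use Krb5LoginModule"; return 1; }
  if printf '%s\n' "$cj_sec" | grep -Eq 'useKeyTab="?true'; then
    cj_keytab=$(printf '%s\n' "$cj_sec" |
      sed -n 's/^[[:space:]]*keyTab="\([^"]*\)".*/\1/p')
    cj_princ=$(printf '%s\n' "$cj_sec" |
      sed -n 's/^[[:space:]]*principal="\([^"]*\)".*/\1/p')
    [ -n "$cj_princ" ] || { echo "useKeyTab=true but no principal"; return 1; }
    case $cj_keytab in
      /*) ;;
      '') echo "useKeyTab=true but no keyTab"; return 1 ;;
      *)  echo "keyTab path is relative: $cj_keytab"; return 1 ;;
    esac
    [ -r "$cj_keytab" ] || { echo "keytab not readable: $cj_keytab"; return 1; }
    echo "ok: keytab login as $cj_princ"
  elif printf '%s\n' "$cj_sec" | grep -Eq 'useTicketCache="?true'; then
    # No keytab: the producer depends on a ticket obtained with kinit first.
    echo "ok: ticket cache login, run kinit first"
  else
    echo "neither useKeyTab nor useTicketCache is enabled"; return 1
  fi
}

# write_sample_jaas FILE KEYTAB: constructed sample input for check_jaas.
write_sample_jaas() {
  cat > "$1" <<EOF
KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="$2"
  principal="sensor@EXAMPLE.COM";
};
EOF
}
```

A relative `keyTab` is rejected because the JVM resolves it against the working directory of whatever launches the sensor script, so it can work in an interactive shell and fail under a service.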
@mmiklavc Can you take care of the conflicts? |
@justinleet - I'm changing this entirely per @nickwallen's comments about the jaas file. Coming shortly. |
…dings while testing sensors producing to Kafka with Kerberos enabled
Ok, I grabbed the latest master branch and force pushed out a new commit with the doc changes to this branch. @nickwallen @justinleet can you take a peek at this and see if there isn't anything else I've missed? Tested this by virtue of the internal performance evaluation we ran through recently. |
I'm +1, by inspection. I think this covers it. I'll let @nickwallen double check if there's anything else. |
+1 look great. Thanks |
Addresses https://issues.apache.org/jira/browse/METRON-819
Adds a note about adding the security protocol property to sensors leveraging the Kafka console producer.
Pull Request Checklist
Thank you for submitting a contribution to Apache Metron (Incubating).
Please refer to our Development Guidelines for the complete guide to follow for contributions.
Please refer also to our Build Verification Guidelines for complete smoke testing guides.
In order to streamline the review of the contribution we ask you follow these guidelines and ask you to double check the following:
For all changes:
For documentation related changes:
Have you ensured that format looks appropriate for the output in which it is rendered by building and verifying the site-book? If not then run the following commands and then verify changes via `site-book/target/site/index.html`:
Note:
Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.
It is also recommended that travis-ci is set up for your personal repository such that your branches are built there before submitting a pull request.