
Spring Cloud Stream consumer startup


I recently migrated my Spring Cloud Stream Kafka consumer application from annotations to a functional approach, and now it won't start up, failing with:

org.springframework.cloud.stream.binder.AbstractMessageChannelBinder.doBindConsumer(AbstractMessageChannelBinder.java:403)
    ... 33 common frames omitted
Caused by: org.apache.kafka.common.KafkaException: javax.security.auth.login.LoginException: Could not login: the client is being asked for a password, but the Kafka client code does not currently support obtaining a password from the user. not available to garner  authentication information from the user
    at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:172)
    at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:157)
    at org.apache.kafka.common.network.ChannelBuilders.clientChannelBuilder(ChannelBuilders.java:73)
    at org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:105)
    at org.apache.kafka.clients.admin.KafkaAdminClient.createInternal(KafkaAdminClient.java:474)
    ... 40 common frames omitted
Caused by: javax.security.auth.login.LoginException:

This is the configuration:

jaas:
  options:
    sauAlias: Vault/Conjur/Secret/service_account
    useKeyTab: false
    krbProvider: com.sun.security.auth.module.Krb5LoginModule
    debug: true
  loginModule: com.usaa.kafka.auth3.krb.SauKrbLoginModuleWrapper
  bootstrapServers: >
    someserver:0000, someserver:0001

Is there an attribute that needs to be set to avoid the login prompt?


Solution

  • If you look at the documentation, you will see this for Krb5LoginModule:

    useKeyTab:
        Set this to true if you want the module to get the principal's key from the keytab. (Default value is False.) If keytab is not set then the module will locate the keytab from the Kerberos configuration file. If it is not specified in the Kerberos configuration file then it will look for the file {user.home}{file.separator}krb5.keytab.
    

    In your case, my assumption is that because you are using useKeyTab = false, it is trying to find the keytab file in the default location, {user.home}{file.separator}krb5.keytab, and it probably does not exist.

    https://docs.oracle.com/javase/8/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html


    Please see this https://andriymz.github.io/kerberos/authentication-using-kerberos/#krb5loginmodule for possible Valid/Invalid configuration combinations.


    Your configuration should look something like:

    spring:
      cloud:
        stream:
          kafka:
            binder:
              brokers: localhost:9092  # Kafka broker address(es), host:port
              autoCreateTopics: false
              jaas:
                loginModule: com.sun.security.auth.module.Krb5LoginModule
                controlFlag: required
                options:
                  useKeyTab: true
                  storeKey: true
                  keyTab: /your/pathTokeytabFile
                  useTicketCache: false
                  principal: yourserviceaccount@domain
                  renewTicket: true
                  serviceName: kafka
              configuration:
                security:
                  # SASL authentication without TLS; SASL_SSL adds transport encryption
                  protocol: SASL_PLAINTEXT
                sasl:
                  kerberos:
                    service:
                      name: kafka
              producerProperties:
                retries: 3
          # destination and contentType are core binding properties, so they
          # go under spring.cloud.stream.bindings rather than under kafka
          bindings:
            CONSUMER_ONE:
              destination: TOPIC_1
              contentType: application/json
            CONSUMER_TWO:
              destination: TOPIC_2
              contentType: application/json
            CONSUMER_ERROR:
              destination: ERROR_TOPIC
              contentType: application/json
            PRODUCER_ONE:
              destination: TOPIC_2
              contentType: application/json
            PRODUCER_TWO:
              destination: TOPIC_3
              contentType: application/json
            PRODUCER_ERROR:
              destination: ERROR_TOPIC
              contentType: application/json
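
Added example (not part of the original question or answer): a pre-deployment check, in Python, of the Krb5LoginModule option combinations that end in a password prompt or a configuration error, following the Krb5LoginModule documentation linked in the answer. The function name, the finding labels and the sample option set are constructed for this example, and it assumes the options reach Krb5LoginModule unchanged.

```python
import os
import stat

def _on(options, name):
    # YAML may deliver booleans or strings; JAAS itself compares against "true".
    return str(options.get(name, "false")).strip().lower() == "true"

def check_krb5_options(options):
    """Return findings for a Krb5LoginModule options mapping (hypothetical helper)."""
    findings = []
    use_keytab = _on(options, "useKeyTab")
    use_cache = _on(options, "useTicketCache")
    shared = _on(options, "tryFirstPass") or _on(options, "useFirstPass")

    if not (use_keytab or use_cache or shared):
        if _on(options, "doNotPrompt"):
            findings.append("config-error: doNotPrompt=true with no credential source")
        else:
            # The module falls back to a password callback, which a headless
            # Kafka client cannot answer (the LoginException in the question).
            findings.append("will-prompt: no keytab, ticket cache or shared state enabled")
    if options.get("keyTab") and not use_keytab:
        findings.append("config-error: keyTab is set but useKeyTab is not true")
    if options.get("ticketCache") and not use_cache:
        findings.append("config-error: ticketCache is set but useTicketCache is not true")
    if _on(options, "renewTGT") and not use_cache:
        findings.append("config-error: renewTGT requires useTicketCache=true")

    path = options.get("keyTab")
    if use_keytab and path:
        if not os.path.isfile(path):
            findings.append("keytab-missing: " + path)
        elif stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            # A keytab holds the principal's long-term keys; keep it owner-only.
            findings.append("keytab-permissions: group/other can access " + path)
    return findings

# Constructed sample, modelled on the option set in the question.
QUESTION_OPTIONS = {"sauAlias": "Vault/Conjur/Secret/service_account",
                    "useKeyTab": False, "debug": True}

if __name__ == "__main__":
    for finding in check_krb5_options(QUESTION_OPTIONS):
        print(finding)
```

The permission check uses POSIX mode bits, so it is only meaningful on Unix-like hosts.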