Kerberos Authentication for Kafka #5413

AndreAga · 2017-10-20T06:42:40Z

Hi guys,
I saw Beats Library doesn’t support Kerberos authentication for kafka output, but Logstash kafka input does. Any plan to add this kind of Auth?

Thanks.

mellowonpsx · 2017-10-20T07:17:17Z

I agree with @AndreAga, also Logstash's Kafka output plugin supports Kerberos SASL.
Kerberos Auth is a must-have feature for Bests Library.

gmoskovicz · 2018-01-08T14:19:01Z

@urso any news regarding this?

urso · 2018-01-08T16:09:35Z

@gmoskovicz Sorry, no updates on this ticket.

miko-code · 2018-02-25T19:08:24Z

+1

mmirabedini · 2018-04-26T18:40:01Z

+1

giezer · 2018-04-28T16:52:26Z

+1

ioah86 · 2018-07-19T17:40:36Z

+1

dounine · 2018-08-28T09:27:24Z

+1

mayank-mahajan-guavus · 2019-03-26T09:59:45Z

@jsoriano Is there a plan to add Kerberos Support in beats?

nathanrstacey · 2019-07-26T20:12:52Z

+1

smaley07 · 2019-10-16T16:02:48Z

+1

vickhello · 2019-12-11T14:29:01Z

+1

Lswx2017 · 2020-01-06T02:21:31Z

+1

Yggdrassil80 · 2020-01-13T15:14:46Z

+1

mostlyjason · 2020-01-24T19:33:39Z

One of our customers offered this response on why Kerberos is better than SSL:

In the case of the Confluent article [showing SSL auth], they are using a very loose term for authentication, in saying that it is performing mutual authentication of the certificates and only validates that the certificate is trusted by way of the CA certificates. In other words, this is machine authentication, and it provides no context to the user on that machine. In our security context, SSL authentication is not sufficient.

moulisea · 2020-08-20T04:36:22Z

1. when I give output.kafka.version: "2.5.0", I get below error: ERROR instance/beat.go:958 Exiting: error initializing publisher: unknown/unsupported kafka vesion '2.5.0' accessing 'output.kafka.version' (source:'filebeat.yml') Exiting: error initializing publisher: unknown/unsupported kafka vesion '2.5.0' accessing 'output.kafka.version' (source:'filebeat.yml') 2. Also I see below Alert in Filebeat. Known issue in version 7.8.0 The Kafka output fails to connect when using multiple TLS brokers. We advise not to upgrade to Filebeat 7.8.0 if you’re using the Kafka output in this configuration. Do you recommend to use 7.8.0 in Prod with multiple broker( we have 3 broker). I started using 7.8 mainly to support SASL_SSL with GSSAPI mechanism. Thanks, Mouli On Wed, Aug 19, 2020 at 11:05 PM chandramouli srinivasan < c84.srinivasan@gmail.com> wrote:

…

I tried logging: debug in YML file but not helpful to find what is the issue. If you are aware of any debugging mechanism, let me know. Thanks. Thanks, Mouli On Wed, Aug 19, 2020 at 12:23 PM chandramouli srinivasan < ***@***.***> wrote: > > I did that and I see below two errors. In the initial logs, it says it > established kafka connection. But later I see below errors. > > DEBUG [harvester] log/log.go:107 End of file reached: > E:\Logs\file.log; Backoff now. > DEBUG [kafka] kafka/client.go:277 finished kafka batch > DEBUG [kafka] kafka/client.go:291 Kafka publish failed with: > kafka: client has run out of available brokers to talk to (Is your cluster > reachable?) > > Kafka publish failed with: circuit breaker is open > > > Thanks, > Mouli > > On Wed, Aug 19, 2020 at 10:31 AM Noémi Ványi ***@***.***> > wrote: > >> @moulisea <https://github.com/moulisea> ATM kerberos.username is >> commented out. You need to remove # from the beginning of the line. >> >> — >> You are receiving this because you were mentioned. >> Reply to this email directly, view it on GitHub >> <#5413 (comment)>, >> or unsubscribe >> <https://github.com/notifications/unsubscribe-auth/AD2UZLQIPOWRM7G24RWJDHDSBPV5TANCNFSM4EAA7QHQ> >> . >> >

kvch · 2020-08-24T17:01:42Z

Do you mind opening a Discuss question for these problems? This issue is about tracking Kerberos authentication for Kafka, not arbitrary Kafka issues.

moulisea · 2020-08-24T17:12:10Z

Thanks for response. I am not clear how to open a Discuss question for these problems. can you provide some link, so I can start discussion on this. Yes, the issue is not able to connect to Kafka kerberos from Filebeat. so I am exploring logstash now. But if we could make this work in Filebeat, that would be really great. Appreciate your help. Thanks. Thanks, Mouli

…

Sent from my iPhone On Aug 24, 2020, at 12:01 PM, Noémi Ványi <notifications@github.com> wrote: Do you mind opening a Discuss question for these problems? This issue is about tracking Kerberos authentication for Kafka, not arbitrary Kafka issues. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#5413 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AD2UZLVPXZSWN2KHOQOSMLDSCKMINANCNFSM4EAA7QHQ> .

kvch · 2020-08-24T17:17:08Z

I meant opening a question here: https://discuss.elastic.co/c/elastic-stack/beats/28
I will find someone to help you there. Thanks in advance.

moulisea · 2020-08-24T17:23:45Z

Thanks. I have created one. link below. https://discuss.elastic.co/t/filebeat-connect-with-kafka-kerberos-sasl-ssl-not-working/246160 Thanks, Mouli On Wed, Aug 19, 2020 at 12:23 PM chandramouli srinivasan < c84.srinivasan@gmail.com> wrote:

…

I did that and I see below two errors. In the initial logs, it says it established kafka connection. But later I see below errors. DEBUG [harvester] log/log.go:107 End of file reached: E:\Logs\file.log; Backoff now. DEBUG [kafka] kafka/client.go:277 finished kafka batch DEBUG [kafka] kafka/client.go:291 Kafka publish failed with: kafka: client has run out of available brokers to talk to (Is your cluster reachable?) Kafka publish failed with: circuit breaker is open Thanks, Mouli On Wed, Aug 19, 2020 at 10:31 AM Noémi Ványi ***@***.***> wrote: > @moulisea <https://github.com/moulisea> ATM kerberos.username is > commented out. You need to remove # from the beginning of the line. > > — > You are receiving this because you were mentioned. > Reply to this email directly, view it on GitHub > <#5413 (comment)>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AD2UZLQIPOWRM7G24RWJDHDSBPV5TANCNFSM4EAA7QHQ> > . >

Ghaithjemai · 2020-10-05T16:05:19Z

same problem... did you find the solution?

atalukdar · 2021-03-02T22:20:04Z

I am having same issue with filebeat-7.11.1

Any solution on sasl_ssl?

Connection to kafka(xxxxx:9093) established
[kafka] kafka/client.go:371 finished kafka batch
[kafka] kafka/client.go:385 Kafka publish failed with: kafka: client has run out of available brokers to talk to (Is your cluster reachable?)

elafontaine · 2021-05-18T22:06:15Z

Same problem. Searching for a link to a solution.

urso · 2021-05-19T07:47:12Z

Can you reproduce the issue with 7.12?

elafontaine · 2021-05-21T01:33:11Z

We were on 7.10 from the standard rpm repository of Red Hat I believe. I'll ask to try on filebeat 7.12

I noticed that it's mostly a Kerberos issue, there is just no log about it. I noticed we're forced to put the service_name parameter, even though the authentification is successful without it (and with it, it actually fails... I'm trying to understand why on my side.

elafontaine · 2021-05-26T21:29:49Z

Ok, I confirm that with 7.12, we're able to make it work with password type of authentification with kerberos (and clear text password in the configuration). However, as soon as we switch this to auth_type: keytab and pass the keytab option, it stops working. I have confirmed the keytab authentification with kinit and with the same service that filebeat should be trying to use as per the config.

We just tested with 7.13, the same; clear text password works, but keytab doesn't.

theforcebemay · 2021-06-16T11:45:28Z

@elafontaine
Could you share your filebeat.yml?

JunTaoYuan80 · 2021-10-09T09:11:52Z

Same problem with 7.15. Searching for a link to a solution.

2021-10-09T17:10:45.739+0800	INFO	[file_watcher]	filestream/fswatch.go:137	Start next scan
2021-10-09T17:10:50.838+0800	ERROR	[kafka]	kafka/client.go:317	Kafka (topic=common_log_topic): kafka: client has run out of available brokers to talk to (Is your cluster reachable?)```

jaychouuu · 2021-11-16T02:51:40Z

@JunTaoYuan80 jun Have you solved it now? I have the same problem

JunTaoYuan80 · 2021-11-17T12:24:13Z

@JunTaoYuan80 jun Have you solved it now? I have the same problem

no, but i change filebeat to logstash, it's ok.

elasticmachine · 2022-03-30T09:20:31Z

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

jlind23 · 2022-03-31T13:28:50Z

@rdner @faec does this issue rings a bell on your end?

rdner · 2022-03-31T14:04:56Z

Our latest documentation claims Kerberos is supported:

To use GSSAPI mechanism to authenticate with Kerberos, you must leave this field empty, and use the kerberos options.

https://www.elastic.co/guide/en/beats/filebeat/current/kafka-output.html#_sasl_mechanism

However, we still don't have an integration test to track that it's working #29430

jlind23 · 2022-03-31T14:06:00Z

Closing this as this is supported and keeping #29430 open in order to add safety guards.

fbaligand · 2022-03-31T19:53:59Z

Hi,

If this issue is “done”, could you precise what will be beats release that includes this feature?

jlind23 · 2022-04-01T06:59:31Z

@fbaligand as of 7.17 kerberos feature was available in beta mode as stated here: https://www.elastic.co/guide/en/beats/filebeat/7.17/kafka-output.html#_sasl_mechanism

fbaligand · 2022-04-01T07:02:23Z

Thanks for the information.

AndreAga changed the title ~~Request: Kerberos Auth on Kafka Auth~~ Request: Kerberos Auth for Kafka Oct 20, 2017

andrewkroh added enhancement libbeat :Outputs labels Sep 18, 2018

jsoriano mentioned this issue Mar 26, 2019

Metricbeat not able to collect metrics from Kerberised Kafka #11420

Closed

nathanrstacey pinned this issue Jul 26, 2019

cwurm unpinned this issue Jul 29, 2019

faec self-assigned this Jan 7, 2020

faec added Team:Beats [zube]: Investigate labels Jan 7, 2020

andresrc mentioned this issue Jan 16, 2020

Evaluate options for Kerberos auth #15619

Closed

kvch assigned kvch and unassigned faec Feb 25, 2020

kvch added Team:Services (Deprecated) Label for the former Integrations-Services team and removed Team:Beats labels Feb 25, 2020

kvch removed their assignment Oct 7, 2021

jlind23 added Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team and removed Team:Services (Deprecated) Label for the former Integrations-Services team labels Mar 30, 2022

jlind23 mentioned this issue Mar 31, 2022

Add integration tests for Kerberos over Kafka #29430

Closed

jlind23 closed this as completed Mar 31, 2022

zube bot added [zube]: Done and removed [zube]: Inbox labels Mar 31, 2022

zube bot removed the [zube]: Done label Jun 30, 2022

Kerberos Authentication for Kafka #5413

Kerberos Authentication for Kafka #5413

Comments

AndreAga commented Oct 20, 2017

mellowonpsx commented Oct 20, 2017

gmoskovicz commented Jan 8, 2018

urso commented Jan 8, 2018

miko-code commented Feb 25, 2018

mmirabedini commented Apr 26, 2018

giezer commented Apr 28, 2018

ioah86 commented Jul 19, 2018

dounine commented Aug 28, 2018

mayank-mahajan-guavus commented Mar 26, 2019

nathanrstacey commented Jul 26, 2019

smaley07 commented Oct 16, 2019

vickhello commented Dec 11, 2019

Lswx2017 commented Jan 6, 2020

Yggdrassil80 commented Jan 13, 2020

mostlyjason commented Jan 24, 2020

moulisea commented Aug 20, 2020 via email

kvch commented Aug 24, 2020

moulisea commented Aug 24, 2020 via email

kvch commented Aug 24, 2020

moulisea commented Aug 24, 2020 via email

Ghaithjemai commented Oct 5, 2020

atalukdar commented Mar 2, 2021

elafontaine commented May 18, 2021

urso commented May 19, 2021

elafontaine commented May 21, 2021

elafontaine commented May 26, 2021

theforcebemay commented Jun 16, 2021

JunTaoYuan80 commented Oct 9, 2021

jaychouuu commented Nov 16, 2021

JunTaoYuan80 commented Nov 17, 2021

elasticmachine commented Mar 30, 2022

jlind23 commented Mar 31, 2022

rdner commented Mar 31, 2022

jlind23 commented Mar 31, 2022

fbaligand commented Mar 31, 2022

jlind23 commented Apr 1, 2022

fbaligand commented Apr 1, 2022