Environment:
- StreamSets Data Collector, all versions.
- Oracle Java 1.8u351.
Issue:
It has been observed that Data Collector and Kafka pipelines [with SASL protocol] start failing after a Java upgrade to version 1.8u351.
This error appears in the Data Collector logs:
abnormal exit: java.lang.RuntimeException: Could not get Kerberos credentials: javax.security.auth.login.LoginException: Unable to obtain password from user
Check STDERR for more details
java.lang.RuntimeException: Could not get Kerberos credentials: javax.security.auth.login.LoginException: Unable to obtain password from user
at com.streamsets.datacollector.security.SecurityContext.login(SecurityContext.java:160)
at com.streamsets.datacollector.main.Main.doMain(Main.java:94)
at com.streamsets.datacollector.main.DataCollectorMain.main(DataCollectorMain.java:41)
Kafka pipeline errors:
GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: KDC has no support for encryption type (14))]) occurred when evaluating SASL token received from the Kafka Broker. Kafka Client will go to AUTHENTICATION_FAILED state.
As per the Java release notes, the des3-hmac-sha1 and rc4-hmac Kerberos encryption types (etypes) are now deprecated and disabled by default. Users can set “allow_weak_crypto = true” in the krb5.conf configuration file to re-enable them.
JDK 8u351 Update Release Notes:
https://www.oracle.com/java/technologies/javase/8u351-relnotes.html#JDK-8139348
➜ Deprecate 3DES and RC4 in Kerberos (JDK-8139348)
The des3-hmac-sha1 and rc4-hmac Kerberos encryption types (etypes) are now deprecated and disabled by default. Users can set allow_weak_crypto = true in the krb5.conf configuration file to re-enable them (along with other weak etypes including des-cbc-crc and des-cbc-md5) at their own risk. To disable a subset of the weak etypes, users can list preferred etypes explicitly in any of the default_tkt_enctypes, default_tgs_enctypes, or permitted_enctypes settings.
There are 2 options to fix the issue:
- Regenerate the keytab using a more secure encryption type.
- As a temporary fix, we can set “allow_weak_crypto=true” in krb5.conf to allow those less secure encryption types.
This is more of an environment-related issue and needs to be checked by the Kerberos and platform teams as well.
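Before regenerating the keytab, it helps to confirm which entries actually use the etypes the JDK now rejects. The following is an added example, not StreamSets or Oracle code: it assumes the MIT keytab file format (version 0x0502) and lists entries with weak etypes; the principal sdc/host.example.com@EXAMPLE.COM and the sample bytes are constructed.

```python
import struct

# Etypes the JDK treats as weak (usable only with allow_weak_crypto = true); names as in the release note.
WEAK = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-hmac-sha1", 23: "rc4-hmac"}

def _counted(buf, off):  # uint16-length-prefixed string -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def keytab_entries(data):
    """Yield (principal, kvno, etype) for each live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off = 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                      # negative length marks a deleted entry
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp.decode())
        _ntype, _ts, kvno, etype = struct.unpack_from(">IIBH", data, p)
        _key, p = _counted(data, p + 11)   # skip the key bytes themselves
        if end - p >= 4:                   # optional 32-bit kvno wins if non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        yield "/".join(comps) + "@" + realm.decode(), kvno, etype
        off = end

def weak_entries(data):
    """Return (principal, kvno, etype name) for entries the JDK now rejects."""
    return [(p, k, WEAK[e]) for p, k, e in keytab_entries(data) if e in WEAK]

def _sample_entry(etype, kvno=2):
    """Constructed record: sdc/host.example.com@EXAMPLE.COM with an all-zero key."""
    body = struct.pack(">H", 2)
    for s in (b"EXAMPLE.COM", b"sdc", b"host.example.com"):
        body += struct.pack(">H", len(s)) + s
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, 16) + bytes(16)
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

SAMPLE = b"\x05\x02" + _sample_entry(23) + _sample_entry(18)  # constructed, not a real keytab

if __name__ == "__main__":
    print(weak_entries(SAMPLE))
```

To audit a real keytab, pass the file's bytes (read in binary mode) to weak_entries; an empty list means no entry in the keytab uses a weak etype.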