Data collector and Kafka pipeline started failing after Oracle Java upgrade to v1.8u351.

  • 21 November 2022
Environment: 

  • StreamSets Data Collector, all versions.
  • Oracle Java 1.8u351.

Issue:

Data Collector and Kafka pipelines (using the SASL protocol) have been observed to start failing after Java is upgraded to version 1.8u351.

This error appears in the Data Collector logs:

abnormal exit: java.lang.RuntimeException: Could not get Kerberos credentials: javax.security.auth.login.LoginException: Unable to obtain password from user
Check STDERR for more details
java.lang.RuntimeException: Could not get Kerberos credentials: javax.security.auth.login.LoginException: Unable to obtain password from user
at com.streamsets.datacollector.security.SecurityContext.login(SecurityContext.java:160)
at com.streamsets.datacollector.main.Main.doMain(Main.java:94)
at com.streamsets.datacollector.main.DataCollectorMain.main(DataCollectorMain.java:41)

Kafka pipeline errors:

GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: KDC has no support for encryption type (14))]) occurred when evaluating SASL token received from the Kafka Broker. Kafka Client will go to AUTHENTICATION_FAILED state.

As per the Java release notes, the des3-hmac-sha1 and rc4-hmac Kerberos encryption types (etypes) are now deprecated and disabled by default. Users can set “allow_weak_crypto = true” in the krb5.conf configuration file to re-enable them.

JDK 8u351 Update Release Notes:

https://www.oracle.com/java/technologies/javase/8u351-relnotes.html#JDK-8139348

Deprecate 3DES and RC4 in Kerberos (JDK-8139348)

The des3-hmac-sha1 and rc4-hmac Kerberos encryption types (etypes) are now deprecated and disabled by default. Users can set allow_weak_crypto = true in the krb5.conf configuration file to re-enable them (along with other weak etypes including des-cbc-crc and des-cbc-md5) at their own risk. To disable a subset of the weak etypes, users can list preferred etypes explicitly in any of the default_tkt_enctypes, default_tgs_enctypes, or permitted_enctypes settings.

There are 2 options to fix the issue:

  1. Regenerate the keytab using a more secure encryption type.
  2. As a temporary fix, set “allow_weak_crypto = true” in krb5.conf to allow the less secure encryption types.


This is more of an environment-related issue and needs to be checked by the Kerberos and platform teams as well.
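
For option 1, it helps to know which keytabs still hold only weak keys before the Java upgrade is rolled out. The following is an added example, not part of the original post or of StreamSets code: it reads the MIT keytab file format (version 0x0502) and flags entries whose etype the release note lists as weak. The principal, realm and all-zero keys in the sample are constructed, and the function names are hypothetical.

```python
import struct

# Kerberos etype numbers; WEAK is the set JDK 8u351 disables by default.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-hmac-sha1",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {1, 3, 16, 23}

def counted(buf, off):  # 16-bit length-prefixed field -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def keytab_etypes(data):
    """Return [(principal, kvno, etype name, is_weak)] for a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        start, off = off + 4, off + 4 + abs(size)  # off now points at the next entry
        if size <= 0:                      # negative size marks a deleted entry (hole)
            continue
        (ncomp,) = struct.unpack_from(">H", data, start)
        realm, p = counted(data, start + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = counted(data, p)
            comps.append(comp.decode())
        kvno = data[p + 8]                 # skip name type (4) and timestamp (4)
        (etype,) = struct.unpack_from(">H", data, p + 9)
        _key, p = counted(data, p + 11)    # key bytes are skipped, never printed
        if off - p >= 4:                   # optional 32-bit kvno, used when non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        out.append(("/".join(comps) + "@" + realm.decode(), kvno,
                    ETYPES.get(etype, "etype-%d" % etype), etype in WEAK))
    return out

# Constructed test data: one principal with an rc4-hmac key and an aes256 key.
def sample_entry(name, realm, kvno, etype, keylen):
    s = lambda b: struct.pack(">H", len(b)) + b
    parts = name.encode().split(b"/")
    body = (struct.pack(">H", len(parts)) + s(realm.encode()) + b"".join(map(s, parts))
            + struct.pack(">IIBH", 1, 0, kvno, etype) + s(bytes(keylen)))
    return struct.pack(">i", len(body)) + body
SAMPLE = (b"\x05\x02" + sample_entry("sdc/host.example.com", "EXAMPLE.COM", 2, 23, 16)
          + sample_entry("sdc/host.example.com", "EXAMPLE.COM", 3, 18, 32))

if __name__ == "__main__":
    print(*keytab_etypes(SAMPLE), sep="\n")
```

A principal whose entries are all flagged weak is the case that breaks after the upgrade; one that also has an AES entry should keep working once the KDC issues AES tickets for it.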

