
Environment: 

  • StreamSets Data Collector, all versions.
  • Oracle Java 1.8u351.

Issue:

It has been observed that Data Collector and Kafka pipelines [with SASL protocol] start failing after a Java upgrade to version 1.8u351.

This error appears in the Data Collector logs:

abnormal exit: java.lang.RuntimeException: Could not get Kerberos credentials: javax.security.auth.login.LoginException: Unable to obtain password from user
Check STDERR for more details
java.lang.RuntimeException: Could not get Kerberos credentials: javax.security.auth.login.LoginException: Unable to obtain password from user
at com.streamsets.datacollector.security.SecurityContext.login(SecurityContext.java:160)
at com.streamsets.datacollector.main.Main.doMain(Main.java:94)
at com.streamsets.datacollector.main.DataCollectorMain.main(DataCollectorMain.java:41)

Kafka pipeline errors:

GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: KDC has no support for encryption type (14))]) occurred when evaluating SASL token received from the Kafka Broker. Kafka Client will go to AUTHENTICATION_FAILED state.

As per the Java release notes, the des3-hmac-sha1 and rc4-hmac Kerberos encryption types (etypes) are now deprecated and disabled by default. Users can set “allow_weak_crypto = true” in the krb5.conf configuration file to re-enable them.

JDK 8u351 Update Release Notes:

https://www.oracle.com/java/technologies/javase/8u351-relnotes.html#JDK-8139348
 
 Deprecate 3DES and RC4 in Kerberos (JDK-8139348)

The des3-hmac-sha1 and rc4-hmac Kerberos encryption types (etypes) are now deprecated and disabled by default. Users can set allow_weak_crypto = true in the krb5.conf configuration file to re-enable them (along with other weak etypes including des-cbc-crc and des-cbc-md5) at their own risk. To disable a subset of the weak etypes, users can list preferred etypes explicitly in any of the default_tkt_enctypes, default_tgs_enctypes, or permitted_enctypes settings.

 There are 2 options to fix the issue:

  1. Regenerate the keytab using a more secure encryption type.
  2. As a temporary fix, set “allow_weak_crypto=true” in krb5.conf to allow the less secure encryption types.
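
Before choosing between the two options, it helps to know which keytab entries are still keyed with the disabled etypes. The following is an added example, not StreamSets or Oracle code: a Python parser for the keytab file format (version 0x0502) that lists each entry's principal, kvno and etype and flags the weak ones. The principal, realm and SAMPLE bytes are constructed for the demonstration.

```python
import struct

ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-hmac-sha1",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {1, 3, 16, 23}  # weak per the release note; 16 and 23 are the newly disabled ones

def counted(buf, pos):  # 16-bit length-prefixed string -> (bytes, next position)
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def keytab_entries(data):
    """Return [(principal, kvno, etype)] from a keytab in file format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        if len(entry) < size:
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        p, names = 2, []
        for _ in range(ncomp + 1):         # realm first, then the name components
            s, p = counted(entry, p)
            names.append(s.decode())
        kvno, etype = struct.unpack_from(">BH", entry, p + 8)  # after name_type, timestamp
        _key, p = counted(entry, p + 11)   # key bytes are skipped, never kept
        if len(entry) - p >= 4:            # optional 32-bit kvno wins when nonzero
            kvno = struct.unpack_from(">I", entry, p)[0] or kvno
        out.append(("/".join(names[1:]) + "@" + names[0], kvno, etype))
    return out

def weak_entries(data):
    """Entries keyed with a disabled etype, as (principal, kvno, etype name)."""
    return [(pr, kv, ETYPES[et]) for pr, kv, et in keytab_entries(data) if et in WEAK]

def sample_entry(kvno, etype, keylen):     # constructed entry, all-zero key, demo only
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 2) + cs(b"EXAMPLE.COM") + cs(b"sdc") + cs(b"host.example.com")
            + struct.pack(">IIBH", 1, 0, kvno, etype) + cs(bytes(keylen)) + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body

# Constructed keytab: an rc4-hmac key, a deleted slot, then an aes256 key.
SAMPLE = (b"\x05\x02" + sample_entry(2, 23, 16) + struct.pack(">i", -4) + bytes(4)
          + sample_entry(3, 18, 32))
```

To check a real file, pass `open(path, "rb").read()` to `weak_entries`; any entry it returns has to be re-keyed under option 1. Where the MIT Kerberos tools are installed, `klist -ket` on the keytab shows the same etype information.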

 

This is more of an environment-related issue and needs to be checked by the Kerberos and platform teams as well.