Background
- The Pulsar cluster version is 2.7.0
- Pulsar is configured with Kerberos-based authentication
- In conf/broker.conf, saslJaasBrokerSectionName=MQBroker is set
- Part of the JAAS file is as follows:
MQBroker {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
useTicketCache=false
keyTab="${pulsar_keytab_path}/${broker_server_keytab_name}"
principal="broker/REPLACE_HN@${krb5_realm}";
};
.........
Error
After the broker starts, it reports the following error:
20:52:23.227 [main] ERROR org.apache.pulsar.common.sasl.JAASCredentialsContainer - No JAAS Configuration section header found for Client: loginContext name (JAAS file section header) was null. Please check your java.security.login.auth.config (=null) for section header: PulsarBroker
20:52:23.227 [main] ERROR org.apache.pulsar.broker.authentication.AuthenticationProviderSasl - JAAS login in broker failed
javax.security.auth.login.LoginException: loginContext name (JAAS file section header) was null. Please check your java.security.login.auth.config (=null) for section header: PulsarBroker
at org.apache.pulsar.common.sasl.JAASCredentialsContainer.<init>(JAASCredentialsContainer.java:69) ~[org.apache.pulsar-pulsar-common-2.7.0.jar:2.7.0]
at org.apache.pulsar.broker.authentication.AuthenticationProviderSasl.initialize(AuthenticationProviderSasl.java:88) [org.apache.pulsar-pulsar-broker-auth-sasl-2.7.0.jar:2.7.0]
at org.apache.pulsar.broker.authentication.AuthenticationService.<init>(AuthenticationService.java:57) [org.apache.pulsar-pulsar-broker-common-2.7.0.jar:2.7.0]
at org.apache.pulsar.broker.service.BrokerService.<init>(BrokerService.java:305) [org.apache.pulsar-pulsar-broker-2.7.0.jar:2.7.0]
at org.apache.pulsar.broker.PulsarService.start(PulsarService.java:463) [org.apache.pulsar-pulsar-broker-2.7.0.jar:2.7.0]
at org.apache.pulsar.PulsarBrokerStarter$BrokerStarter.start(PulsarBrokerStarter.java:277) [org.apache.pulsar-pulsar-broker-2.7.0.jar:2.7.0]
at org.apache.pulsar.PulsarBrokerStarter.main(PulsarBrokerStarter.java:346) [org.apache.pulsar-pulsar-broker-2.7.0.jar:2.7.0]
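Cause
- Although the section name is configured as MQBroker, the setting does not seem to take effect; the default section name PulsarBroker is still used
- Looking at the source file pulsar-broker-common\src\main\java\org\apache\pulsar\broker\ServiceConfiguration.java (note: version 2.7.0), the following code is found: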
@FieldContext(
category = CATEGORY_SASL_AUTH,
doc = "Service Principal, for login context name. Default value is \"PulsarBroker\"."
)
private String saslJaasServerSectionName = SaslConstants.JAAS_DEFAULT_BROKER_SECTION_NAME;
- The source shows that when the broker loads its configuration, the option it reads is saslJaasServerSectionName, not saslJaasBrokerSectionName; this is probably a small bug.
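Solution
Option 1:
In broker.conf, change the configuration key from saslJaasBrokerSectionName to saslJaasServerSectionName
Option 2:
In the source file pulsar-broker-common\src\main\java\org\apache\pulsar\broker\ServiceConfiguration.java, change the relevant field from saslJaasServerSectionName to saslJaasBrokerSectionName, rebuild the source, and replace the corresponding jars in the cluster's lib directory with the rebuilt ones.
Option 1 is simpler, and I have tested that it works;
Option 2 is more work; I have not tested it myself, but in theory it should work.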
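A pre-start check for the mismatch described above, as an added example that is not part of the original post or of Pulsar: it resolves the section name a 2.7.0 broker would actually use from broker.conf and confirms the JAAS file declares it. The function names, the sample keytab path and the realm are constructed placeholders.

```python
import re

DEFAULT_SECTION = "PulsarBroker"            # default quoted in the 2.7.0 source above
READ_KEY = "saslJaasServerSectionName"      # key the 2.7.0 broker reads
IGNORED_KEY = "saslJaasBrokerSectionName"   # key the post found to be ignored

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def jaas_sections(text):
    """Return section names declared in a JAAS file as `Name {`."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)      # drop block comments
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)      # drop line comments
    return set(re.findall(r"^\s*([A-Za-z_][\w.-]*)\s*\{", text, flags=re.M))

def check(broker_conf, jaas_conf):
    """Return (effective section name, list of findings)."""
    props = parse_properties(broker_conf)
    effective = props.get(READ_KEY, DEFAULT_SECTION)
    findings = []
    if IGNORED_KEY in props and READ_KEY not in props:
        findings.append(f"{IGNORED_KEY} is not read by 2.7.0; using {effective}")
    if effective not in jaas_sections(jaas_conf):
        findings.append(f"no JAAS section named {effective}")
    return effective, findings

# Constructed sample inputs mirroring the post's setup (path and realm are placeholders).
JAAS = """
MQBroker {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/path/to/broker.keytab"
  principal="broker/host@EXAMPLE.REALM";
};
"""
BROKEN = "authenticationEnabled=true\nsaslJaasBrokerSectionName=MQBroker\n"
FIXED = "authenticationEnabled=true\nsaslJaasServerSectionName=MQBroker\n"

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check(conf, JAAS))
```

To use it against a real deployment, pass the contents of conf/broker.conf and the JAAS file to check() and fail the rollout when the findings list is not empty.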