KRaft Mode with OAuth: Kafka Fails to Recognize JAAS Configuration in Bitnami Docker Image #76696

Open
mehmeteminduran opened this issue Jan 28, 2025 · 1 comment
Labels: kafka, tech-issues (The user has a technical issue about an application), triage (Triage is needed)

Comments


mehmeteminduran commented Jan 28, 2025

Name and Version

bitnami/kafka:latest

What architecture are you using?

None

What steps will reproduce the bug?

version: '3.8'

services:
  kafka1:
    image: docker.io/bitnami/kafka:latest
    ports:
      - "9092:9092"
      - "9093:9093"
      - "9094:9094"
    depends_on:
      keycloak:
        condition: service_healthy
    environment:
      # KRaft Configuration
      KAFKA_ENABLE_KRAFT: "true"
      KAFKA_CFG_NODE_ID: 1
      KAFKA_CFG_PROCESS_ROLES: broker,controller
      KAFKA_CFG_CONTROLLER_QUORUM_VOTERS: 1@kafka1:9093,2@kafka2:9093,3@kafka3:9093
      KAFKA_CFG_CONTROLLER_LISTENER_NAMES: CONTROLLER
      #KAFKA_LISTENERS: SASL_SSL://:9092,CONTROLLER://:9093
      #KAFKA_ADVERTISED_LISTENERS: SASL_SSL://kafka1:9092
      #KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: SASL_SSL:SASL_SSL,CONTROLLER:SASL_SSL
      KAFKA_CFG_SASL_MECHANISM_CONTROLLER_PROTOCOL: OAUTHBEARER

      # Listener Configuration
      KAFKA_CFG_LISTENERS: SASL_SSL://:9092,CONTROLLER://:9093
      KAFKA_CFG_ADVERTISED_LISTENERS: SASL_SSL://kafka1:9092
      KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP: SASL_SSL:SASL_SSL,CONTROLLER:SASL_SSL 
      
      # Security Configuration
      KAFKA_CFG_SASL_MECHANISMS: OAUTHBEARER
      KAFKA_CFG_SASL_ENABLED_MECHANISMS: OAUTHBEARER
      KAFKA_CFG_SASL_MECHANISM_INTER_BROKER_PROTOCOL: OAUTHBEARER
      KAFKA_CFG_SECURITY_INTER_BROKER_PROTOCOL: SASL_SSL
      
      # SASL Configuration
      KAFKA_CFG_SASL_LOGIN_CALLBACK_HANDLER_CLASS: org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
      KAFKA_CFG_SASL_SERVER_CALLBACK_HANDLER_CLASS: org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerValidatorCallbackHandler
      #KAFKA_CFG_SASL_JAAS_CONFIG: "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required unsecuredLoginStringClaim_sub=\"admin\" oauth.client.id=\"kafka-broker-client\" oauth.client.secret=\"kafka-broker-secret\" oauth.token.endpoint.uri=\"http://keycloak:8081/auth/realms/kafka-realm/protocol/openid-connect/token\";"
      KAFKA_CFG_SASL_JAAS_CONFIG: "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
        unsecuredLoginStringClaim_sub=\"admin\" \
        oauth.client.id=\"kafka-broker-client\" \
        oauth.client.secret=\"kafka-broker-secret\" \
        oauth.token.endpoint.uri=\"http://keycloak:8081/realms/kafka-realm/protocol/openid-connect/token\"; \
        oauth.scope=\"openid\";" 
      KAFKA_OPTS: "-Djava.security.auth.login.config=/bitnami/kafka/config/kafka_server_jaas.conf"
      # SSL Configuration
      KAFKA_SSL_KEYSTORE_LOCATION: /bitnami/kafka/config/certs/kafka.keystore.jks
      KAFKA_SSL_KEYSTORE_PASSWORD: "123456"
      KAFKA_SSL_KEY_PASSWORD: "123456"
      KAFKA_SSL_TRUSTSTORE_LOCATION: /bitnami/kafka/config/certs/kafka.truststore.jks
      KAFKA_SSL_TRUSTSTORE_PASSWORD: "123456"
      
      KAFKA_CLUSTER_ID: "kafka-cluster-1" 
    volumes:
      - kafka1_data:/bitnami/kafka
      - ./kafka/secrets:/bitnami/kafka/config/certs
      - ./kafka/kafka_server_jaas.conf:/bitnami/kafka/config/kafka_server_jaas.conf
    networks:
      - kafka-net

  kafka2:
    image: docker.io/bitnami/kafka:latest
    ports:
      - "19092:9092"
      - "19093:9093"
      - "19094:9094"
    depends_on:
      keycloak:
        condition: service_healthy
    environment:
      # KRaft Configuration
      KAFKA_ENABLE_KRAFT: "true"
      KAFKA_CFG_NODE_ID: 2
      KAFKA_CFG_PROCESS_ROLES: broker,controller
      KAFKA_CFG_CONTROLLER_QUORUM_VOTERS: 1@kafka1:9093,2@kafka2:9093,3@kafka3:9093
      KAFKA_CFG_CONTROLLER_LISTENER_NAMES: CONTROLLER
      #KAFKA_LISTENERS: SASL_SSL://:19092,CONTROLLER://:19093
      #KAFKA_ADVERTISED_LISTENERS: SASL_SSL://kafka2:9092
      #KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: SASL_SSL:SASL_SSL,CONTROLLER:SASL_SSL
      KAFKA_CFG_SASL_MECHANISM_CONTROLLER_PROTOCOL: OAUTHBEARER 

      # Listener Configuration
      KAFKA_CFG_LISTENERS: SASL_SSL://:19092,CONTROLLER://:19093
      KAFKA_CFG_ADVERTISED_LISTENERS: SASL_SSL://kafka2:19092
      KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP: SASL_SSL:SASL_SSL,CONTROLLER:SASL_SSL
      
      # Security Configuration
      KAFKA_CFG_SASL_MECHANISMS: OAUTHBEARER
      KAFKA_CFG_SASL_ENABLED_MECHANISMS: OAUTHBEARER
      KAFKA_CFG_SASL_MECHANISM_INTER_BROKER_PROTOCOL: OAUTHBEARER
      KAFKA_CFG_SECURITY_INTER_BROKER_PROTOCOL: SASL_SSL
      
      # SASL Configuration
      KAFKA_CFG_SASL_LOGIN_CALLBACK_HANDLER_CLASS: org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
      KAFKA_CFG_SASL_SERVER_CALLBACK_HANDLER_CLASS: org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerValidatorCallbackHandler
      #KAFKA_CFG_SASL_JAAS_CONFIG: "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required unsecuredLoginStringClaim_sub=\"admin\" oauth.client.id=\"kafka-broker-client\" oauth.client.secret=\"kafka-broker-secret\" oauth.token.endpoint.uri=\"http://keycloak:8081/auth/realms/kafka-realm/protocol/openid-connect/token\";"
      KAFKA_CFG_SASL_JAAS_CONFIG: "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
        unsecuredLoginStringClaim_sub=\"admin\" \
        oauth.client.id=\"kafka-broker-client\" \
        oauth.client.secret=\"kafka-broker-secret\" \
        oauth.token.endpoint.uri=\"http://keycloak:8081/realms/kafka-realm/protocol/openid-connect/token\"; \
        oauth.scope=\"openid\";"
      KAFKA_OPTS: "-Djava.security.auth.login.config=/bitnami/kafka/config/kafka_server_jaas.conf"
      # SSL Configuration
      KAFKA_SSL_KEYSTORE_LOCATION: /bitnami/kafka/config/certs/kafka.keystore.jks
      KAFKA_SSL_KEYSTORE_PASSWORD: "123456"
      KAFKA_SSL_KEY_PASSWORD: "123456"
      KAFKA_SSL_TRUSTSTORE_LOCATION: /bitnami/kafka/config/certs/kafka.truststore.jks
      KAFKA_SSL_TRUSTSTORE_PASSWORD: "123456"
      
      KAFKA_CLUSTER_ID: "kafka-cluster-1" 

    volumes:
      - kafka2_data:/bitnami/kafka
      - ./kafka/secrets:/bitnami/kafka/config/certs
      - ./kafka/kafka_server_jaas.conf:/bitnami/kafka/config/kafka_server_jaas.conf
    networks:
      - kafka-net

  kafka3:
    image: docker.io/bitnami/kafka:latest
    ports:
      - "29092:9092"
      - "29093:9093"
      - "29094:9094"
    depends_on:
      keycloak:
        condition: service_healthy
    environment:
      # KRaft Configuration
      KAFKA_ENABLE_KRAFT: "true"
      KAFKA_CFG_NODE_ID: 3
      KAFKA_CFG_PROCESS_ROLES: broker,controller
      KAFKA_CFG_CONTROLLER_QUORUM_VOTERS: 1@kafka1:9093,2@kafka2:9093,3@kafka3:9093
      KAFKA_CFG_CONTROLLER_LISTENER_NAMES: CONTROLLER
      #KAFKA_LISTENERS: SASL_SSL://:29092,CONTROLLER://:29093
      #KAFKA_ADVERTISED_LISTENERS: SASL_SSL://kafka3:9092
      #KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: SASL_SSL:SASL_SSL,CONTROLLER:SASL_SSL
      KAFKA_CFG_SASL_MECHANISM_CONTROLLER_PROTOCOL: OAUTHBEARER

      # Listener Configuration
      KAFKA_CFG_LISTENERS: SASL_SSL://:29092,CONTROLLER://:29093
      KAFKA_CFG_ADVERTISED_LISTENERS: SASL_SSL://kafka3:29092
      KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP: SASL_SSL:SASL_SSL,CONTROLLER:SASL_SSL 
      
      # Security Configuration
      KAFKA_CFG_SASL_MECHANISMS: OAUTHBEARER
      KAFKA_CFG_SASL_ENABLED_MECHANISMS: OAUTHBEARER
      KAFKA_CFG_SASL_MECHANISM_INTER_BROKER_PROTOCOL: OAUTHBEARER
      KAFKA_CFG_SECURITY_INTER_BROKER_PROTOCOL: SASL_SSL
      
      # SASL Configuration
      KAFKA_CFG_SASL_LOGIN_CALLBACK_HANDLER_CLASS: org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
      KAFKA_CFG_SASL_SERVER_CALLBACK_HANDLER_CLASS: org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerValidatorCallbackHandler
      #KAFKA_CFG_SASL_JAAS_CONFIG: "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required unsecuredLoginStringClaim_sub=\"admin\" oauth.client.id=\"kafka-broker-client\" oauth.client.secret=\"kafka-broker-secret\" oauth.token.endpoint.uri=\"http://keycloak:8081/auth/realms/kafka-realm/protocol/openid-connect/token\";"
      KAFKA_CFG_SASL_JAAS_CONFIG: "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
        unsecuredLoginStringClaim_sub=\"admin\" \
        oauth.client.id=\"kafka-broker-client\" \
        oauth.client.secret=\"kafka-broker-secret\" \
        oauth.token.endpoint.uri=\"http://keycloak:8081/realms/kafka-realm/protocol/openid-connect/token\"; \
        oauth.scope=\"openid\";"
      KAFKA_OPTS: "-Djava.security.auth.login.config=/bitnami/kafka/config/kafka_server_jaas.conf"
      # SSL Configuration
      KAFKA_SSL_KEYSTORE_LOCATION: /bitnami/kafka/config/certs/kafka.keystore.jks
      KAFKA_SSL_KEYSTORE_PASSWORD: "123456"
      KAFKA_SSL_KEY_PASSWORD: "123456"
      KAFKA_SSL_TRUSTSTORE_LOCATION: /bitnami/kafka/config/certs/kafka.truststore.jks
      KAFKA_SSL_TRUSTSTORE_PASSWORD: "123456"
      KAFKA_TLS_TYPE: JKS
      KAFKA_CLUSTER_ID: "kafka-cluster-1" 

    volumes:
      - kafka3_data:/bitnami/kafka
      - ./kafka/secrets:/bitnami/kafka/config/certs
      - ./kafka/kafka_server_jaas.conf:/bitnami/kafka/config/kafka_server_jaas.conf
    networks:
      - kafka-net


  keycloak:
    image: quay.io/keycloak/keycloak:latest
    container_name: keycloak
    environment:
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin
      KC_HEALTH_ENABLED: true
      KC_METRICS_ENABLED: true
    command:
      - start-dev
      - --hostname=localhost
      - --http-port=8081
      - --hostname-strict=false
      - --import-realm
    volumes:
      - ./kafka-realm.json:/opt/keycloak/data/import/realm.json
    ports:
      - "8081:8081"
    networks:
      - kafka-net 
    healthcheck:
      test: ["CMD-SHELL", "exec 3<>/dev/tcp/127.0.0.1/8081;echo -e 'GET /health/ready HTTP/1.1\r\nhost: http://localhost\r\nConnection: close\r\n\r\n' >&3;if [ $? -eq 0 ]; then echo 'Healthcheck Successful';exit 0;else echo 'Healthcheck Failed';exit 1;fi;"] 
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 20s 
volumes:
  kafka1_data:
  kafka2_data:
  kafka3_data:
networks:
  kafka-net:
    driver: bridge

What do you see instead?

2025-01-28 12:34:56 [2025-01-28 09:34:56,898] ERROR Encountered fatal fault: caught exception (org.apache.kafka.server.fault.ProcessTerminatingFaultHandler)
2025-01-28 12:34:56 java.lang.IllegalArgumentException: Login module not specified in JAAS config

Additional information

When configuring Apache Kafka in KRaft mode with OAuth authentication, Kafka fails to recognize the JAAS configuration, resulting in the following error:

java.lang.IllegalArgumentException: Login module not specified in JAAS config

Kafka running in a Bitnami Docker image (bitnami/kafka:latest)
KAFKA_OPTS correctly set:
-Djava.security.auth.login.config=/bitnami/kafka/config/kafka_server_jaas.conf
The kafka_server_jaas.conf file is correctly mounted and contains a valid JAAS configuration.
KAFKA_CFG_SASL_JAAS_CONFIG is also set as an environment variable.

Steps to Reproduce:

1. Deploy Kafka in KRaft mode using Bitnami's Docker image.
2. Configure OAuth SASL authentication using JAAS (kafka_server_jaas.conf).
3. Start Kafka and check logs.
4. Kafka fails with the error "Login module not specified in JAAS config" despite the JAAS file being present.

Expected Behavior:
Kafka should properly recognize the kafka_server_jaas.conf file and authenticate using OAuth.

Actual Behavior:
Kafka fails at startup, indicating that the login module is missing, even though the JAAS configuration is correctly provided via KAFKA_OPTS.

Possible Causes:

Bitnami image may not be properly recognizing KAFKA_OPTS for JAAS configuration.
Kafka might be prioritizing KAFKA_CFG_SASL_JAAS_CONFIG over java.security.auth.login.config.
Multi-line YAML handling in docker-compose.yml may be causing issues with JAAS parsing.
Workarounds Attempted:

Explicitly setting KAFKA_OPTS in Dockerfile instead of docker-compose.yml.
Using different Kafka versions (3.4.0, latest).
Confirmed that the JAAS file is correctly mounted inside the container.

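Two of the possible causes listed in the report (multi-line YAML handling, and how the broker reads the string that KAFKA_CFG_SASL_JAAS_CONFIG becomes as sasl.jaas.config) can be checked offline. The following is an added example, not code from the issue or the Bitnami project: it folds the posted value the way a YAML double-quoted scalar folds (a backslash before a line break joins the lines) and then parses the result with a simplified re-implementation of the sasl.jaas.config entry grammar (login module, control flag, key=value options, terminating `;`), so it shows that the line continuations survive folding but that the `;` after oauth.token.endpoint.uri closes the entry before oauth.scope.

```python
# Added example, not code from the issue or the Bitnami project: fold the posted
# multi-line YAML value, then parse it with the sasl.jaas.config entry grammar.
import re

# Constructed copy of the value as written in the posted docker-compose.yml.
POSTED = r'''"org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
        unsecuredLoginStringClaim_sub=\"admin\" \
        oauth.client.id=\"kafka-broker-client\" \
        oauth.client.secret=\"kafka-broker-secret\" \
        oauth.token.endpoint.uri=\"http://keycloak:8081/realms/kafka-realm/protocol/openid-connect/token\"; \
        oauth.scope=\"openid\";"'''
# Same value with the ';' after the token endpoint URI removed, so the single
# entry is terminated once, after oauth.scope.
FIXED = POSTED.replace('token\\"; \\\n', 'token\\" \\\n')
FLAGS = {"REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"}
TOKEN = re.compile(r'"([^"]*)"|([^\s=;"]+)|([=;])')

def fold_double_quoted(scalar):
    """YAML double-quoted folding: backslash-newline drops the break and the
    next line's indentation; \\" unescapes to a plain quote."""
    body = re.sub(r"\\\n[ \t]*", "", scalar.strip()[1:-1])  # outer quotes off
    return body.replace('\\"', '"')

def parse_jaas(config):
    """Return one dict per login-module entry; raise ValueError if malformed."""
    toks = []
    for m in TOKEN.finditer(config):
        quoted, bare, sym = m.groups()
        toks.append(("sym", sym) if sym else ("word", bare if quoted is None else quoted))
    entries, i = [], 0
    while i < len(toks):
        if toks[i][0] != "word":
            raise ValueError(f"expected a login module name, got {toks[i][1]!r}")
        module, i = toks[i][1], i + 1
        if i >= len(toks) or toks[i][0] != "word" or toks[i][1].upper() not in FLAGS:
            raise ValueError(f"{module!r}: missing or invalid control flag")
        flag, i, options = toks[i][1], i + 1, {}
        while i < len(toks) and toks[i] != ("sym", ";"):  # key=value options
            if i + 2 >= len(toks) or toks[i][0] != "word" or toks[i + 1] != ("sym", "=") or toks[i + 2][0] != "word":
                raise ValueError(f"{module!r}: malformed key=value option")
            options[toks[i][1]] = toks[i + 2][1]
            i += 3
        if i >= len(toks):
            raise ValueError(f"{module!r}: entry not terminated by ';'")
        i += 1
        entries.append({"module": module, "flag": flag, "options": options})
    if not entries:
        raise ValueError("Login module not specified in JAAS config")
    return entries
```

Running parse_jaas(fold_double_quoted(POSTED)) fails on the second "entry" that starts at oauth.scope, while FIXED parses as one OAuthBearerLoginModule entry with five options; the parser's messages are its own, not Kafka's.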
@mehmeteminduran mehmeteminduran added the tech-issues The user has a technical issue about an application label Jan 28, 2025
@github-actions github-actions bot added the triage Triage is needed label Jan 28, 2025
@carrodher (Member) commented:

Thank you for bringing this issue to our attention. We appreciate your involvement! If you're interested in contributing a solution, we welcome you to create a pull request. The Bitnami team is excited to review your submission and offer feedback. You can find the contributing guidelines here.

Your contribution will greatly benefit the community. Feel free to reach out if you have any questions or need assistance.
