Schema Registry with SASL in docker compose


I have Kafka, Zookeeper, and Schema-Registry in the following network:

---
# Docker Compose stack from the question: ZooKeeper, one Kafka broker and
# Schema Registry on a shared network, authenticating with SASL/PLAIN through
# JAAS files bind-mounted from ./data.
# NOTE(review): '3_7' is not a Compose file format version ('3.7' is presumably
# meant); Compose v2 treats this key as informational only.
version: '3_7'

services:
  zookeeper:
    # No tag is given, so this resolves to :latest; pin a version tag or a
    # digest for a reproducible stack.
    image: confluentinc/cp-zookeeper
    volumes:
      # The JAAS file holds credentials in plaintext. No mode is set, so the
      # mount is read-write; a read-only mount (':ro') should be sufficient for
      # a file the JVM only reads.
      - ./data/zookeeper_jaas.conf:/opt/zookeeper_jaas.conf
    hostname: zookeeper
    container_name: zookeeper
    ports:
      # Published on all host interfaces. The broker reaches ZooKeeper as
      # zookeeper:2181 on the Compose network, so host publishing is only
      # needed for host-side tools; "127.0.0.1:2181:2181" limits it to the
      # local machine.
      - "2181:2181"
    networks:
      - network
    environment:
      ZOOKEEPER_CLIENT_PORT: 2181
      ZOOKEEPER_TICK_TIME: 2000
      # Points the JVM at the mounted JAAS login configuration.
      KAFKA_OPTS: "-Djava.security.auth.login.config=/opt/zookeeper_jaas.conf"
    # Appends three SASL settings to /etc/kafka/zookeeper.properties, then
    # hands over to the image's normal start script.
    # NOTE(review): confirm the appended lines are still present once
    # /etc/confluent/docker/run has finished configuring; if that script
    # regenerates the properties file, they are lost and client SASL is not
    # required.
    command: ["/bin/bash", "-c", "echo 'authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider' >> /etc/kafka/zookeeper.properties && echo 'jaasLoginRenew=3600000' >> /etc/kafka/zookeeper.properties && echo 'requireClientAuthScheme=sasl' >> /etc/kafka/zookeeper.properties && /etc/confluent/docker/run"]




  broker:
    # Untagged image: resolves to :latest.
    image: confluentinc/cp-kafka
    volumes:
      # Broker-side JAAS file (plaintext credentials); mounted read-write
      # because no mode is given.
      - ./data/kafka_server_jaas.conf:/opt/kafka_server_jaas.conf
    hostname: broker
    container_name: broker
    # Short-form depends_on only orders container start; it does not wait for
    # ZooKeeper to accept connections.
    depends_on:
      - zookeeper
    ports:
      # Published on all host interfaces. The advertised listener below is
      # broker:9093, a name that resolves on the Compose network; host-side
      # clients need 'broker' to resolve as well.
      - "9093:9093" # SASL_PLAINTEXT
    networks:
      - network
    environment:
      KAFKA_BROKER_ID: 1
      KAFKA_ZOOKEEPER_CONNECT: 'zookeeper:2181'
      # SASL_PLAINTEXT authenticates but does not encrypt; with the PLAIN
      # mechanism the username and password cross the network in cleartext.
      # Acceptable on an isolated lab network; use SASL_SSL elsewhere.
      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: SASL_PLAINTEXT:SASL_PLAINTEXT
      KAFKA_LISTENERS: "SASL_PLAINTEXT://broker:9093"
      KAFKA_ADVERTISED_LISTENERS: "SASL_PLAINTEXT://broker:9093"
      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
      KAFKA_GROUP_INITIAL_REBALANCE_DELAY_MS: 0
      KAFKA_SECURITY_INTER_BROKER_PROTOCOL: "SASL_PLAINTEXT"
      KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL: "PLAIN"
      KAFKA_SASL_ENABLED_MECHANISMS: "PLAIN"
      # Points the broker JVM at the mounted JAAS login configuration.
      KAFKA_OPTS: "-Djava.security.auth.login.config=/opt/kafka_server_jaas.conf"



  schema-registry:
    # Untagged image: resolves to :latest.
    image: confluentinc/cp-schema-registry
    volumes:
      # Client JAAS file with the username and password the registry uses
      # against the broker; mounted read-write because no mode is given.
      - ./data/kafka_client_jaas.conf:/opt/kafka_client_jaas.conf
    hostname: schema-registry
    container_name: schema-registry
    # Orders start after the broker container, not after broker readiness.
    depends_on:
      - broker
    ports:
      # Schema Registry REST API, published on all host interfaces.
      # NOTE(review): the settings below cover only the registry-to-Kafka
      # connection (KAFKASTORE_*); nothing visible here adds authentication or
      # TLS to the REST listener itself.
      - "8081:8081"
    networks:
      - network
    environment:
      SCHEMA_REGISTRY_HOST_NAME: schema-registry
      SCHEMA_REGISTRY_KAFKASTORE_BOOTSTRAP_SERVERS: 'broker:9093'
      SCHEMA_REGISTRY_LOG4J_ROOT_LOGLEVEL: WARN
      # Client-side SASL settings for the registry's connection to the broker.
      SCHEMA_REGISTRY_KAFKASTORE_SECURITY_PROTOCOL: SASL_PLAINTEXT
      SCHEMA_REGISTRY_KAFKASTORE_SASL_MECHANISM: PLAIN
      # NOTE(review): the startup log in the question shows the preflight
      # kafka-ready check running without java.security.auth.login.config set,
      # so this variable apparently does not reach that JVM. TODO confirm which
      # *_OPTS variable the image's preflight step reads.
      SCHEMA_REGISTRY_OPTS: "-Djava.security.auth.login.config=/opt/kafka_client_jaas.conf"




networks:
  network:
    # Fixed network name instead of the default project-prefixed one.
    name: network


But schema-registry is always exiting after start:

NAME                COMMAND                  SERVICE             STATUS              PORTS
broker              "/etc/confluent/dock…"   broker              running             9092/tcp, 0.0.0.0:9093->9093/tcp, :::9093->9093/tcp
schema-registry     "/etc/confluent/dock…"   schema-registry     exited (1)          
zookeeper           "/bin/bash -c 'echo …"   zookeeper           running             0.0.0.0:2181->2181/tcp, :::2181->2181/tcp, 2888/tcp, 3888/tcp

With the following error:

===> User
uid=1000(appuser) gid=1000(appuser) groups=1000(appuser)
===> Configuring ...
===> Running preflight checks ... 
===> Check if Kafka is healthy ...
[2023-05-23 08:07:14,063] ERROR Error while running kafka-ready. (io.confluent.admin.utils.cli.KafkaReadyCommand)
org.apache.kafka.common.KafkaException: Failed to create new KafkaAdminClient
        at org.apache.kafka.clients.admin.KafkaAdminClient.createInternal(KafkaAdminClient.java:551)
        at org.apache.kafka.clients.admin.Admin.create(Admin.java:144)
        at org.apache.kafka.clients.admin.AdminClient.create(AdminClient.java:49)
        at io.confluent.admin.utils.ClusterStatus.isKafkaReady(ClusterStatus.java:136)
        at io.confluent.admin.utils.cli.KafkaReadyCommand.main(KafkaReadyCommand.java:149)
Caused by: java.lang.IllegalArgumentException: Could not find a 'KafkaClient' entry in the JAAS configuration. System property 'java.security.auth.login.config' is not set
        at org.apache.kafka.common.security.JaasContext.defaultContext(JaasContext.java:150)
        at org.apache.kafka.common.security.JaasContext.load(JaasContext.java:103)
        at org.apache.kafka.common.security.JaasContext.loadClientContext(JaasContext.java:87)
        at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:167)
        at org.apache.kafka.common.network.ChannelBuilders.clientChannelBuilder(ChannelBuilders.java:81)
        at org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:105)
        at org.apache.kafka.clients.admin.KafkaAdminClient.createInternal(KafkaAdminClient.java:522)
        ... 4 more

Kafka Client config in kafka_client_jaas.conf looks like this:

KafkaClient {
  org.apache.kafka.common.security.plain.PlainLoginModule required 
  username="kafka" 
  password="kafka-secret";
};

How can I fix it? This error started to appear after I added JAAS to the configuration, so it seems related, but my configuration looks the same as the one in the documentation.


There are 1 best solutions below

A. Vasyukhin On

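I needed to use KAFKA_OPTS in place of SCHEMA_REGISTRY_OPTS, because the JAAS file is used for the connection from the registry to Kafka, not for connections to the registry. (The stack trace shows the preflight kafka-ready check starting without java.security.auth.login.config set.)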