Logstash group authorization error in Kafka Input

Hi All,

I am getting the below error while trying to connect to Kafka from Logstash.

Exception in thread "Ruby-0-Thread-20: /Users/sn2/Desktop/logstash-5.6.1/vendor/bundle/jruby/1.9/gems/logstash-input-kafka-5.1.11/lib/logstash/inputs/kafka.rb:229" org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to access group: logstash

I am using Logstash version 5.6.1 and Kafka version 0.10.0.1. Kafka is provisioned in Amazon AWS and it is using SSL security access.

Logstash logs:

Sending Logstash's logs to /Users/sn2/Desktop/logstash-5.6.1/logs which is now configured via log4j2.properties
[2017-11-07T13:52:28,171][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"fb_apache", :directory=>"/Users/sn2/Desktop/logstash-5.6.1/modules/fb_apache/configuration"}
[2017-11-07T13:52:28,175][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"netflow", :directory=>"/Users/sn2/Desktop/logstash-5.6.1/modules/netflow/configuration"}
[2017-11-07T13:52:28,338][INFO ][logstash.pipeline        ] Starting pipeline {"id"=>"main", "pipeline.workers"=>8, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>1000}
[2017-11-07T13:52:28,519][INFO ][logstash.pipeline        ] Pipeline main started
[2017-11-07T13:52:28,583][INFO ][org.apache.kafka.clients.consumer.ConsumerConfig] ConsumerConfig values: 
	metric.reporters = []
	metadata.max.age.ms = 300000
	partition.assignment.strategy = [org.apache.kafka.clients.consumer.RangeAssignor]
	reconnect.backoff.ms = 50
	sasl.kerberos.ticket.renew.window.factor = 0.8
	max.partition.fetch.bytes = 1048576
	bootstrap.servers = [kafka+ssl://ec2-34-205-227-216.compute-1.amazonaws.com:9096, kafka+ssl://ec2-34-233-75-247.compute-1.amazonaws.com:9096, kafka+ssl://ec2-34-198-118-170.compute-1.amazonaws.com:9096, kafka+ssl://ec2-34-231-150-104.compute-1.amazonaws.com:9096, kafka+ssl://ec2-34-233-209-20.compute-1.amazonaws.com:9096, kafka+ssl://ec2-34-233-131-252.compute-1.amazonaws.com:9096, kafka+ssl://ec2-52-205-198-73.compute-1.amazonaws.com:9096, kafka+ssl://ec2-52-4-109-80.compute-1.amazonaws.com:9096]
	ssl.keystore.type = JKS
	enable.auto.commit = true
	sasl.mechanism = GSSAPI
	interceptor.classes = null
	exclude.internal.topics = true
	ssl.truststore.password = [hidden]
	client.id = logstash-0
	ssl.endpoint.identification.algorithm = null
	max.poll.records = 2147483647
	check.crcs = true
	request.timeout.ms = 40000
	heartbeat.interval.ms = 3000
	auto.commit.interval.ms = 5000
	receive.buffer.bytes = 65536
	ssl.truststore.type = JKS
	ssl.truststore.location = ssl_truststore.jks
	ssl.keystore.password = [hidden]
	fetch.min.bytes = 1
	send.buffer.bytes = 131072
	value.deserializer = class org.apache.kafka.common.serialization.StringDeserializer
	group.id = logstash
	retry.backoff.ms = 100
	sasl.kerberos.kinit.cmd = /usr/bin/kinit
	sasl.kerberos.service.name = null
	sasl.kerberos.ticket.renew.jitter = 0.05
	ssl.trustmanager.algorithm = PKIX
	ssl.key.password = null
	fetch.max.wait.ms = 500
	sasl.kerberos.min.time.before.relogin = 60000
	connections.max.idle.ms = 540000
	session.timeout.ms = 30000
	metrics.num.samples = 2
	key.deserializer = class org.apache.kafka.common.serialization.StringDeserializer
	ssl.protocol = TLS
	ssl.provider = null
	ssl.enabled.protocols = [TLSv1.2, TLSv1.1, TLSv1]
	ssl.keystore.location = ssl_keystore.jks
	ssl.cipher.suites = null
	security.protocol = SSL
	ssl.keymanager.algorithm = SunX509
	metrics.sample.window.ms = 30000
	auto.offset.reset = latest

[2017-11-07T13:52:28,587][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
[2017-11-07T13:52:29,773][INFO ][org.apache.kafka.clients.consumer.ConsumerConfig] ConsumerConfig values: 
	metric.reporters = []
	metadata.max.age.ms = 300000
	partition.assignment.strategy = [org.apache.kafka.clients.consumer.RangeAssignor]
	reconnect.backoff.ms = 50
	sasl.kerberos.ticket.renew.window.factor = 0.8
	max.partition.fetch.bytes = 1048576
	bootstrap.servers = [kafka+ssl://ec2-34-205-227-216.compute-1.amazonaws.com:9096, kafka+ssl://ec2-34-233-75-247.compute-1.amazonaws.com:9096, kafka+ssl://ec2-34-198-118-170.compute-1.amazonaws.com:9096, kafka+ssl://ec2-34-231-150-104.compute-1.amazonaws.com:9096, kafka+ssl://ec2-34-233-209-20.compute-1.amazonaws.com:9096, kafka+ssl://ec2-34-233-131-252.compute-1.amazonaws.com:9096, kafka+ssl://ec2-52-205-198-73.compute-1.amazonaws.com:9096, kafka+ssl://ec2-52-4-109-80.compute-1.amazonaws.com:9096]
	ssl.keystore.type = JKS
	enable.auto.commit = true
	sasl.mechanism = GSSAPI
	interceptor.classes = null
	exclude.internal.topics = true
	ssl.truststore.password = [hidden]
	client.id = logstash-0
	ssl.endpoint.identification.algorithm = null
	max.poll.records = 2147483647
	check.crcs = true
	request.timeout.ms = 40000
	heartbeat.interval.ms = 3000
	auto.commit.interval.ms = 5000
	receive.buffer.bytes = 65536
	ssl.truststore.type = JKS
	ssl.truststore.location = ssl_truststore.jks
	ssl.keystore.password = [hidden]
	fetch.min.bytes = 1
	send.buffer.bytes = 131072
	value.deserializer = class org.apache.kafka.common.serialization.StringDeserializer
	group.id = logstash
	retry.backoff.ms = 100
	sasl.kerberos.kinit.cmd = /usr/bin/kinit
	sasl.kerberos.service.name = null
	sasl.kerberos.ticket.renew.jitter = 0.05
	ssl.trustmanager.algorithm = PKIX
	ssl.key.password = null
	fetch.max.wait.ms = 500
	sasl.kerberos.min.time.before.relogin = 60000
	connections.max.idle.ms = 540000
	session.timeout.ms = 30000
	metrics.num.samples = 2
	key.deserializer = class org.apache.kafka.common.serialization.StringDeserializer
	ssl.protocol = TLS
	ssl.provider = null
	ssl.enabled.protocols = [TLSv1.2, TLSv1.1, TLSv1]
	ssl.keystore.location = ssl_keystore.jks
	ssl.cipher.suites = null
	security.protocol = SSL
	ssl.keymanager.algorithm = SunX509
	metrics.sample.window.ms = 30000
	auto.offset.reset = latest

[2017-11-07T13:52:29,798][INFO ][org.apache.kafka.common.utils.AppInfoParser] Kafka version : 0.10.0.1
[2017-11-07T13:52:29,798][INFO ][org.apache.kafka.common.utils.AppInfoParser] Kafka commitId : a7a17cdec9eaa6c5
Exception in thread "Ruby-0-Thread-20: /Users/sn2/Desktop/logstash-5.6.1/vendor/bundle/jruby/1.9/gems/logstash-input-kafka-5.1.11/lib/logstash/inputs/kafka.rb:229" org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to access group: logstash
[2017-11-07T13:52:31,542][WARN ][logstash.agent           ] stopping pipeline {:id=>"main"}

Thanks,
Suresh

Does this link help?

https://groups.google.com/forum/#!topic/confluent-platform/Yj0ToxYS0Zk

This looks good to me. But I am using Kafka in AWS Cloud, which is an add-on inside the Heroku platform. There is no way to modify the ACLs.

I am able to connect from Python code to that Kafka instance, but not with Logstash.

Does the Python code use exactly the same settings for SSL and Kerberos?

I am putting the Python code here:

import json
import os
import ssl
from base64 import standard_b64encode
from tempfile import NamedTemporaryFile
from urllib.parse import urlparse

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from kafka import KafkaConsumer


def get_kafka_ssl_context():
    """
    Build the SSLContext (trusted CA plus client certificate and key) used to
    connect to Kafka over SSL.
    """
    if os.environ.get('KAFKA_CLIENT_CERT') is None:
        # No certificate in the environment: use the files in the working directory.
        ssl_context = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile='KAFKA_TRUSTED_CERT.crt')
        ssl_context.load_cert_chain('KAFKA_CLIENT_CERT.crt', keyfile='KAFKA_CLIENT_CERT_KEY.key')
    else:
        # The ssl module only loads certificates and keys from files, so the
        # environment values are written to temporary files first.
        with NamedTemporaryFile(suffix='.crt') as cert_file, \
                NamedTemporaryFile(suffix='.key') as key_file, \
                NamedTemporaryFile(suffix='.crt') as trust_file:
            cert_file.write(os.environ['KAFKA_CLIENT_CERT'].encode('utf-8'))
            cert_file.flush()

            # Re-encrypt the private key with a random one-time password so it
            # is not written to disk in the clear.
            passwd = standard_b64encode(os.urandom(33))
            private_key = serialization.load_pem_private_key(
                os.environ['KAFKA_CLIENT_CERT_KEY'].encode('utf-8'),
                password=None,
                backend=default_backend()
            )
            pem = private_key.private_bytes(
                encoding=serialization.Encoding.PEM,
                format=serialization.PrivateFormat.PKCS8,
                encryption_algorithm=serialization.BestAvailableEncryption(passwd)
            )
            key_file.write(pem)
            key_file.flush()

            trust_file.write(os.environ['KAFKA_TRUSTED_CERT'].encode('utf-8'))
            trust_file.flush()

            # create an SSLContext for passing into the kafka provider using the create_default_context
            # function which creates an SSLContext with protocol set to PROTOCOL_SSLv23, OP_NO_SSLv2,
            # and OP_NO_SSLv3 when purpose=SERVER_AUTH.
            ssl_context = ssl.create_default_context(
                purpose=ssl.Purpose.SERVER_AUTH, cafile=trust_file.name)
            ssl_context.load_cert_chain(cert_file.name, keyfile=key_file.name, password=passwd)

    # Hostname verification is switched off: the broker certificate is still
    # validated against the trusted CA, but not matched to the broker hostname.
    ssl_context.check_hostname = False
    return ssl_context


def get_kafka_brokers():
    """
    Parses the KAFKA_URL and returns a list of hostname:port pairs in the format
    that kafka-python expects.
    """
    # NOTE: The Kafka environment variables need to be present. If using
    # Apache Kafka on Heroku, they will be available in your app configuration.
    if not os.environ.get('KAFKA_URL'):
        raise RuntimeError('The KAFKA_URL config variable is not set.')

    return ['{}:{}'.format(parsedUrl.hostname, parsedUrl.port) for parsedUrl in
            [urlparse(url) for url in os.environ.get('KAFKA_URL').split(',')]]


def get_kafka_consumer(topic=None,
                       value_deserializer=lambda v: json.loads(v.decode('utf-8'))):
    """
    Return a KafkaConsumer that uses the SSLContext created with get_kafka_ssl_context.
    """

    # Create the KafkaConsumer connected to the specified brokers. Use the
    # SSLContext that is created with get_kafka_ssl_context.
    consumer = KafkaConsumer(
        topic,
        bootstrap_servers=get_kafka_brokers(),
        security_protocol='SSL',
        ssl_context=get_kafka_ssl_context(),
        value_deserializer=value_deserializer
    )

    return consumer


print('Process Start:')
consumer = get_kafka_consumer(topic='tennessee-18188.uspto')
print('Waiting for Message :')
for message in consumer:
    print(message)

In Python it directly took the certificates and key from environment files/variables. In Logstash, I had to change them to JKS format using keytool and openssl commands.
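
The settings comparison asked about above can be done mechanically. The following is an added example, not code from any poster in this thread: it parses a `ConsumerConfig values:` dump and compares it with the kafka-python consumer shown above. The sample dump is constructed by abbreviating the log in the first post, the function names are hypothetical, and `group_id=None` being kafka-python's default is a fact about that library rather than something stated in the thread.

```python
import re

# Constructed sample: a few lines abbreviated from the ConsumerConfig dump in the first post.
LOGSTASH_DUMP = """\
[2017-11-07T13:52:28,583][INFO ][org.apache.kafka.clients.consumer.ConsumerConfig] ConsumerConfig values:
\tssl.endpoint.identification.algorithm = null
\tgroup.id = logstash
\tsecurity.protocol = SSL
\tsasl.mechanism = GSSAPI

[2017-11-07T13:52:28,587][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
"""

# Effective settings of the kafka-python consumer posted above. It passes no
# group_id, and kafka-python defaults group_id to None (no group is joined).
PYTHON_CONSUMER = {
    "security.protocol": "SSL",
    "group.id": None,
    "ssl.endpoint.identification.algorithm": None,  # check_hostname = False
}

def parse_consumer_config(dump):
    """Return {key: value} from a Kafka 'ConsumerConfig values:' log dump."""
    settings, in_block = {}, False
    for line in dump.splitlines():
        if line.rstrip().endswith("ConsumerConfig values:"):
            in_block = True
            continue
        m = re.match(r"^\s+([\w.]+) = (.*)$", line)
        if in_block and m:
            value = m.group(2).strip()
            settings[m.group(1)] = None if value == "null" else value
        elif in_block and line.strip():
            in_block = False  # a new log record ends the dump
    return settings

def diff_settings(logstash, python):
    """List (key, logstash_value, python_value) for compared keys that differ."""
    return [(k, logstash.get(k), v) for k, v in sorted(python.items())
            if logstash.get(k) != v]

def needs_group_acl(settings):
    """A consumer with a group.id joins that group, which needs Read on the group."""
    return settings.get("group.id") is not None

if __name__ == "__main__":
    cfg = parse_consumer_config(LOGSTASH_DUMP)
    for key, ls, py in diff_settings(cfg, PYTHON_CONSUMER):
        print(f"{key}: logstash={ls!r} python={py!r}")
    print("group ACL needed:", needs_group_acl(cfg), needs_group_acl(PYTHON_CONSUMER))
```

The `sasl.*` lines in the dump are client defaults and have no effect while `security.protocol` is `SSL`, so of the compared keys only `group.id` separates the two clients.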
