Note: The problem described here only occurs after enabling Kerberos on versions before ttr-2.2.0.

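Later versions already handle this, so no action is needed there. If you run into any problems during deployment or custom development, you can ask the author to help you resolve them.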

1. Symptom

After Kerberos is enabled in Ambari, starting the Kafka service produces the following error and Kafka fails to start.

[2025-10-29 10:53:11,598] INFO Registered kafka:type=kafka.Log4jController MBean (kafka.utils.Log4jControllerRegistration$)
[2025-10-29 10:53:12,414] INFO starting (kafka.server.KafkaServer)
[2025-10-29 10:53:12,415] INFO Connecting to zookeeper on hadoop1:2181,hadoop2:2181,hadoop3:2181 (kafka.server.KafkaServer)
[2025-10-29 10:53:12,465] ERROR Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
java.lang.SecurityException: zookeeper.set.acl is true, but ZooKeeper client TLS configuration identifying at least kafka.server.KafkaConfig$@6572421.ZkSslClientEnableProp, kafka.server.KafkaConfig$@6572421.ZkClientCnxnSocketProp, and kafka.server.KafkaConfig$@6572421.ZkSslKeyStoreLocationProp was not present and the verification of the JAAS login file failed [java.security.auth.login.config=null, zookeeper.sasl.client=default:true, zookeeper.sasl.clientconfig=default:Client]
        at kafka.server.KafkaServer.initZkClient(KafkaServer.scala:445)
        at kafka.server.KafkaServer.startup(KafkaServer.scala:191)
        at kafka.Kafka$.main(Kafka.scala:109)
        at kafka.Kafka.main(Kafka.scala)
[2025-10-29 10:53:12,473] INFO shutting down (kafka.server.KafkaServer)
[2025-10-29 10:53:12,486] INFO shut down completed (kafka.server.KafkaServer)
[2025-10-29 10:53:12,486] ERROR Exiting Kafka. (kafka.Kafka$)
[2025-10-29 10:53:12,488] INFO shutting down (kafka.server.KafkaServer)
[root@hadoop1 kafka]#


2. Root cause analysis

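In the log, java.security.auth.login.config=null shows that Kafka did not load the JAAS login configuration. In Kerberos mode, Kafka relies on the KAFKA_KERBEROS_PARAMS variable to pass the JAAS file path and the authentication parameters.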

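In versions before Ambari 2.2.0, the Kafka environment template (kafka-env.sh) did not automatically include this variable, so even with Kerberos enabled the Kafka process still started with default parameters and reported: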

zookeeper.set.acl is true ... verification of the JAAS login file failed

3. Emergency fix (no redeployment required)

You can add one environment variable definition directly in Ambari Web → Kafka → Configs → kafka-env template.

Where to edit:

Open the template for editing:


Append the following at the end of the file:

export KAFKA_OPTS="$KAFKA_OPTS ${KAFKA_KERBEROS_PARAMS:+$KAFKA_KERBEROS_PARAMS }"

Example of the complete content after the change:

#!/bin/bash

# Set KAFKA specific environment variables here.

# The java implementation to use.
export JAVA_HOME={{java64_home}}
export PATH=$PATH:$JAVA_HOME/bin
export PID_DIR={{kafka_pid_dir}}
export LOG_DIR={{kafka_log_dir}}
{% if kerberos_security_enabled or kafka_other_sasl_enabled %}
export KAFKA_KERBEROS_PARAMS="-Djavax.security.auth.useSubjectCredsOnly=false {{kafka_kerberos_params}}"
{% else %}
export KAFKA_KERBEROS_PARAMS={{kafka_kerberos_params}}
{% endif %}
# Add kafka sink to classpath and related dependencies
if [ -e "/usr/lib/ambari-metrics-kafka-sink/ambari-metrics-kafka-sink.jar" ]; then
  export CLASSPATH=$CLASSPATH:/usr/lib/ambari-metrics-kafka-sink/ambari-metrics-kafka-sink.jar
  export CLASSPATH=$CLASSPATH:/usr/lib/ambari-metrics-kafka-sink/lib/*
fi
{% if stack_supports_kafka_env_include_ranger_script %}
if [ -f /etc/kafka/conf/kafka-ranger-env.sh ]; then
. /etc/kafka/conf/kafka-ranger-env.sh
fi
{% else %}
      export CLASSPATH=$CLASSPATH:{{conf_dir}}
{% endif %}
export KAFKA_OPTS="$KAFKA_OPTS ${KAFKA_KERBEROS_PARAMS:+$KAFKA_KERBEROS_PARAMS }"
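
One way to confirm the change took effect before restarting the broker, as an added example that is not part of the original article: it sources a rendered kafka-env.sh and checks that KAFKA_OPTS carries -Djava.security.auth.login.config, that the file is readable, and that it has the Client section named in the error. The function names, temporary paths and sample JAAS content are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: check that a rendered kafka-env.sh hands the JAAS file to the JVM.

# Print the JAAS path that ends up in KAFKA_OPTS after sourcing env file $1.
jaas_path_from_env() {
  (
    unset KAFKA_OPTS KAFKA_KERBEROS_PARAMS
    . "$1" >/dev/null 2>&1
    for opt in $KAFKA_OPTS; do            # word-split the options as a command line would
      case "$opt" in
        -Djava.security.auth.login.config=*) printf '%s\n' "${opt#*=}" ;;
      esac
    done | tail -n 1                       # keep the last occurrence
  )
}

# Returns 0 = OK, 1 = option missing from KAFKA_OPTS, 2 = file unreadable,
# 3 = no "Client" section (the login context named in the startup error).
check_kafka_env() {
  local jaas
  jaas=$(jaas_path_from_env "$1") || jaas=""
  [ -n "$jaas" ] || { echo "FAIL: KAFKA_OPTS lacks -Djava.security.auth.login.config"; return 1; }
  [ -r "$jaas" ] || { echo "FAIL: JAAS file $jaas is not readable"; return 2; }
  grep -Eq '^[[:space:]]*Client[[:space:]]*\{' "$jaas" ||
    { echo "FAIL: no Client section in $jaas"; return 3; }
  echo "OK: JVM will load $jaas"
}

# Constructed sample files (hypothetical paths, minimal JAAS content).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/kafka_jaas.conf" <<'EOF'
Client {
  com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true;
};
EOF
# "before": the variable is defined but never reaches KAFKA_OPTS.
cat > "$demo/before.sh" <<EOF
export KAFKA_KERBEROS_PARAMS="-Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.auth.login.config=$demo/kafka_jaas.conf"
EOF
# "after": the same file plus the line this page adds.
cp "$demo/before.sh" "$demo/after.sh"
cat >> "$demo/after.sh" <<'EOF'
export KAFKA_OPTS="$KAFKA_OPTS ${KAFKA_KERBEROS_PARAMS:+$KAFKA_KERBEROS_PARAMS }"
EOF

check_kafka_env "$demo/before.sh" || true
check_kafka_env "$demo/after.sh"
```

On a broker host, point check_kafka_env at the rendered kafka-env.sh instead of the sample files; note that the check sources (executes) that file.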

4. Notes and recommendations

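Version notes

  • Ambari ≤ 2.2.0: the default template does not contain a reference to KAFKA_KERBEROS_PARAMS; it must be added manually.
  • Ambari ≥ 2.2.1: the official template already includes this fix; no manual intervention is needed.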