Authentication error with external users

kafka
connector

#1

I’m testing the last kafka-couchbase connector (3.2.3) with Couchbase 5.0.1. Using an internal user all works as expected and I can copy all the data from a bucket to a new topic. However, if I try to use the credentials of an external user kafka connect get the below error:

[2018-03-13 13:39:26,508] INFO Connect attempt to <sd>lab/xx.xxx.xx.xxx:11210</sd> failed. (com.couchbase.client.dcp.conductor.DcpChannel:125)
com.couchbase.client.core.endpoint.kv.AuthenticationException: SASL Authentication Failure
        at com.couchbase.client.dcp.transport.netty.AuthHandler.checkIsAuthed(AuthHandler.java:190)
        at com.couchbase.client.dcp.transport.netty.AuthHandler.channelRead0(AuthHandler.java:121)
        at com.couchbase.client.dcp.transport.netty.AuthHandler.channelRead0(AuthHandler.java:51)
        at com.couchbase.client.deps.io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105)
        at com.couchbase.client.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:356)
        at com.couchbase.client.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:342)
        at com.couchbase.client.deps.io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:335)
        at com.couchbase.client.deps.io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:312)
        at com.couchbase.client.deps.io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:286)
        at com.couchbase.client.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:356)
        at com.couchbase.client.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:342)
        at com.couchbase.client.deps.io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:335)
        at com.couchbase.client.deps.io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1302)
        at com.couchbase.client.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:356)
        at com.couchbase.client.deps.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:342)
        at com.couchbase.client.deps.io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
        at com.couchbase.client.deps.io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:135)
        at com.couchbase.client.deps.io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:646)
        at com.couchbase.client.deps.io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:581)
        at com.couchbase.client.deps.io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498)
        at com.couchbase.client.deps.io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:460)
        at com.couchbase.client.deps.io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:131)
        at com.couchbase.client.deps.io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.lang.Thread.run(Thread.java:748)

#2

Hi Javier,

Can you try setting this environment variable before starting the connect worker?

export KAFKA_OPTS="-Dcom.couchbase.scramEnabled=false"

This should force the client to authenticate using PLAIN which is the only supported mechanism for external users.

Thanks,
David


#3

Thanks David, I will try it today. There is any issue registered on KAFKAC project or any documentation about this? I’m trying to find something official from Couchbase websites and for the moment with no results.


#4

Adding the property in all the Kafka Connect servers the connector works with an external user credentials :slight_smile:. Thank you David!


#5

That’s great news! I’ve filed KAFKAC-95 for adding this to the documentation.


#6

Hi @david.nault,

I had the same error using Java SDK directly and I resolved it using the same solution provided by you :slight_smile: