3
votes

I'm trying to connect to a Bluemix Message Hub instance on http://bluemix.net. This simple script

#!/usr/bin/env python 

from kafka import KafkaProducer 
from kafka.errors import KafkaError 

kafka_brokers_sasl = [
  "kafka01-prod01.messagehub.services.us-south.bluemix.net:9093",
  "kafka02-prod01.messagehub.services.us-south.bluemix.net:9093",
  "kafka03-prod01.messagehub.services.us-south.bluemix.net:9093",
  "kafka04-prod01.messagehub.services.us-south.bluemix.net:9093",
  "kafka05-prod01.messagehub.services.us-south.bluemix.net:9093" ] 
sasl_plain_username = "xxxxxxxxxxxxxxx" 
sasl_plain_password = "xxxxxxxxxxxxxxxxxxxxxxxxx" 
sasl_mechanism = 'SASL_PLAINTEXT' 

producer = KafkaProducer(bootstrap_servers = kafka_brokers_sasl,
                         sasl_plain_username = sasl_plain_username,
                         sasl_plain_password = sasl_plain_password,
                         sasl_mechanism = sasl_mechanism ) 

ends with the exception below:

Traceback (most recent call last): 
  File "./test-mh.py", line 12, in <module> 
    producer = KafkaProducer(bootstrap_servers = kafka_brokers_sasl, sasl_plain_username = sasl_plain_username, sasl_plain_password = sasl_plain_password, sasl_mechanism = sasl_mechanism ) 
  File "/usr/local/lib/python2.7/dist-packages/kafka/producer/kafka.py", line 328, in __init__ 
    **self.config) 
  File "/usr/local/lib/python2.7/dist-packages/kafka/client_async.py", line 202, in __init__ 
    self.config['api_version'] = self.check_version(timeout=check_timeout) 
  File "/usr/local/lib/python2.7/dist-packages/kafka/client_async.py", line 791, in check_version 
    raise Errors.NoBrokersAvailable() 
kafka.errors.NoBrokersAvailable: NoBrokersAvailable

I've got kafka_brokers_sasl, sasl_plain_username, and sasl_plain_password from the messagehub service credentials object. I'm using kafka-python 1.3.1, which seems to support the SASL authentication mechanism. Any idea what I am doing wrong? Thanks.

1 Answers

5
votes

Message Hub requires that clients connect using a TLS 1.2 connection. This means specifying a security_protocol parameter to KafkaProducer and also an ssl.SSLContext via the ssl_context parameter - as it appears that the Python Kafka client creates an SSLv23 context by default.

Here are the changes required to connect:

import ssl
from kafka import KafkaProducer 
from kafka.errors import KafkaError 

kafka_brokers_sasl = [
    "kafka01-prod01.messagehub.services.us-south.bluemix.net:9093",
    "kafka02-prod01.messagehub.services.us-south.bluemix.net:9093",
    "kafka03-prod01.messagehub.services.us-south.bluemix.net:9093",
    "kafka04-prod01.messagehub.services.us-south.bluemix.net:9093",
    "kafka05-prod01.messagehub.services.us-south.bluemix.net:9093" ] 
sasl_plain_username = "xxxxxxxxxxxxxxx" 
sasl_plain_password = "xxxxxxxxxxxxxxxxxxxxxxxxx" 

sasl_mechanism = 'PLAIN'       # <-- changed from 'SASL_PLAINTEXT'
security_protocol = 'SASL_SSL'

# Create a new context using system defaults, disable all but TLS1.2
# (OR the flags in; &= would clear every option already set on the context)
context = ssl.create_default_context()
context.options |= ssl.OP_NO_TLSv1
context.options |= ssl.OP_NO_TLSv1_1

producer = KafkaProducer(bootstrap_servers = kafka_brokers_sasl,
                         sasl_plain_username = sasl_plain_username,
                         sasl_plain_password = sasl_plain_password,
                         security_protocol = security_protocol,
                         ssl_context = context,
                         sasl_mechanism = sasl_mechanism)
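
The option arithmetic behind the context setup above, as an added example that is not part of the original post: it compares `&=` with `|=` on the default context's option bits without modifying any context, then sets TLS 1.2 as the floor through `minimum_version`. It assumes Python 3.7 or later; the helper names are illustrative.

```python
import ssl

# The two flags used for the context above; each is one distinct bit.
NO_TLS1 = int(ssl.OP_NO_TLSv1)
NO_TLS1_1 = int(ssl.OP_NO_TLSv1_1)


def default_options():
    """Option bits that ssl.create_default_context() starts with."""
    return int(ssl.create_default_context().options)


def and_assign(options):
    """Result of `options &= FLAG` for both flags (integer arithmetic only)."""
    options &= NO_TLS1      # keeps at most the OP_NO_TLSv1 bit
    options &= NO_TLS1_1    # no bit is shared with the line above, so 0
    return options


def or_assign(options):
    """Result of `options |= FLAG` for both flags: defaults kept, two bits added."""
    options |= NO_TLS1
    options |= NO_TLS1_1
    return options


def tls12_client_context():
    """Client context with TLS 1.2 as the lowest protocol (assumes Python 3.7+)."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and hostname checking on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def summary(ctx):
    """Settings worth checking before handing ctx to a client as ssl_context."""
    return {
        "min_version": ctx.minimum_version.name,
        "verifies_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    base = default_options()
    print("defaults      : %#x" % base)
    print("after two &=  : %#x" % and_assign(base))
    print("after two |=  : %#x" % or_assign(base))
    print(summary(tls12_client_context()))
```
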