SASL authentication
Kafka server side
config/server.properties configuration:
advertised.listeners was used here at first and produced an error; it was changed to listeners
listeners=SASL_PLAINTEXT://192.168.1.225:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.enabled.mechanisms=PLAIN
sasl.mechanism.inter.broker.protocol=PLAIN
Create /config/kafka_server_jaas.conf to hold the usernames and passwords
KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="kafkaAdmin"
password="admin"
user_kafkaAdmin="admin"
user_producer="prod"
user_consumer="cons";
};
Add the kafka_server_jaas.conf setting to bin/kafka-server-start.sh
# Append the JAAS login config to KAFKA_OPTS so any options already set in the environment are kept
export KAFKA_OPTS="$KAFKA_OPTS -Djava.security.auth.login.config=/usr/local/kafka_2.13-2.5.0/config/kafka_server_jaas.conf"
Start ZooKeeper and Kafka
./zookeeper-server-start.sh -daemon ../config/zookeeper.properties
./kafka-server-start.sh -daemon ../config/server.properties
Kafka client (Spring Boot)
Modify the application.yml configuration as follows
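The exchange that these settings set up, as an added Python example that is not part of the original post: the client (here the Spring Boot application, whose sasl.jaas.config supplies a username and password) builds the SASL PLAIN token, and the broker checks it against the user_<name> entries of the KafkaServer section in kafka_server_jaas.conf. The JAAS text is a copy of the file above embedded so the script runs offline; the parsing and checking functions are this example's own model of the mechanism, not Kafka's code.

```python
import hmac
import re

# Constructed copy of the KafkaServer section from the page's kafka_server_jaas.conf,
# embedded so the example runs offline.
JAAS_CONF = '''
KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="kafkaAdmin"
password="admin"
user_kafkaAdmin="admin"
user_producer="prod"
user_consumer="cons";
};
'''


def load_plain_users(jaas_text):
    """Return {username: password} from the user_<name>="<pw>" options of the
    KafkaServer section; these are the entries the PLAIN login module consults.
    The username="..." / password="..." pair is the broker's own inter-broker identity."""
    section = re.search(r'KafkaServer\s*\{(.*?)\};', jaas_text, re.S)
    if not section:
        raise ValueError("no KafkaServer section in JAAS config")
    return dict(re.findall(r'user_(\w+)="([^"]*)"', section.group(1)))


def build_plain_token(username, password, authzid=""):
    """Client side: a SASL PLAIN message is authzid NUL authcid NUL password (RFC 4616).
    Over SASL_PLAINTEXT this is sent to the broker unencrypted."""
    return f"{authzid}\0{username}\0{password}".encode()


def authenticate_plain(token, users):
    """Server side: split the token and compare it with the JAAS entries.
    Returns the authenticated principal name, or None on failure."""
    parts = token.split(b"\0")
    if len(parts) != 3:
        return None
    try:
        authzid, authcid = parts[0].decode(), parts[1].decode()
    except UnicodeDecodeError:
        return None
    # An authorization id that differs from the username is rejected, as Kafka does.
    if authzid and authzid != authcid:
        return None
    expected = users.get(authcid)
    if expected is None:
        return None
    # Constant-time comparison so a wrong password does not leak timing information.
    if not hmac.compare_digest(expected.encode(), parts[2]):
        return None
    return authcid


if __name__ == "__main__":
    users = load_plain_users(JAAS_CONF)
    for name, pw in [("producer", "prod"), ("consumer", "wrong"), ("nobody", "x")]:
        print(name, "->", authenticate_plain(build_plain_token(name, pw), users))
```

Because the token carries the password in the clear, a SASL_PLAINTEXT listener exposes every client credential to anyone who can capture broker traffic; SASL_SSL runs the same exchange inside TLS, and the JAAS file itself should be readable only by the broker's service account.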
ACL authorization
Enable ACLs in the Kafka server-side server.properties
# Enable ACL access control
auto.create.topics.enable=false
delete.topic.enable=false
# Set the AclAuthorizer class
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
# Set admin as the super user, which has all permissions
super.users=User:kafkaAdmin
# When set to true, the ACL mechanism works as a blacklist: only users on the blacklist are denied access
# Default is false: the ACL mechanism works as a whitelist: only users on the whitelist are allowed access
allow.everyone.if.no.acl.found=false
Since a whitelist is in use, permissions have to be granted to the users
Grant the consumer user Write permission on the test topic
./kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-properties zookeeper.connect=192.168.1.225:2181 --add --allow-principal User:consumer --operation Write --topic test
Grant the producer user Read permission on the test topic (including the consumer group)
./kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-properties zookeeper.connect=192.168.1.225:2181 --add --allow-principal User:producer --operation Read --topic test --group test-consumer-group
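A small authorization check that mirrors these broker settings and the two kafka-acls.sh commands exactly as the page adds them, as an added Python example that is not part of the original post. The evaluation order it models (super.users first, then allow.everyone.if.no.acl.found when a resource has no ACL at all, then a matching Allow entry) is how Kafka's authorizer decides; the Acl class, the PAGE_ACLS list and the can_consume / can_produce helpers are this example's own constructions. The helpers encode the Kafka rule that a consumer needs Read on both the topic and its group while a producer needs Write on the topic, so running them shows which principal each of the page's ACLs actually enables.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Acl:
    """One Allow entry, as created by kafka-acls.sh --add --allow-principal."""
    principal: str      # e.g. "User:consumer"
    operation: str      # "Read", "Write", ...
    resource_type: str  # "Topic" or "Group"
    resource_name: str


# Broker settings taken from the page's server.properties.
SUPER_USERS = {"User:kafkaAdmin"}
ALLOW_EVERYONE_IF_NO_ACL_FOUND = False

# The two kafka-acls.sh invocations on the page, as ACL entries. The second one
# names both --topic test and --group test-consumer-group, so it creates one
# Read entry per resource.
PAGE_ACLS = [
    Acl("User:consumer", "Write", "Topic", "test"),
    Acl("User:producer", "Read", "Topic", "test"),
    Acl("User:producer", "Read", "Group", "test-consumer-group"),
]


def authorize(principal, operation, resource_type, resource_name, acls,
              super_users=SUPER_USERS,
              allow_if_no_acl=ALLOW_EVERYONE_IF_NO_ACL_FOUND):
    """Decide one operation the way the broker's authorizer does (Allow entries only;
    the page defines no Deny entries, so they are not modelled here)."""
    if principal in super_users:
        return True
    on_resource = [a for a in acls
                   if a.resource_type == resource_type and a.resource_name == resource_name]
    if not on_resource:
        # No ACL at all for this resource: the allow.everyone.if.no.acl.found setting decides.
        return allow_if_no_acl
    return any(a.principal == principal and a.operation == operation for a in on_resource)


def can_consume(principal, topic, group, acls):
    """A consumer needs Read on the topic and Read on its consumer group."""
    return (authorize(principal, "Read", "Topic", topic, acls)
            and authorize(principal, "Read", "Group", group, acls))


def can_produce(principal, topic, acls):
    """A producer needs Write on the topic."""
    return authorize(principal, "Write", "Topic", topic, acls)


if __name__ == "__main__":
    for who in ("User:kafkaAdmin", "User:producer", "User:consumer"):
        print(who,
              "consume test:", can_consume(who, "test", "test-consumer-group", PAGE_ACLS),
              "produce test:", can_produce(who, "test", PAGE_ACLS))
```

Running it is a quick way to confirm, before pointing an application at the broker, that each principal holds exactly the operations its role needs and nothing more; with allow.everyone.if.no.acl.found left at false, any topic or group that has no ACL yet is closed to everyone except the super users.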