本文详细介绍了如何在Kafka中配置SASL/SCRAM进行身份验证,包括创建SCRAM证书、配置Kafka Brokers、客户端配置以及测试用户权限。通过这个过程,可以确保Kafka集群的安全性和用户访问控制。
使用SASL / SCRAM进行身份验证
请先在不配置任何身份验证的情况下启动Kafka
1. 创建SCRAM Credentials
1.1 创建broker通信用户(或称超级用户) bash Emacs bin/kafka-configs.sh --zookeeper centos1:2181 --alter --add-config 'SCRAM-SHA-256=[password=adminpwd],SCRAM-SHA-512=[password=adminpwd]' --entity-type users --entity-name admin
1.2 创建客户端用户dbcUser bash Emacs bin/kafka-configs.sh --zookeeper centos1:2181 --alter --add-config 'SCRAM-SHA-256=[iterations=8192,password=changeit],SCRAM-SHA-512=[password=changeit]' --entity-type users --entity-name dbcUser
1.3 查看SCRAM证书 bash Emacs bin/kafka-configs.sh --zookeeper centos1:2181 --describe --entity-type users --entity-name dbcUser
删除SCRAM证书 (只是说明功能,这里不执行) bash Emacs bin/kafka-configs.sh --zookeeper centos1:2181 --alter --delete-config 'SCRAM-SHA-512' --entity-type users --entity-name dbcUser
2. 配置Kafka Brokers
2.1 在每个Kafka broker的config目录中添加一个kafka_server_jaas.conf,内容如下 bash Emacs KafkaServer { org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="adminpwd"; };
注意:不要少写了分号
2.2 将JAAS配置文件位置作为JVM参数传递给每个Kafka broker
修改 kafka/bin/kafka-server-start.sh
将exec $base_dir/kafka-run-class.sh $EXTRA_ARGS kafka.Kafka "$@" 注释, 增加下面的内容 bash Emacs #exec $base_dir/kafka-run-class.sh $EXTRA_ARGS kafka.Kafka "$@" exec $base_dir/kafka-run-class.sh $EXTRA_ARGS -Djava.security.auth.login.config=$base_dir/../config/kafka_server_jaas.conf kafka.Kafka "$@"
或者不修改kafka-server-start.sh脚本, 而是将下面的内容添加到~/.bashrc bash Emacs export KAFKA_PLAIN_PARAMS="-Djava.security.auth.login.config=/usr/local/kafka/config/kafka_server_jaas.conf" export KAFKA_OPTS="$KAFKA_PLAIN_PARAMS $KAFKA_OPTS"
2.3 在server.properties中配置SASL端口和SASL机制。 bash Emacs # 认证配置 listeners=SASL_PLAINTEXT://centos1:9092 security.inter.broker.protocol=SASL_PLAINTEXT sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256 sasl.enabled.mechanisms=SCRAM-SHA-256 # ACL配置 allow.everyone.if.no.acl.found=false super.users=User:admin authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
2.4 重启ZK/Kafka
重启ZK / Kafka服务. 所有broker在连接之前都会引用’kafka_server_jaas.conf’. bash Emacs #重启所有zookeeper bin/zookeeper-server-stop.sh bin/zookeeper-server-start.sh -daemon config/zookeeper.properties #重启说有broker bin/kafka-server-stop.sh bin/kafka-server-start.sh -daemon config/server.properties
3. 客户端配置
先使用kafka-console-producer 和 kafka-console-consumer 测试一下
kafka-console-producer
1. 创建 config/client-sasl.properties 文件 bash Emacs security.protocol=SASL_PLAINTEXT sasl.mechanism=SCRAM-SHA-256
2. 创建 config/kafka_client_jaas_admin.conf 文件 bash Emacs KafkaClient { org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="adminpwd"; };
3. 修改kafka-console-producer.sh脚本
这里我们复制一份新文件来改 bash Emacs cp bin/kafka-console-producer.sh bin/kafka-console-producer-admin.sh vi bin/kafka-console-producer-admin.sh #exec $(dirname $0)/kafka-run-class.sh kafka.tools.ConsoleProducer "$@" exec $(dirname $0)/kafka-run-class.sh -Djava.security.auth.login.config=$(dirname $0)/../config/kafka_client_jaas_admin.conf kafka.tools.ConsoleProducer "$@"
4. 创建测试topic(之前以及创建则不用创建) bash Emacs bin/kafka-topics.sh --create --zookeeper localhost:2181 --partitions 1 --replication-factor 1 --topic test
5. 测试生产消息 bash Emacs bin/kafka-console-producer-admin.sh --broker-list centos1:9092 --topic test --producer.config config/client-sasl.properties [wanghy@centos1 kafka]$ bin/kafka-console-producer-admin.sh --broker-list centos1:9092 --topic test --producer.config config/client-sasl.properties >hello, I am admin >
可以看到admin用户无需配置ACL就可以发送消息
6. 测试 dbcUser 用户
创建一个bin/kafka-console-producer-dbc.sh文件 bash Emacs cp bin/kafka-console-producer-admin.sh bin/kafka-console-producer-dbc.sh exec $(dirname $0)/kafka-run-class.sh -Djava.security.auth.login.config=$(dirname $0)/../config/kafka_client_jaas_dbc.conf kafka.tools.ConsoleProducer "$@"
创建kafka_client_jaas_dbc.conf文件 bash Emacs cp config/kafka_client_jaas_admin.conf config/kafka_client_jaas_dbc.conf KafkaClient { org.apache.kafka.common.security.scram.ScramLoginModule required username="dbcUser" password="changeit"; };
生产消息 bash Emacs [wanghy@centos1 kafka]$ bin/kafka-console-producer-dbc.sh --broker-list centos1:9092 --topic stest --producer.config config/client-sasl.properties >hello, I am dbcUser [2019-03-15 09:47:28,483] WARN [Producer clientId=console-producer] Error while fetching metadata with correlation id 1 : {stest=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient) [2019-03-15 09:47:28,486] ERROR Error when sending message to topic stest with key: null, value: 19 bytes with error: (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback) org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [stest] >
报错了,提示没有访问权限
kafka-console-consumer
1. 创建 config/consumer-dbc.properties 文件 bash Emacs security.protocol=SASL_PLAINTEXT sasl.mechanism=SCRAM-SHA-256 group.id=dbc-group
2. 创建 bin/kafka-console-consumer-dbc.sh 文件 bash Emacs cp bin/kafka-console-consumer.sh bin/kafka-console-consumer-dbc.sh vi bin/kafka-console-consumer-dbc.sh
修改内容如下 bash Emacs #exec $(dirname $0)/kafka-run-class.sh kafka.tools.ConsoleConsumer "$@" exec $(dirname $0)/kafka-run-class.sh -Djava.security.auth.login.config=$(dirname $0)/../config/kafka_client_jaas_dbc.conf kafka.tools.ConsoleConsumer "$@"
3. 测试消费者 bash Emacs bin/kafka-console-consumer-dbc.sh --bootstrap-server centos1:9092 --topic test --consumer.config config/consumer-dbc.properties --from-beginning [2019-03-15 10:03:27,794] WARN [Consumer clientId=consumer-1, groupId=dbc-group] Error while fetching metadata with correlation id 2 : {test=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient) [2019-03-15 10:03:27,796] ERROR Error processing message, terminating consumer process: (kafka.tools.ConsoleConsumer$) org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [test] Processed a total of 0 messages
没有权限
1554
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
