使用SASL/PLAIN认证
server端
1.配置broker
kafka_server_jaas.conf
内容
KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret"
user_admin="admin-secret"
user_alice="alice-secret";
};
usernamepassword是broker初始化链接其他broker的使用的;上例admin是内部broker通信使用;
user_[user]=[password]是用户链接到broker合法验证使用的
2.添加JAAS配置到JVM的配置中,文件为kafka-server-start.sh
export KAFKA_OPTS="-Djava.security.auth.login.config=/home/app/projects/kafka/config/common/kafka_server_jaas.conf"
分割下解释
-Djava.security.auth.login.config=/etc/kafka/kafka_server_jaas.conf
该参数为添加为用户认证的server端
3.添加SASL端口和SASL认证方式添加到 server.properties
listeners=SASL_PLAINTEXT://host.name:port
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
认证权限配置
server.propert文件
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
allow.everyone.if.no.acl.found=true //对所有用户topic可见
super.users=User:Bob;User:Alice
client端
在kafka-console-producer.sh中添加
export KAFKA_OPTS="-Djava.security.auth.login.config=/home/app/projects/kafka/config/kafka_client_jaas.conf"
kafka_client_jaas.conf文件添加如下内容
KafkaClient {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="alice"
password="alice-secret";
};
添加配置在producer.properties或consumer.properties
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
授权
~/projects/kafka/bin/kafk-acls.sh --authorizer-properties zookeeper.connect=localhost:2181/tkafka --add --allow-principal User:alice --operation Read --operation Write --topic T_acl-1
生产者
./projects/kafka/bin/kafka-console-producer.sh --broker-list 127.0.0.1:9092 --topic t-cal --producer.config ~/projects/kafka/config/producer.properties
消费者