Kafka: configuring authentication and authorization


    This example does not use Kerberos for authentication; it authenticates with a username and password (SASL/PLAIN).

    1. Broker (server-side) configuration

    1.0 Add the following settings to server.properties

    # ACL authorizer entry class
    authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
    # this example uses SASL_PLAINTEXT
    listeners=SASL_PLAINTEXT://hadoop4:9092
    security.inter.broker.protocol=SASL_PLAINTEXT
    sasl.mechanism.inter.broker.protocol=PLAIN
    sasl.enabled.mechanisms=PLAIN
    # make admin a super user for this example
    super.users=User:admin
    
    

    1.1 Create the broker-side jaas.conf file with the following contents:

    [hduser@hadoop4 config]$ cat jaas.conf 
    KafkaServer { 
    org.apache.kafka.common.security.plain.PlainLoginModule required 
    username="admin"
    password="admin"
    user_admin="admin"
    user_reader="reader"
    user_writer="writer";
    };
    

    1.2 Modify the start script kafka-server-start.sh so that its exec line reads:

    exec $base_dir/kafka-run-class.sh $EXTRA_ARGS -Djava.security.auth.login.config=/data1/hadoop/kafka/config/jaas.conf  kafka.Kafka "$@"
    

    Here -Djava.security.auth.login.config=/data1/hadoop/kafka/config/jaas.conf is the newly added part.

    2. Producer configuration

    2.1 Create the producer JAAS file

    [hduser@hadoop4 config]$ cat writer_jaas.conf 
    KafkaClient { 
    org.apache.kafka.common.security.plain.PlainLoginModule required 
    username = "writer"
    password="writer";
    };
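As an added check (not part of the original post), the following Python script parses the broker's KafkaServer entry from section 1.1 and a client's KafkaClient entry, and verifies that the client's username and password would be accepted by PlainLoginModule, which only knows the user_<name>="<password>" entries. The two file contents are constructed copies of the ones shown above.

```python
import re

# Constructed copies of the page's broker jaas.conf (section 1.1) and writer_jaas.conf (section 2.1).
SERVER_JAAS = '''KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin"
user_admin="admin"
user_reader="reader"
user_writer="writer";
};'''
CLIENT_JAAS = '''KafkaClient {
org.apache.kafka.common.security.plain.PlainLoginModule required
username = "writer"
password="writer";
};'''

_SECTION = re.compile(r'(\w+)\s*\{(.*?)\};', re.S)                 # Name { ... };
_ENTRY = re.compile(r'\s*(\S+)\s+(required|requisite|sufficient|optional)\b(.*)', re.S)
_OPTION = re.compile(r'(\w+)\s*=\s*"([^"]*)"')                     # key="value"

def parse_jaas(text):
    """Map each JAAS section name to its login module, control flag and options."""
    sections = {}
    for name, body in _SECTION.findall(text):
        m = _ENTRY.match(body)
        if not m:
            raise ValueError(f"malformed JAAS section {name!r}")
        module, flag, rest = m.groups()
        sections[name] = {"module": module, "flag": flag,
                          "options": dict(_OPTION.findall(rest))}
    return sections

def plain_users(server_text):
    """Credentials PlainLoginModule accepts: every user_<name>="<password>" option in KafkaServer."""
    opts = parse_jaas(server_text)["KafkaServer"]["options"]
    return {k[len("user_"):]: v for k, v in opts.items() if k.startswith("user_")}

def check_client_login(server_text, client_text):
    """Return (ok, reason): would this KafkaClient entry authenticate to this broker?"""
    users = plain_users(server_text)
    opts = parse_jaas(client_text)["KafkaClient"]["options"]
    user, password = opts.get("username"), opts.get("password")
    if user not in users:
        return False, f"user {user!r} has no user_{user} entry on the broker"
    if users[user] != password:
        return False, f"password for {user!r} does not match the broker's user_{user}"
    return True, "ok"
```

The broker's own username/password in KafkaServer is what it presents on inter-broker connections, so that pair must also appear as a user_<name> entry (here user_admin).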
    

    2.2 Configure the producer start script (kafka-console-producer.sh)

    exec $(dirname $0)/kafka-run-class.sh -Djava.security.auth.login.config=/data1/hadoop/kafka/config/writer_jaas.conf  kafka.tools.ConsoleProducer "$@"
    

    2.3 Start the console producer

    kafka-console-producer.sh --bootstrap-server 192.168.43.15:9092  --topic test2  --producer-property security.protocol=SASL_PLAINTEXT  --producer-property sasl.mechanism=PLAIN
    

    Note that two protocol parameters have to be added:

    security.protocol: enables the security protocol, here SASL (SASL_PLAINTEXT).
    sasl.mechanism: the SASL mechanism; if Kerberos were used, the Kerberos mechanism would be configured here instead.
    

    Running the command above still fails, because the writer user has no authorization on topic test2.

    2.4 Authorization
    Before setting concrete ACL rules, a quick look at the Kafka ACL format. According to the official documentation,
    one Kafka ACL has the form "Principal P is [Allowed/Denied] Operation O From Host H On
    Resource R", where:

    Principal: the Kafka user.
    Operation: a concrete operation type, such as WRITE, READ or DESCRIBE. The complete list of
    operations is at http://docs.confluent.io/current/kafka/authorization.html#overview
    Host: the IP address of the client connecting to the Kafka cluster; "*" means all hosts. Note that
    Kafka currently does not support host names here, only IP addresses.
    Resource: a Kafka resource type. There are currently four types: TOPIC, CLUSTER, GROUP
    and TRANSACTIONID.

    kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:writer --operation Write --topic test2
    

    3. Consumer

    3.1 Configure the consumer JAAS file (reader_jaas.conf)

    KafkaClient {
        org.apache.kafka.common.security.plain.PlainLoginModule required    
        username="reader"
        password="reader";
    };
    
    

    3.2 Configure the consumer start script (kafka-console-consumer.sh)

    exec $(dirname $0)/kafka-run-class.sh  -Djava.security.auth.login.config=/data1/hadoop/kafka/config/reader_jaas.conf kafka.tools.ConsoleConsumer "$@"
    

    3.3 Create the consumer configuration file

    [hduser@hadoop4 ~]$ cat consumer.config 
    security.protocol=SASL_PLAINTEXT
    sasl.mechanism=PLAIN
    group.id=test-group
    

    3.4 Consume data

    If consumer.config is not specified, the following warnings appear: the client speaks plain PLAINTEXT to the SASL_PLAINTEXT listener, so the broker keeps disconnecting it.
    [hduser@hadoop4 ~]$ kafka-console-consumer.sh  --bootstrap-server 192.168.43.15:9092  --from-beginning --topic test2
    [2021-05-08 09:44:35,771] WARN [Consumer clientId=consumer-console-consumer-85632-1, groupId=console-consumer-85632] Bootstrap broker 192.168.43.15:9092 (id: -1 rack: null) disconnected (org.apache.kafka.clients.NetworkClient)
    [2021-05-08 09:44:36,187] WARN [Consumer clientId=consumer-console-consumer-85632-1, groupId=console-consumer-85632] Bootstrap broker 192.168.43.15:9092 (id: -1 rack: null) disconnected (org.apache.kafka.clients.NetworkClient)
    [2021-05-08 09:44:36,599] WARN [Consumer clientId=consumer-console-consumer-85632-1, groupId=console-consumer-85632] Bootstrap broker 192.168.43.15:9092 (id: -1 rack: null) disconnected (org.apache.kafka.clients.NetworkClient)
    [2021-05-08 09:44:37,006] WARN [Consumer clientId=consumer-console-consumer-85632-1, groupId=console-consumer-85632] Bootstrap broker 192.168.43.15:9092 (id: -1 rack: null) disconnected (org.apache.kafka.clients.NetworkClient)
    
    Now specify consumer.config:
    [hduser@hadoop4 ~]$ kafka-console-consumer.sh  --bootstrap-server 192.168.43.15:9092  --from-beginning --topic test2 --consumer.config consumer.config 
    [2021-05-08 09:46:10,044] WARN [Consumer clientId=consumer-test-group-1, groupId=test-group] Error while fetching metadata with correlation id 2 : {test2=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
    [2021-05-08 09:46:10,045] ERROR [Consumer clientId=consumer-test-group-1, groupId=test-group] Topic authorization failed for topics [test2] (org.apache.kafka.clients.Metadata)
    [2021-05-08 09:46:10,047] ERROR Error processing message, terminating consumer process:  (kafka.tools.ConsoleConsumer$)
    org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [test2]
    

    As with the producer, the user has no permission to access topic test2.

    3.5 Authorization

    [hduser@hadoop4 ~]$ kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:reader --operation Read --topic test2
    Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name=test2, patternType=LITERAL)`: 
     	(principal=User:reader, host=*, operation=READ, permissionType=ALLOW) 
    
    Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=test2, patternType=LITERAL)`: 
     	(principal=User:writer, host=*, operation=WRITE, permissionType=ALLOW)
    	(principal=User:reader, host=*, operation=READ, permissionType=ALLOW)
    

    3.6 Consume again
    Consuming again still fails, this time because there is no permission on the consumer group test-group:

    [hduser@hadoop4 ~]$ kafka-console-consumer.sh  --bootstrap-server 192.168.43.15:9092  --from-beginning --topic test2 --consumer.config consumer.config 
    [2021-05-08 09:48:07,842] ERROR Error processing message, terminating consumer process:  (kafka.tools.ConsoleConsumer$)
    org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to access group: test-group
    Processed a total of 0 messages
    

    Grant the permission:

    [hduser@hadoop4 ~]$ kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:reader --operation Read --group test-group
    Adding ACLs for resource `ResourcePattern(resourceType=GROUP, name=test-group, patternType=LITERAL)`: 
     	(principal=User:reader, host=*, operation=READ, permissionType=ALLOW) 
    
    Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=test-group, patternType=LITERAL)`: 
     	(principal=User:reader, host=*, operation=READ, permissionType=ALLOW)
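To make the ACL semantics from section 2.4 and the two authorization failures in sections 3.5 and 3.6 concrete, here is an added Python example (not part of the original post) that parses the ACL listings kafka-acls.sh printed above and evaluates requests the way SimpleAclAuthorizer does: super users bypass ACLs, a matching DENY wins, otherwise an ALLOW on the exact operation (or ALL) is required, and READ/WRITE/DELETE/ALTER also imply DESCRIBE. The listing and the client IP are constructed from values on this page.

```python
import re

# Constructed sample: the ACL listings kafka-acls.sh printed in sections 3.5 and 3.6.
ACL_OUTPUT = """
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=test2, patternType=LITERAL)`:
 	(principal=User:writer, host=*, operation=WRITE, permissionType=ALLOW)
	(principal=User:reader, host=*, operation=READ, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=test-group, patternType=LITERAL)`:
 	(principal=User:reader, host=*, operation=READ, permissionType=ALLOW)
"""
SUPER_USERS = {"User:admin"}  # super.users from server.properties (section 1.0)
# Operations whose ALLOW also implies DESCRIBE, as SimpleAclAuthorizer does.
IMPLIES_DESCRIBE = {"READ", "WRITE", "DELETE", "ALTER"}

_RES = re.compile(r"resourceType=(\w+), name=([^,]+), patternType=LITERAL")
_ACL = re.compile(r"principal=([^,]+), host=([^,]+), operation=(\w+), permissionType=(\w+)")

def parse_acls(text):
    """Return (resource_type, name, principal, host, operation, permission) tuples."""
    acls, resource = [], None
    for line in text.splitlines():
        r = _RES.search(line)
        if r:
            resource = r.groups()
            continue
        a = _ACL.search(line)
        if a and resource:
            acls.append(resource + a.groups())
    return acls

def authorize(acls, principal, host, op, res_type, res_name):
    """Super users bypass ACLs; any matching DENY wins; otherwise an ALLOW is
    required (allow.everyone.if.no.acl.found is assumed at its default, false)."""
    if principal in SUPER_USERS:
        return True
    def match(perm, ops):
        return any(rt == res_type and rn == res_name and p in (principal, "User:*")
                   and h in ("*", host) and pt == perm and o in ops
                   for rt, rn, p, h, o, pt in acls)
    if match("DENY", {"ALL", op}):
        return False
    allow_ops = {"ALL", op} | (IMPLIES_DESCRIBE if op == "DESCRIBE" else set())
    return match("ALLOW", allow_ops)

def console_consumer_allowed(acls, principal, host, topic, group):
    """The console consumer in section 3 needs READ on the topic and READ on its group."""
    return (authorize(acls, principal, host, "READ", "TOPIC", topic)
            and authorize(acls, principal, host, "READ", "GROUP", group))
```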
    

    The producer sends:

    [hduser@hadoop4 ~]$ kafka-console-producer.sh --bootstrap-server 192.168.43.15:9092  --topic test2  --producer-property security.protocol=SASL_PLAINTEXT  --producer-property sasl.mechanism=PLAIN
    >hahaha
    >wanm^H^H
    >完美
    >
    

    The consumer receives:

    [hduser@hadoop4 ~]$ kafka-console-consumer.sh  --bootstrap-server 192.168.43.15:9092  --from-beginning --topic test2 --consumer.config consumer.config 
    hahaha
    wanm
    完美
    

    4. Administrator

    Use the admin user to view consumer group information.
    4.1 Configure the admin JAAS file (admin_jaas.conf)

    KafkaClient {
        org.apache.kafka.common.security.plain.PlainLoginModule required 
        username="admin"
        password="admin";
    };
    

    4.2 Configure the script kafka-consumer-groups.sh

    exec $(dirname $0)/kafka-run-class.sh -Djava.security.auth.login.config=/data1/hadoop/kafka/config/admin_jaas.conf kafka.admin.ConsumerGroupCommand "$@"
    

    4.3 Configure the security protocol properties

    [hduser@hadoop4 ~]$ cat admin_sasl.config 
    security.protocol=SASL_PLAINTEXT
    sasl.mechanism=PLAIN
    

    4.4 View group information

    [hduser@hadoop4 ~]$ kafka-consumer-groups.sh --group test-group --describe --command-config admin_sasl.config --bootstrap-server 192.168.43.15:9092
    
    Consumer group 'test-group' has no active members.
    
    GROUP           TOPIC           PARTITION  CURRENT-OFFSET  LOG-END-OFFSET  LAG             CONSUMER-ID     HOST            CLIENT-ID
    test-group      test2           0          3               3               0               -               -               -
    test-group      test            1          1001515         1001516         1               -               -               -
    test-group      test            0          992785          992786          1               -               -               -
    test-group      test            3          1000894         1000894         0               -               -               -
    test-group      test            2          1000772         1000773         1               -               -               -
    test-group      test            4          1004034         1004034         0               -               -               -
    

    In a production environment you would normally still use Kerberos together with Ranger and LDAP.

    Reference: the book Kafka 实战.

    Original article: https://www.cnblogs.com/yjt1993/p/14739130.html