Kafka3.0 SASL安全认证
下面主要介绍Kafka两种认证方式
kafka验证方式:
SASL/PLAIN:不能动态添加用户配置文件写死账号密码
SASL/SCRAM: 可以动态的添加用户
SASL/PLAIN方式
cd /usr/local/kafka/kafka_2.12-3.0.1/bin/
## 复制一份saslcp kafka-server-start.sh kafka-server-start-sasl.sh
在kafka-server-start-sasl.sh 末尾修改配置
exec $base_dir/kafka-run-class.sh $EXTRA_ARGS -Djava.security.auth.login.config=/usr/local/kafka/kafka_2.12-3.0.1/config/kafka-server-jaas.conf kafka.Kafka "$@"
或者在环境变量vim /etc/profile末尾增加如下配置:
if [ "x$KAFKA_OPTS" ]; thenexport KAFKA_OPTS="-Djava.security.auth.login.config=/usr/local/kafka/kafka_2.12-3.0.1/config/kafka-client-jaas.conf"
fi
config目录下增加kafka_server_jaas.conf文件
touch kafka-server-jaas.confKafkaServer {org.apache.kafka.common.security.plain.PlainLoginModule requiredusername="admin"password="admin"user_admin="admin"user_rex="123456"user_alice="123456"user_lucy="123456";
};
进入config目录将server.properties 复制一份改为server-sasl.properties 并添加如下配置:
listeners=SASL_PLAINTEXT://localhost:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.enabled.mechanisms=PLAIN
sasl.mechanism.inter.broker.protocol=PLAIN
authorizer.class.name=kafka.security.authorizer.AclAuthorizer ## 如果kafka是3.0一下的配置authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer 因为kafka3.0开始已经移除了SimpleAclAuthorizer改用AclAuthorizer 如果还是配置SimpleAclAuthorizer 启动时会报ClassNotFoundException
super.users=User:admin
使用sasl认证启动kafka
./bin/kafka-server-start-sasl.sh -daemon config/server-sasl.properties
SASL/SCRAM方式
创建kafka用户
bin/kafka-configs.sh --zookeeper 127.0.0.1:2181/kafka --alter --add-config 'SCRAM-SHA-256=[password=admin],SCRAM-SHA-512=[password=admin]' --entity-type users --entity-name admin # 系统用户bin/kafka-configs.sh --zookeeper 127.0.0.1:2181/kafka --alter --add-config 'SCRAM-SHA-256=[password=chan_test],SCRAM-SHA-512=[password=chan_test]' --entity-type users --entity-name chan # 测试用户
可以看到在zk上已经创建了对应的用户信息,并且对密码做了加密
在kafka的config目录下创建jaas文件
touch kafka_server_jaas_scram.confvim kafka_server_jaas_scram.confKafkaServer{
org.apache.kafka.common.security.scram.ScramLoginModule required
username="admin"
password="admin";
}
# 同时启用SCRAM和PLAIN机制
sasl.enabled.mechanisms=SCRAM-SHA-256,PLAIN
# 为broker间通讯开启SCRAM机制,采用SCRAM-SHA-512算法
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256
# broker间通讯使用PLAINTEXT
security.inter.broker.protocol=SASL_PLAINTEXT
# 配置listeners使用SASL_PLAINTEXT
listeners=SASL_PLAINTEXT://:9092
# 配置advertised.listeners
advertised.listeners=SASL_PLAINTEXT://127.0.0.1:9092#ACL配置
allow.everyone.if.no.acl.found=false
# 系统用户,多个分号隔开
super.users=User:admin;
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
完整配置
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.# see kafka.server.KafkaConfig for additional details and defaults############################# Server Basics ############################## The id of the broker. This must be set to a unique integer for each broker.
broker.id=0############################# Socket Server Settings ############################## The address the socket server listens on. It will get the value returned from
# java.net.InetAddress.getCanonicalHostName() if not configured.
# FORMAT:
# listeners = listener_name://host_name:port
# EXAMPLE:
# listeners = PLAINTEXT://your.host.name:9092
#listeners=PLAINTEXT://:9092# Hostname and port the broker will advertise to producers and consumers. If not set,
# it uses the value for "listeners" if configured. Otherwise, it will use the value
# returned from java.net.InetAddress.getCanonicalHostName().
#advertised.listeners=PLAINTEXT://your.host.name:9092# Maps listener names to security protocols, the default is for them to be the same. See the config documentation for more details
#listener.security.protocol.map=PLAINTEXT:PLAINTEXT,SSL:SSL,SASL_PLAINTEXT:SASL_PLAINTEXT,SASL_SSL:SASL_SSL# The number of threads that the server uses for receiving requests from the network and sending responses to the network
num.network.threads=3# The number of threads that the server uses for processing requests, which may include disk I/O
num.io.threads=8# The send buffer (SO_SNDBUF) used by the socket server
socket.send.buffer.bytes=102400# The receive buffer (SO_RCVBUF) used by the socket server
socket.receive.buffer.bytes=102400# The maximum size of a request that the socket server will accept (protection against OOM)
socket.request.max.bytes=104857600############################# Log Basics ############################## A comma separated list of directories under which to store log files
log.dirs=/usr/local/kafka/data/kafka-logs# The default number of log partitions per topic. More partitions allow greater
# parallelism for consumption, but this will also result in more files across
# the brokers.
num.partitions=1# The number of threads per data directory to be used for log recovery at startup and flushing at shutdown.
# This value is recommended to be increased for installations with data dirs located in RAID array.
num.recovery.threads.per.data.dir=1############################# Internal Topic Settings #############################
# The replication factor for the group metadata internal topics "__consumer_offsets" and "__transaction_state"
# For anything other than development testing, a value greater than 1 is recommended to ensure availability such as 3.
offsets.topic.replication.factor=1
transaction.state.log.replication.factor=1
transaction.state.log.min.isr=1############################# Log Flush Policy ############################## Messages are immediately written to the filesystem but by default we only fsync() to sync
# the OS cache lazily. The following configurations control the flush of data to disk.
# There are a few important trade-offs here:
# 1. Durability: Unflushed data may be lost if you are not using replication.
# 2. Latency: Very large flush intervals may lead to latency spikes when the flush does occur as there will be a lot of data to flush.
# 3. Throughput: The flush is generally the most expensive operation, and a small flush interval may lead to excessive seeks.
# The settings below allow one to configure the flush policy to flush data after a period of time or
# every N messages (or both). This can be done globally and overridden on a per-topic basis.# The number of messages to accept before forcing a flush of data to disk
#log.flush.interval.messages=10000# The maximum amount of time a message can sit in a log before we force a flush
#log.flush.interval.ms=1000############################# Log Retention Policy ############################## The following configurations control the disposal of log segments. The policy can
# be set to delete segments after a period of time, or after a given size has accumulated.
# A segment will be deleted whenever *either* of these criteria are met. Deletion always happens
# from the end of the log.# The minimum age of a log file to be eligible for deletion due to age
log.retention.hours=168# A size-based retention policy for logs. Segments are pruned from the log unless the remaining
# segments drop below log.retention.bytes. Functions independently of log.retention.hours.
#log.retention.bytes=1073741824# The maximum size of a log segment file. When this size is reached a new log segment will be created.
log.segment.bytes=1073741824# The interval at which log segments are checked to see if they can be deleted according
# to the retention policies
log.retention.check.interval.ms=300000############################# Zookeeper ############################## Zookeeper connection string (see zookeeper docs for details).
# This is a comma separated host:port pairs, each corresponding to a zk
# server. e.g. "127.0.0.1:3000,127.0.0.1:3001,127.0.0.1:3002".
# You can also append an optional chroot string to the urls to specify the
# root directory for all kafka znodes.
zookeeper.connect=127.0.0.1:2181/kafka# Timeout in ms for connecting to zookeeper
zookeeper.connection.timeout.ms=18000############################# Group Coordinator Settings ############################## The following configuration specifies the time, in milliseconds, that the GroupCoordinator will delay the initial consumer rebalance.
# The rebalance will be further delayed by the value of group.initial.rebalance.delay.ms as new members join the group, up to a maximum of max.poll.interval.ms.
# The default value for this is 3 seconds.
# We override this to 0 here as it makes for a better out-of-the-box experience for development and testing.
# However, in production environments the default value of 3 seconds is more suitable as this will help to avoid unnecessary, and potentially expensive, rebalances during application startup.
group.initial.rebalance.delay.ms=0# 同时启用SCRAM和PLAIN机制
sasl.enabled.mechanisms=SCRAM-SHA-256,PLAIN
# 为broker间通讯开启SCRAM机制,采用SCRAM-SHA-512算法
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256
# broker间通讯使用PLAINTEXT
security.inter.broker.protocol=SASL_PLAINTEXT
# 配置listeners使用SASL_PLAINTEXT
listeners=SASL_PLAINTEXT://:9092
# 配置advertised.listeners
advertised.listeners=SASL_PLAINTEXT://127.0.0.1:9092#ACL配置
allow.everyone.if.no.acl.found=false
# 系统用户,多个分号隔开
super.users=User:admin;
# 如果kafka小于3.x版本的 这边配置需要改成kafka.security.auth.SimpleAclAuthorizer
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
拷贝一份启动脚本重命名为:kafka-server-start-scram.sh 修改kafka启动脚本 注释最后一行并添加如下配置
#exec $base_dir/kafka-run-class.sh $EXTRA_ARGS kafka.Kafka "$@"
exec $base_dir/kafka-run-class.sh $EXTRA_ARGS -Djava.security.auth.login.config=/usr/local/kafka/kafka_2.12-3.0.1/config/kafka_server_jaas_scram.conf kafka.Kafka "$@"
启动kafka
./kafka-server-start-scram.sh -daemon ../config/server-scram.properties
注意:kafka连接的zk地址需要跟创建用户的zk节点一样,否则启动kafka会报认证失败<!--failed authentication due to: Authentication failed during authentication due to invalid credentials with SASL mechanism SCRAM-SHA-256-->
比如:server.properties 配置连接的zk是zookeeper.connect=127.0.0.1:2181/kafka ,这时创建用户的zk地址要bin/kafka-configs.sh --zookeeper 127.0.0.1:2181/kafka才可以 如果zk没有kafka节点 需要自己到zk上新建一个。
启动生产者和消费者
由于broker使用安全认证的方式启动,所以开启生产者和消费者也需要经过客户端认证。
在config目录下新建 producer.conf并添加以下配置
security.protocol=SASL_PLAINTEXT
sasl.mechanism=SCRAM-SHA-256
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="admin";
使用配置启动生产者
[root@hub kafka_2.12-3.0.1]# bin/kafka-console-producer.sh --bootstrap-server 127.0.0.1:9092 --topic test --producer.config config/producer.conf
>1
>2
>3
>
使用chan用户开启生产者
在config目录新建producer-chan.conf并添加以下配置
security.protocol=SASL_PLAINTEXT
sasl.mechanism=SCRAM-SHA-256
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="chan" password="chan_test";
使用chan开启生产者,可以看到test这个topic是没有对chan这个用户做认证的,所以chan对这个用户没办法进行生产消息,这时候就需要进行授权。
[root@hub kafka_2.12-3.0.1]# bin/kafka-console-producer.sh --bootstrap-server 192.168.67.142:9092 --topic test --producer.config config/producer-chan.conf
>1
[2022-04-13 20:32:43,651] WARN [Producer clientId=console-producer] Error while fetching metadata with correlation id 4 : {test=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
[2022-04-13 20:32:43,654] ERROR [Producer clientId=console-producer] Topic authorization failed for topics [test] (org.apache.kafka.clients.Metadata)
[2022-04-13 20:32:43,657] ERROR Error when sending message to topic test with key: null, value: 1 bytes with error: (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback)
org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [test]
开启消费者
[root@hub config]# cat consumer.conf
security.protocol=SASL_PLAINTEXT
sasl.mechanism=SCRAM-SHA-256
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="admin";
bin/kafka-console-consumer.sh --bootstrap-server 192.168.67.142:9092 --topic test --group 'test_group' --from-beginning --consumer.config config/consumer.conf
ACL授权
给chan这个用户授权,对test这个topic可以进行写操作
[root@hub kafka_2.12-3.0.1]# bin/kafka-acls.sh --authorizer-properties zookeeper.connect=127.0.0.1:2181/kafka --add --allow-principal User:chan --operation Write --topic 'test'
Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name=test, patternType=LITERAL)`: (principal=User:chan, host=*, operation=WRITE, permissionType=ALLOW) Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=test, patternType=LITERAL)`: (principal=User:chan, host=*, operation=WRITE, permissionType=ALLOW) [root@hub kafka_2.12-3.0.1]# bin/kafka-console-producer.sh --bootstrap-server 192.168.67.142:9092 --topic test --producer.config config/producer-chan.conf
>1
>2
>3
>
可以看到chan这个用户就可以往这个topic写数据了。
Kafka3.0 SASL安全认证相关推荐
- go kafka 配置SASL认证及实现SASL PLAIN认证功能
用户认证功能,是一个成熟组件不可或缺的功能.在0.9版本以前kafka是没有用户认证模块的(或者说只有SSL),好在kafka0.9版本以后逐渐发布了多种用户认证功能,弥补了这一缺陷(这里仅介绍SAS ...
- ACL+SASL的认证配置后的Kafka命令操作(Windows版)
ACL+SASL的认证配置后的Kafka命令操作 Windows环境 背景 版本 操作 配置文件准备 Zookeeper配置文件 Clients配置文件 Kafka Server配置文件 JAAS配置 ...
- Kafka 开启 SASL/PLAINTEXT 认证及 ACL
Linux 安装 Kafka 并开启 SASL/PLAINTEXT 认证 前言 一.环境准备 1.组件版本 2.下载文件 3.上传文件 二.安装 Zookeeper(单节点) 三.安装 Kafka(单 ...
- kafka SASL认证介绍及自定义SASL PLAIN认证功能
文章目录 kafka 2.x用户认证方式小结 SASL/PLAIN实例(配置及客户端) broker配置 客户端配置 自定义SASL/PLAIN认证(二次开发) kafka2新的callback接口介 ...
- Kafka系列(五)、开启SASL安全认证以及配置ACL权限控制
目录 开启SASL 控制台配置用户 ACL授权 Python客户端访问 ACL常用命令 Kafka系列: kafka 2.4.1单机版部署及使用 kafka监控系统kafka eagle安装使用 滴滴 ...
- 谈谈基于OAuth 2.0的第三方认证 [上篇]
对于目前大部分Web应用来说,用户认证基本上都由应用自身来完成.具体来说,Web应用利用自身存储的用户凭证(基本上是用户名/密码)与用户提供的凭证进行比较进而确认其真实身份.但是这种由Web应用全权负 ...
- 再见了kafka2.0时代,去掉了zk的kafka3.0才是时代新王!
项目初期,对于消息队列,你会选择Kafka.ActiveMQ还是RabbitMQ? 对于这个问题,反向来看,估计很少有人会选择Kafka. 而kafka3.0的诞生彻底扭转了战局! 虽然凭借着高吞吐. ...
- php restful 认证,Yii2.0 RESTful API 认证教程
认证介绍 和Web应用不同,RESTful APIs 通常是无状态的, 也就意味着不应使用 sessions 或 cookies, 因此每个请求应附带某种授权凭证,因为用户授权状态可能没通过 sess ...
- SASL - 简单认证和安全层
SASL - 简单认证和安全层 SASL是一种用来扩充C/S模式验证能力的机制认证机制, 全称Simple Authentication and Security Layer. 当你设定sasl时, ...
最新文章
- Android实用应用程序源码
- b树与b+树的区别_一文详解 B-树,B+树,B*树
- 89C51单片机定时器控制的流水灯
- ROJECT SERVER如何与OUTLOOK集成使用
- 3-2:类与对象上篇——类的对象模型和计算类的大小以及this指针问题
- Nacos长连接诉求分析
- Java 联系Oracle 数据库
- 详解智能建筑消防预警系统设计与实现
- AJPFX关于JDK,JRE,JVM的区别与联系
- ubuntu 12.04 安装Docker 实战
- c语言程序设计 ncre,全国计算机二级C语言程序设计题((100%全中必过).doc
- linux嵌入式ARM系统开发实战教程从入门到精通
- 试图速成的RPG Maker MV 学习笔记(二)
- 苹果iphone APP界面设计尺寸
- Entity Framework介绍
- ADPRL - 近似动态规划和强化学习 - Note 1 - Introduction
- 浙江大学 工程伦理 第二章单元测试答案
- 【iOS沉思录】如何招聘一个靠谱的 iOS程序员+面试题详解
- 袁萌:Linux机器人来我家
- 镜头畸变矫正、鱼眼镜头(算法)