Kafka with SASL/PLAIN authentication

1. Configure the Kafka server side (per broker)

root@CN-GRI-IDDC-AIRCONDITING:/opt/kafka/kafka1/kafka_2.12-0.10.2.1/config#
vi server.properties
 
listeners=SASL_PLAINTEXT://172.17.102.126:9092
 
port=9092
 
security.inter.broker.protocol=SASL_PLAINTEXT
 
sasl.mechanism.inter.broker.protocol=PLAIN
 
sasl.enabled.mechanisms=PLAIN
 
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
 
#allow.everyone.if.no.acl.found=false
 
super.users=User:admin;User:RjkZfqsGCruWzUuMFY
root@CN-GRI-IDDC-AIRCONDITING:/opt/kafka/kafka1/kafka_2.12-0.10.2.1/config#
vi kafka_server_jaas.conf
KafkaServer {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="admin"
    password="admin"
    user_admin="admin"
    user_RjkZfqsGCruWzUuMFY="8wxOcQo9GM0rwuz3w9";
};

Pass the JAAS file to each broker as a JVM parameter by adding the following to the kafka-server-start.sh script:

root@CN-GRI-IDDC-AIRCONDITING:/opt/kafka/kafka1/kafka_2.12-0.10.2.1/bin#
vi kafka-server-start.sh
# Point the JVM at the broker JAAS file unless the caller already set KAFKA_OPTS
if [ "x$KAFKA_OPTS" = "x" ]; then
  export KAFKA_OPTS="-Djava.security.auth.login.config=/opt/kafka/kafka1/kafka_2.12-0.10.2.1/config/kafka_server_jaas.conf"
fi
 
vi kafka-run-class.sh (add the KAFKA_SASL_OPTS line below, then pass $KAFKA_SASL_OPTS on both launch commands)
KAFKA_SASL_OPTS='-Djava.security.auth.login.config=/opt/kafka/kafka1/kafka_2.12-0.10.2.1/config/kafka_server_jaas.conf'
# Launch mode
if [ "x$DAEMON_MODE" = "xtrue" ]; then
  nohup $JAVA $KAFKA_HEAP_OPTS $KAFKA_JVM_PERFORMANCE_OPTS $KAFKA_GC_LOG_OPTS $KAFKA_SASL_OPTS $KAFKA_JMX_OPTS $KAFKA_LOG4J_OPTS -cp $CLASSPATH $KAFKA_OPTS "$@" > "$CONSOLE_OUTPUT_FILE" 2>&1 < /dev/null &
else
  exec $JAVA $KAFKA_HEAP_OPTS $KAFKA_JVM_PERFORMANCE_OPTS $KAFKA_GC_LOG_OPTS $KAFKA_SASL_OPTS $KAFKA_JMX_OPTS $KAFKA_LOG4J_OPTS -cp $CLASSPATH $KAFKA_OPTS "$@"
fi

Repeat the same steps on every broker; only the IP address, port and file paths differ.
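The broker settings above have to agree with each other: the broker's own username/password must also appear as a user_<username> entry (otherwise inter-broker SASL login fails), every super user needs a credential, and the authorizer has to be enabled for the ACLs in section 3 to mean anything. The following Python script checks those points offline. It is an added example, not part of the original post and not Kafka's own code; the names parse_properties, parse_jaas_section and check_broker_config are assumptions, and the embedded server.properties and kafka_server_jaas.conf contents are the ones shown above, reproduced as constructed sample strings.

```python
"""Offline consistency check for a SASL/PLAIN broker setup (added example, not Kafka's code).
The sample inputs below are the server.properties and kafka_server_jaas.conf from this section."""
import re
from typing import Dict, List

# Constructed sample: broker settings from this section.
SERVER_PROPERTIES = """
listeners=SASL_PLAINTEXT://172.17.102.126:9092
port=9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
authorizer.class.name = kafka.security.auth.SimpleAclAuthorizer
#allow.everyone.if.no.acl.found=false
super.users=User:admin;User:RjkZfqsGCruWzUuMFY
"""

# Constructed sample: the KafkaServer JAAS section from this section.
SERVER_JAAS = """
KafkaServer {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="admin"
    password="admin"
    user_admin="admin"
    user_RjkZfqsGCruWzUuMFY="8wxOcQo9GM0rwuz3w9";
};
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines; '#' lines are comments and whitespace around '=' is ignored."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def parse_jaas_section(text: str, section: str) -> Dict[str, str]:
    """Collect the name="value" options of one JAAS login section (e.g. KafkaServer)."""
    match = re.search(re.escape(section) + r"\s*\{(.*?)\};", text, re.S)
    if not match:
        raise ValueError(f"no {section} section found")
    return dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', match.group(1)))


def check_broker_config(props: Dict[str, str], jaas: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the settings are consistent."""
    findings: List[str] = []
    # 1. A bare PLAINTEXT listener next to the SASL one would let clients skip authentication.
    for listener in filter(None, props.get("listeners", "").split(",")):
        if listener.strip().split("://", 1)[0] == "PLAINTEXT":
            findings.append(f"unauthenticated listener: {listener.strip()}")
    # 2. Without an authorizer class, ACLs are never evaluated.
    if not props.get("authorizer.class.name"):
        findings.append("authorizer.class.name is not set, so ACLs are not enforced")
    # 3. With this flag true, every resource that has no ACL is open to all authenticated users.
    if props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append("allow.everyone.if.no.acl.found=true: resources without ACLs are open to all")
    # 4. The broker logs in to its peers with username/password, so the same pair
    #    must also appear as user_<username>=<password>, or inter-broker auth fails.
    user = jaas.get("username", "")
    if jaas.get("user_" + user) != jaas.get("password"):
        findings.append(f"inter-broker credential for '{user}' does not match its user_{user} entry")
    # 5. A super user that has no user_ entry cannot log in at all.
    credentials = {k[len("user_"):]: v for k, v in jaas.items() if k.startswith("user_")}
    for principal in filter(None, props.get("super.users", "").split(";")):
        name = principal.strip()
        name = name[len("User:"):] if name.startswith("User:") else name
        if name not in credentials:
            findings.append(f"super user '{name}' has no user_{name} credential in the JAAS file")
    # 6. A password equal to the username is a trivially guessable credential.
    for name, password in credentials.items():
        if password == name:
            findings.append(f"password for '{name}' equals the username")
    return findings


if __name__ == "__main__":
    for finding in check_broker_config(parse_properties(SERVER_PROPERTIES),
                                       parse_jaas_section(SERVER_JAAS, "KafkaServer")):
        print("FINDING:", finding)
```

Run against the configuration above it reports only that the admin password equals the username. Note also that with a SASL_PLAINTEXT listener the PLAIN credentials cross the network unencrypted; Kafka's own documentation recommends using the PLAIN mechanism only over SASL_SSL.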

2. Configure the Kafka client side: producing and consuming with the PLAIN mechanism

root@CN-GRI-IDDC-AIRCONDITING:/opt/kafka/kafka2/kafka_2.12-0.10.2.1/config#
vi kafka_client_jaas.conf
KafkaClient {
       org.apache.kafka.common.security.plain.PlainLoginModule required
       username="RjkZfqsGCruWzUuMFY"
       password="8wxOcQo9GM0rwuz3w9";
};

vi consumer.properties
vi producer.properties

security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN

root@CN-GRI-IDDC-AIRCONDITING:/opt/kafka/kafka2/kafka_2.12-0.10.2.1/bin#
vi kafka-console-consumer.sh
vi kafka-console-producer.sh

# Point the JVM at the client JAAS file unless the caller already set KAFKA_OPTS
if [ "x$KAFKA_OPTS" = "x" ]; then
  export KAFKA_OPTS="-Djava.security.auth.login.config=/opt/kafka/kafka2/kafka_2.12-0.10.2.1/config/kafka_client_jaas.conf"
fi

Set permissions
Grant user RjkZfqsGCruWzUuMFY read and write access to the topic sean-security:

sh kafka-acls.sh --authorizer-properties zookeeper.connect=172.17.102.126:2181 --add --allow-principal User:RjkZfqsGCruWzUuMFY --operation Read --operation Write --topic sean-security

3. Common operations

3.1 add operation

Grant user alice read and write access to the topic test:

bin/kafka-acls.sh --authorizer-properties zookeeper.connect=data-rt-dev02:2181/kafka_test10 --add --allow-principal User:alice --operation Read --operation Write --topic test

Deny user BadBob read access to topic test from IP 198.51.100.3 while allowing every other user:
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=data-rt-dev02:2181/kafka_test10 --add --allow-principal User:* --allow-host * --deny-principal User:BadBob --deny-host 198.51.100.3 --operation Read --topic test
Allow bob and alice to read and write topic test from IP 198.51.100.0 or 198.51.100.1:
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=data-rt-dev02:2181/kafka_test10 --add --allow-principal User:bob --allow-principal User:alice --allow-host 198.51.100.0 --allow-host 198.51.100.1 --operation Read --operation Write --topic test

3.2 list operations

List all ACLs on the topic test:
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=data-rt-dev02:2181/kafka_test10 --list --topic test

3.3 remove operation

Remove an ACL:
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=data-rt-dev02:2181/kafka_test10 --remove --allow-principal User:Bob --allow-principal User:Alice --allow-host 198.51.100.0 --allow-host 198.51.100.1 --operation Read --operation Write --topic test

3.4 producer and consumer operations

producer
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=data-rt-dev02:2181/kafka_test10 --add --allow-principal User:alice --producer --topic test
consumer
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=data-rt-dev02:2181/kafka_test10 --add --allow-principal User:alice --consumer --topic test --group test-group
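The ACL commands in 3.1 and 3.3 are easier to reason about once the authorizer's decision order is visible: a super user is always allowed, then any matching Deny wins, then any matching Allow, and a resource with no ACLs at all falls back to allow.everyone.if.no.acl.found. The Python model below reproduces that order over the ACL set the three --add commands create (kafka-acls.sh stores one ACL per principal x host x operation combination) and then applies the --remove from 3.3. It is an added example, not part of the original post and not Kafka's SimpleAclAuthorizer source; the Acl, acls_from_command, remove_acls, authorize and build_page_acls names are assumptions, and the rule that an Allow on Read/Write/Delete/Alter also implies Describe is left out.

```python
"""Offline model of Kafka's SimpleAclAuthorizer decision, applied to the ACLs that the
kafka-acls.sh commands above create. Added example; not Kafka's own code."""
from dataclasses import dataclass
from itertools import product
from typing import List, Sequence, Set


@dataclass(frozen=True)
class Acl:
    principal: str    # "User:alice" or the wildcard "User:*"
    host: str         # client IP address or "*"
    operation: str    # "Read", "Write", ... or "All"
    permission: str   # "Allow" or "Deny"
    resource: str     # "Topic:test", "Group:test-group", ...


def acls_from_command(principals: Sequence[str], hosts: Sequence[str],
                      operations: Sequence[str], permission: str, resource: str) -> List[Acl]:
    """kafka-acls.sh stores one ACL per (principal, host, operation) combination."""
    return [Acl(p, h, o, permission, resource)
            for p, h, o in product(principals, hosts, operations)]


def remove_acls(acls: List[Acl], to_remove: Sequence[Acl]) -> int:
    """--remove deletes only exact matches; principal names are compared case-sensitively."""
    before = len(acls)
    drop = set(to_remove)
    acls[:] = [a for a in acls if a not in drop]
    return before - len(acls)


def _matches(acl: Acl, principal: str, host: str, operation: str, resource: str) -> bool:
    return (acl.resource == resource
            and acl.principal in (principal, "User:*")
            and acl.host in (host, "*")
            and acl.operation in (operation, "All"))


def authorize(acls: Sequence[Acl], super_users: Set[str], principal: str, host: str,
              operation: str, resource: str, allow_everyone_if_no_acl: bool = False) -> bool:
    """Decision order: super user -> any matching Deny -> any matching Allow -> default."""
    if principal in super_users:
        return True
    matching = [a for a in acls if _matches(a, principal, host, operation, resource)]
    if any(a.permission == "Deny" for a in matching):
        return False                      # Deny always wins over Allow
    if any(a.permission == "Allow" for a in matching):
        return True
    if not any(a.resource == resource for a in acls):
        return allow_everyone_if_no_acl   # the resource has no ACLs at all
    return False


def build_page_acls() -> List[Acl]:
    """The ACL set produced by the three --add commands in 3.1 (constructed from them)."""
    topic = "Topic:test"
    acls: List[Acl] = []
    # 3.1, first command: alice may read and write test from any host
    acls += acls_from_command(["User:alice"], ["*"], ["Read", "Write"], "Allow", topic)
    # 3.1, second command: everyone may read, except BadBob from 198.51.100.3
    acls += acls_from_command(["User:*"], ["*"], ["Read"], "Allow", topic)
    acls += acls_from_command(["User:BadBob"], ["198.51.100.3"], ["Read"], "Deny", topic)
    # 3.1, third command: bob and alice may read and write from two specific hosts
    acls += acls_from_command(["User:bob", "User:alice"], ["198.51.100.0", "198.51.100.1"],
                              ["Read", "Write"], "Allow", topic)
    return acls


SUPER_USERS = {"User:admin"}   # from super.users in server.properties (constructed subset)

if __name__ == "__main__":
    acls = build_page_acls()
    for who, host, op in [("User:BadBob", "198.51.100.3", "Read"),
                          ("User:BadBob", "198.51.100.9", "Read"),
                          ("User:bob", "10.0.0.7", "Write")]:
        print(who, host, op, "->", authorize(acls, SUPER_USERS, who, host, op, "Topic:test"))
```

Two details worth noticing when the model is run: alice can write from any host because the first command in 3.1 already granted her Write with the default host "*", so the host-restricted ACLs from the third command only narrow bob; and the --remove in 3.3 spells the principals User:Bob and User:Alice, which match none of the ACLs added for User:bob and User:alice, so it removes nothing.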


Original article: www.cnblogs.com/eugene0/p/12549068.html