1 arranged end kafka server (per Broker)
root@CN-GRI-IDDC-AIRCONDITING:/opt/kafka/kafka1/kafka_2.12-0.10.2.1/config#
vi server.properties
listeners=SASL_PLAINTEXT://172.17.102.126:9092
port=9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
authorizer.class.name = kafka.security.auth.SimpleAclAuthorizer
#allow.everyone.if.no.acl.found=false
super.users=User:admin;User:RjkZfqsGCruWzUuMFY
root@CN-GRI-IDDC-AIRCONDITING:/opt/kafka/kafka1/kafka_2.12-0.10.2.1/config#
vi kafka_server_jaas.conf
KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin"
user_admin="admin"
user_RjkZfqsGCruWzUuMFY="8wxOcQo9GM0rwuz3w9";
};
JAAS file as jvm parameters of each broker, and add the following configuration in kafka-server-start.sh script:
root@CN-GRI-IDDC-AIRCONDITING:/opt/kafka/kafka1/kafka_2.12-0.10.2.1/bin#
vi kafka-server-start.sh
if [ "x$KAFKA_OPTS" ]; then
export KAFKA_OPTS="-Djava.security.auth.login.config=/opt/kafka/kafka1/kafka_2.12-0.10.2.1/config/kafka_server_jaas.conf"
fi
vi kafka-run-class.sh (增加红色的部分)
$\color{#FF0000}{
KAFKA_SASL_OPTS='-Djava.security.auth.login.config=/opt/kafka/kafka1/kafka_2.12-0.10.2.1/config/kafka_server_jaas.conf'}
# Launch mode
if [ "x$DAEMON_MODE" = "xtrue" ]; then
nohup $JAVA $KAFKA_HEAP_OPTS $KAFKA_JVM_PERFORMANCE_OPTS $KAFKA_GC_LOG_OPTS $KAFKA_SASL_OPTS $KAFKA_JMX_OPTS $KAFKA_LOG4J_OPTS -cp $CLASSPATH $KAFKA_OPTS "$@" > "$CONSOLE_OUTPUT_FILE" 2>&1 < /dev/null &
else
exec $JAVA $KAFKA_HEAP_OPTS $KAFKA_JVM_PERFORMANCE_OPTS $KAFKA_GC_LOG_OPTS $KAFKA_SASL_OPTS $KAFKA_JMX_OPTS $KAFKA_LOG4J_OPTS -cp $CLASSPATH $KAFKA_OPTS "$@"
fi
Each broker to do the same operation, the same as other IP Port in addition to different file paths.
Under 2 configuration mechanism kafka kafka client end PLAIN producer / consumer how production / consumption
root@CN-GRI-IDDC-AIRCONDITING:/opt/kafka/kafka2/kafka_2.12-0.10.2.1/config#
vi kafka_client_jaas.conf
KafkaClient {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="RjkZfqsGCruWzUuMFY"
password="8wxOcQo9GM0rwuz3w9";
};
vi consumer.properties
vi producer.properties
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
root@CN-GRI-IDDC-AIRCONDITING:/opt/kafka/kafka2/kafka_2.12-0.10.2.1/bin#
vi kafka-console-consumer.sh
vi kafka-console-producer.sh
if [ "x$KAFKA_OPTS" ]; then
export KAFKA_OPTS=" -Djava.security.auth.login.config=/opt/kafka/kafka2/kafka_2.12-0.10.2.1/config/kafka_client_jaas.conf"
fi
Permissions set
permissions for the user to read and write on RjkZfqsGCruWzUuMFY added sean-security (topic)
sh kafka-acls.sh --authorizer-properties zookeeper.connect=172.17.102.126:2181 --add --allow-principal User:RjkZfqsGCruWzUuMFY --operation Read --operation Write --topic sean-security
Common Operation 3
3.1 add operation
alice add for users to read and write on the test (topic) authority
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=data-rt-dev02:2181/kafka_test10 --add --allow-principal User:alice --operation Read --operation Write --topic test
For topic message queue for the test, to reject from ip 198.51.100.3 accounts for the read operation BadBob, other users are allowed
bin / kafka-acls.sh --authorizer-properties zookeeper.connect = data-rt-dev02: 2181 / kafka_test10 --add --allow-principal User: * --allow-host * --deny-principal User: BadBob --deny-host 198.51.100.3 --operation Read --topic test
add all of bob and alice, to It allows to ip from 198.51.100.1 198.51.100.0 or write request
bin / kafka-acls.sh --authorizer-properties zookeeper.connect = data-rt-dev02: 2181 / kafka_test10 --add --allow-principal User: bob --allow-principal User: alice --allow -host 198.51.100.0 --allow-host 198.51.100.1 --operation Read --operation Write --topic test
3.2 list operations
Topic lists all the permissions for the test account
bin / kafka-acls.sh --authorizer-properties zookeeper.connect = data-rt-dev02: 2181 / kafka_test10 --list --topic test
3.3 remove operation
移除 acl
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=data-rt-dev02:2181/kafka_test10 --remove --allow-principal User:Bob --allow-principal User:Alice --allow-host 198.51.100.0 --allow-host 198.51.100.1 --operation Read --operation Write --topic test
3.4 producer and consumer operations
producer
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=data-rt-dev02:2181/kafka_test10 --add --allow-principal User:alice --producer --topic test
consumer
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=data-rt-dev02:2181/kafka_test10 --add --allow-principal User:alice --consumer --topic test —group test-group