Some points to note when testing by following http://www.cnblogs.com/dongxiao-yang/p/7131626.html:
When setting up the Kafka broker, you need to do the following additional steps:
1. create the configuration file krb5.conf (the IP addresses below are the KDC's)
[libdefaults]
default_realm = LINKTIME.CLOUD
[realms]
LINKTIME.CLOUD = {
kdc = 192.168.206.119:8800
admin_server = 192.168.206.109:7490
}
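2. change PLAINTEXT to SASL_PLAINTEXT in server.properties (SASL_PLAINTEXT authenticates clients with Kerberos but does not encrypt the traffic; use SASL_SSL where the network between clients and brokers is not trusted)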
listeners=SASL_PLAINTEXT://__CONTAINER_IP__:9092
advertised.listeners=SASL_PLAINTEXT://__KAFKA_VIP_HOST__:9092
Using the command-line tools (kafka-console-producer/kafka-console-consumer/...):
1. create the configuration file krb5.conf (the IP addresses below are the KDC's) in /etc
[libdefaults]
default_realm = LINKTIME.CLOUD
[realms]
LINKTIME.CLOUD = {
kdc = 192.168.206.119:8800
admin_server = 192.168.206.109:7490
}
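2. generate the keytab file
("[email protected]" in the commands below is where the web page's e-mail obfuscation replaced the principal name; substitute your own <principal>@<REALM>. 123456 is a sample password: use a strong one, or create the principal with -randkey and export its key with ktadd. The keytab is a credential, so keep it readable only by the account that uses it.)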
kadmin.local -q "addprinc -pw 123456 [email protected]"
ktutil \enter
addent -password -p [email protected] -k 1 -e aes256-cts-hmac-sha1-96 \enter
write_kt kafka-client.keytab
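3. obtain a ticket with kinit, using kafka-client.keytab (the lifetime requested with -l is capped by the KDC's maximum ticket lifetime)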
kinit [email protected] -l "1000d 0h 0m 0s" -k -t /root/kafka-client.keytab
4. create kafka_client_jaas.conf
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true;
};
// If ZooKeeper has Kerberos authentication enabled, the following section needs to be added here
// Zookeeper client authentication
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab="/root/kafka-client.keytab"
principal="[email protected]";
};
5. set the JVM parameters that point to the JAAS configuration and krb5.conf
export KAFKA_OPTS='-Djava.security.auth.login.config=/root/kafka_client_jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf'
6. create client.properties
security.protocol=SASL_PLAINTEXT
sasl.kerberos.service.name=kafka
sasl.mechanism=GSSAPI
7. run the commands with client.properties
bin/kafka-consumer-groups.sh --bootstrap-server kafkahost1:9092 --list --command-config client.properties
bin/kafka-console-producer.sh --broker-list kafkahost1:9092 --topic dxTT --producer.config client.properties
bin/kafka-console-consumer.sh --bootstrap-server kafkahost1:9092 --topic dxTT --consumer.config client.properties
More references:
http://kafka.apache.org/documentation/#security_jaas_broker
https://docs.confluent.io/3.2.1/kafka/sasl.html#authentication-using-sasl-kerberos
http://www.cnblogs.com/xiaodf/p/5968086.html
http://www.cnblogs.com/dongxiao-yang/p/7131626.html