Kafka security

Starting with version 0.9, Kafka adds two security mechanisms: authentication and access control (authorization).

Authentication: the two ends of a connection verify each other's identity. This covers client-to-broker connections, broker-to-broker connections and the broker-to-ZooKeeper connection. The mechanisms covered in this post are SSL, SASL/Kerberos (GSSAPI) and SASL/PLAIN; later releases also add SASL/SCRAM and SASL/OAUTHBEARER.

Access control: restricts which authenticated clients may read from or write to which resources (topics, consumer groups, the cluster).

1. Using SASL/PLAIN authentication:

  1) Modify server.properties to enable SASL:

    # configure a SASL listener port
    listeners=SASL_PLAINTEXT://0.0.0.0:9092
    # protocol used for broker-to-broker communication
    security.inter.broker.protocol=SASL_PLAINTEXT
    # SASL mechanisms the broker accepts (the property is sasl.enabled.mechanisms, not sasl.enable.mechanisms)
    sasl.enabled.mechanisms=PLAIN
    # SASL mechanism the brokers use among themselves
    sasl.mechanism.inter.broker.protocol=PLAIN

    Comments go on their own lines: in a Java .properties file a trailing "# ..." after a value is read as part of the value. Note also that SASL_PLAINTEXT carries the PLAIN username and password over the network unencrypted; that is acceptable for a lab, but in production the listener should be SASL_SSL (with ssl.keystore.location and the related ssl.* settings) so the credentials are protected by TLS.

  2) Create the server-side JAAS file and configure PLAIN:

    Create a file named kafka_server_jaas.conf in the config directory with the following contents:

      KafkaServer {
        org.apache.kafka.common.security.plain.PlainLoginModule required
        username="kafka"
        password="kafkapswd"
        user_kafka="kafkapswd"
        user_morton="mortonpswd";
      };

    username and password are the credentials this broker presents when it initiates connections to the other brokers in the cluster;

    Each user that may connect to the broker is declared as user_<name>="<password>" (here kafka and morton). The last option of the login module and the closing brace each end with a semicolon; JAAS rejects the file without them. The passwords sit in this file in cleartext, so restrict its permissions to the account the broker runs as.

  3) Create and configure the client JAAS file:

    Create a file named kafka_client_jaas.conf in the config directory with the following contents:

      KafkaClient {
        org.apache.kafka.common.security.plain.PlainLoginModule required
        username="morton"
        password="mortonpswd";
      };

  4) Point the start scripts at the JAAS files:

    Modify kafka-server-start.sh so that it passes the server-side JAAS file to the JVM:

      if [ "x$KAFKA_OPTS" = "x" ]; then
        # the system property is java.security.auth.login.config (case-sensitive);
        # the path is resolved relative to the script so it does not depend on the current directory
        export KAFKA_OPTS="-Djava.security.auth.login.config=$(dirname "$0")/../config/kafka_server_jaas.conf"
      fi

    Modify kafka-console-producer.sh and kafka-console-consumer.sh in the same way, referencing the client JAAS file:

      if [ "x$KAFKA_OPTS" = "x" ]; then
        export KAFKA_OPTS="-Djava.security.auth.login.config=$(dirname "$0")/../config/kafka_client_jaas.conf"
      fi

  5) Start the broker, then a producer and a consumer:

    kafka-server-start.sh -daemon ../config/server.properties

    kafka-console-producer.sh --broker-list localhost:9092 --topic kafka-action --producer-property security.protocol=SASL_PLAINTEXT --producer-property sasl.mechanism=PLAIN

    kafka-console-consumer.sh --bootstrap-server localhost:9092 --topic kafka-action --consumer-property security.protocol=SASL_PLAINTEXT --consumer-property sasl.mechanism=PLAIN

    The daemon option is -daemon (single dash), and the consumer takes --consumer-property, not --consumer.property. Since Kafka 0.10.2 a client can also supply its credentials through the sasl.jaas.config client property instead of a JAAS file, which avoids editing the scripts.
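The settings in step 1 are easy to get subtly wrong (the misspelt property name, a trailing comment swallowed into a value, PLAIN credentials over an unencrypted listener). The following is an added example, not code from the original post or from Kafka: a small lint that reads a server.properties file in the Java .properties format Kafka uses and reports those weak choices, run over two constructed configurations, the one from step 1 and a hardened counterpart that carries the same PLAIN mechanism over SASL_SSL. The keystore and truststore paths in the hardened sample are placeholders.

```python
# Added example, not from the original post: a lint for the SASL settings in
# server.properties. It reads the Java .properties format Kafka uses and flags
# unencrypted PLAINTEXT/SASL_PLAINTEXT listeners on non-loopback addresses,
# SASL/PLAIN without any TLS-protected listener, an inter-broker mechanism that
# is not enabled, and trailing "# comments" that Kafka reads as part of a value.
import re
from typing import Dict, List, Tuple

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal reader for Java .properties: 'key=value' or 'key:value', blank
    lines and lines starting with '#' or '!' ignored. It deliberately keeps a
    trailing '# ...' inside the value, because the Java reader keeps it too."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def listeners(props: Dict[str, str]) -> List[Tuple[str, str, int]]:
    """Split 'listeners' into (protocol, host, port); an empty host means all interfaces."""
    out = []
    for item in props.get("listeners", "").split(","):
        m = re.match(r"([A-Za-z_]+)://([^:]*):(\d+)$", item.strip())
        if m:
            out.append((m.group(1), m.group(2), int(m.group(3))))
    return out


def lint(props: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    lst = listeners(props)
    if not lst:
        findings.append("listeners: missing or unparsable")
    protocols = {proto for proto, _, _ in lst}

    for proto, host, port in lst:
        if proto in ("PLAINTEXT", "SASL_PLAINTEXT") and host not in LOOPBACK:
            findings.append(f"{proto}://{host}:{port} is unencrypted on a non-loopback address")

    mechs = {m.strip() for m in props.get("sasl.enabled.mechanisms", "").split(",") if m.strip()}
    if "PLAIN" in mechs and not protocols & {"SASL_SSL", "SSL"}:
        findings.append("SASL/PLAIN is enabled but no listener uses TLS: passwords cross the wire in cleartext")

    ibp = props.get("security.inter.broker.protocol", "PLAINTEXT")
    ibm = props.get("sasl.mechanism.inter.broker.protocol", "GSSAPI")  # Kafka's default
    if ibp.startswith("SASL") and ibm not in mechs:
        findings.append(f"inter-broker mechanism {ibm} is not in sasl.enabled.mechanisms {sorted(mechs)}")

    for key, val in props.items():
        if "#" in val:
            findings.append(f"{key}: '{val}' contains '#': Java .properties has no trailing comments")
    return findings


# Constructed sample: the settings from step 1, with one trailing comment left
# on a value line to show the pitfall.
WEAK = """\
listeners=SASL_PLAINTEXT://0.0.0.0:9092
security.inter.broker.protocol=SASL_PLAINTEXT # set the inter-broker protocol
sasl.enabled.mechanisms=PLAIN
sasl.mechanism.inter.broker.protocol=PLAIN
"""

# Constructed hardened counterpart: same PLAIN mechanism, carried over TLS.
# The keystore/truststore paths are placeholders (assumption), not from the post.
HARDENED = """\
listeners=SASL_SSL://0.0.0.0:9093
security.inter.broker.protocol=SASL_SSL
sasl.enabled.mechanisms=PLAIN
sasl.mechanism.inter.broker.protocol=PLAIN
ssl.keystore.location=/etc/kafka/ssl/broker.keystore.jks
ssl.truststore.location=/etc/kafka/ssl/truststore.jks
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint(parse_properties(text)) or "OK")
```

Run against a real file with `lint(parse_properties(open("server.properties").read()))`; the weak sample yields three findings and the hardened one none. The parser is intentionally minimal (no line continuations or escapes), which is enough for the flat key=value files Kafka ships.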

 

2. Access control

  Kafka ships the kafka-acls.sh script, which supports three operations on ACLs: query (--list), add (--add) and remove (--remove);

  To enable ACL-based access control, first set the authorizer implementation class in server.properties:

    authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer

    (The class is SimpleAclAuthorizer, not SimpleAuthorizer; it is the ZooKeeper-backed authorizer of the Kafka releases this post targets. Kafka 2.4 replaced it with kafka.security.authorizer.AclAuthorizer.)

  Once ACL access control is enabled, by default nobody except the super users has any permission;

  Super users are declared in server.properties in the form: super.users=User:user1;User:user2

  To let every principal access any resource that has no ACL at all, set in server.properties: allow.everyone.if.no.acl.found=true. This flips the default from deny to allow for every unprotected resource, so it should stay off in production and be used only while migrating an existing cluster.

  The client scripts must authenticate when they connect to Kafka, so java.security.auth.login.config has to be set for them as well; without it even an authorized user cannot connect. All the client scripts go through kafka-run-class.sh, so the original author added the property there (note that kafka-acls.sh itself writes ACLs straight to ZooKeeper when given --authorizer-properties zookeeper.connect, so the property matters for the producer and consumer scripts rather than for kafka-acls.sh; and because kafka-run-class.sh is shared by every script, the file referenced here must contain the section each tool needs, KafkaServer for the broker and KafkaClient for the clients, or the per-script KAFKA_OPTS from step 4 should be kept instead):

# Launch mode
# the property is java.security.auth.login.config (lowercase "java", "auth")
KAFKA_SASL_OPTS='-Djava.security.auth.login.config=../config/kafka_server_jaas.conf'
if [ "x$DAEMON_MODE" = "xtrue" ]; then
  nohup $JAVA $KAFKA_HEAP_OPTS $KAFKA_JVM_PERFORMANCE_OPTS $KAFKA_GC_LOG_OPTS $KAFKA_JMX_OPTS $KAFKA_SASL_OPTS $KAFKA_LOG4J_OPTS -cp $CLASSPATH $KAFKA_OPTS "$@" > "$CONSOLE_OUTPUT_FILE" 2>&1 < /dev/null &
else
  exec $JAVA $KAFKA_HEAP_OPTS $KAFKA_JVM_PERFORMANCE_OPTS $KAFKA_GC_LOG_OPTS $KAFKA_JMX_OPTS $KAFKA_SASL_OPTS $KAFKA_LOG4J_OPTS -cp $CLASSPATH $KAFKA_OPTS "$@"
fi

  Listing ACLs:

    kafka-acls.sh can list the ACLs currently set on a topic (--topic), a consumer group (--group) or the cluster (--cluster);

    kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --list --cluster

  Authorizing a producer:

    kafka-acls.sh --add --authorizer-properties zookeeper.connect=localhost:2181 --allow-principal User:morton --producer --topic '*'

    --allow-principal names the principal being granted access; "*" (as in User:*) is accepted as a wildcard for all principals, but general regular expressions are not supported;

    --deny-principal names a principal that is explicitly refused the operation; a matching Deny entry always overrides an Allow entry;

    --producer grants the producer role, which is shorthand for the Write and Describe operations on the topic (plus Create, so that the producer can create the topic), which could also be given one by one with --operation;

    --topic names the topic the grant applies to; "*" means all topics and is a literal resource name rather than a regex, so quote it on the shell to stop it being expanded as a glob;

    --allow-host and --deny-host restrict the grant or denial to client IP addresses (not hostnames); "*" means any host;

  Authorizing a consumer:

    kafka-acls.sh --add --authorizer-properties zookeeper.connect=localhost:2181 --allow-principal User:morton --consumer --topic '*' --group acls-group

    --consumer is shorthand for Read and Describe on the topic plus Read on the consumer group; --group names the consumer group the consumer belongs to;

  Removing ACLs:

    --remove deletes the matching ACL entries; it can be scoped to a topic (--topic), the cluster (--cluster) or a consumer group (--group), and to a principal with --allow-principal or --deny-principal;

    --operation narrows the removal to one specific operation;

    --force skips the interactive confirmation prompt;

    kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --remove --topic acls-foo --force

    (The authorizer property is zookeeper.connect with a dot; this command removes every ACL on topic acls-foo.)
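The grants above are easier to reason about once the authorizer's decision order is explicit. The following is an added example, not Kafka's code and not part of the original post: a compact model of the rules the ZooKeeper-backed SimpleAclAuthorizer applies (super.users always pass; a resource with no ACL at all is decided by allow.everyone.if.no.acl.found; otherwise a matching Deny beats any Allow; an Allow on Read, Write, Delete or Alter also satisfies Describe; "*" is a wildcard, not a regex), applied to the two grants given to User:morton plus a constructed Deny entry, a constructed User:bob with a single Read grant, and constructed client addresses.

```python
# Added example, not Kafka's code: a model of the SimpleAclAuthorizer decision
# rules so the effect of the kafka-acls.sh commands above can be checked offline.
# Principals other than User:morton, the hosts and the Deny entry are constructed.
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Acl:
    principal: str      # "User:morton" or "User:*"
    host: str           # client IP address or "*"
    operation: str      # Read, Write, Describe, Create, Alter, ... or All
    permission: str     # "Allow" or "Deny"
    resource_type: str  # "Topic", "Group" or "Cluster"
    resource_name: str  # topic/group name, "kafka-cluster", or "*"


# an Allow on any of these also answers a Describe request on the same resource
DESCRIBE_IMPLIED_BY = {"Read", "Write", "Delete", "Alter"}


def producer_acls(principal: str, topic: str, host: str = "*") -> List[Acl]:
    """What `--allow-principal P --producer --topic T` expands to: Write and
    Describe on the topic plus Create so the topic can be auto-created
    (Create lands on the topic in Kafka 2.0+, on the cluster in older releases)."""
    return [Acl(principal, host, op, "Allow", "Topic", topic)
            for op in ("Write", "Describe", "Create")]


def consumer_acls(principal: str, topic: str, group: str, host: str = "*") -> List[Acl]:
    """What `--consumer --topic T --group G` expands to: Read and Describe on
    the topic, Read on the consumer group."""
    return [Acl(principal, host, "Read", "Allow", "Topic", topic),
            Acl(principal, host, "Describe", "Allow", "Topic", topic),
            Acl(principal, host, "Read", "Allow", "Group", group)]


class Authorizer:
    def __init__(self, acls: Iterable[Acl], super_users: Iterable[str] = (),
                 allow_everyone_if_no_acl_found: bool = False) -> None:
        self.acls = list(acls)
        self.super_users = set(super_users)          # server.properties super.users
        self.allow_everyone = allow_everyone_if_no_acl_found

    @staticmethod
    def _matches(acl: Acl, principal: str, host: str, op: str, permission: str) -> bool:
        return (acl.permission == permission
                and acl.principal in ("User:*", principal)
                and acl.host in ("*", host)
                and acl.operation in ("All", op))

    def authorize(self, principal: str, host: str, operation: str,
                  resource_type: str, resource_name: str) -> bool:
        if principal in self.super_users:
            return True
        # ACLs on the named resource plus the "*" wildcard resource of the same type
        relevant = [a for a in self.acls
                    if a.resource_type == resource_type and a.resource_name in ("*", resource_name)]
        if not relevant:
            return self.allow_everyone            # allow.everyone.if.no.acl.found
        if any(self._matches(a, principal, host, operation, "Deny") for a in relevant):
            return False                          # Deny always wins over Allow
        ops = {operation} | (DESCRIBE_IMPLIED_BY if operation == "Describe" else set())
        return any(self._matches(a, principal, host, op, "Allow")
                   for a in relevant for op in ops)


def demo() -> Dict[str, bool]:
    """The two grants from the post for User:morton, plus constructed extras."""
    acls = producer_acls("User:morton", "*") + consumer_acls("User:morton", "*", "acls-group")
    # constructed: --deny-principal User:morton --deny-host 10.0.0.99 --operation Write --topic '*'
    acls.append(Acl("User:morton", "10.0.0.99", "Write", "Deny", "Topic", "*"))
    # constructed: bob gets only --operation Read on one topic
    acls.append(Acl("User:bob", "*", "Read", "Allow", "Topic", "kafka-action"))
    locked = Authorizer(acls, super_users={"User:admin"})
    permissive = Authorizer(acls, super_users={"User:admin"}, allow_everyone_if_no_acl_found=True)
    return {
        "morton_write": locked.authorize("User:morton", "192.0.2.10", "Write", "Topic", "kafka-action"),
        "morton_write_from_denied_host": locked.authorize("User:morton", "10.0.0.99", "Write", "Topic", "kafka-action"),
        "morton_read_group": locked.authorize("User:morton", "192.0.2.10", "Read", "Group", "acls-group"),
        "bob_describe_implied_by_read": locked.authorize("User:bob", "192.0.2.10", "Describe", "Topic", "kafka-action"),
        "bob_write": locked.authorize("User:bob", "192.0.2.10", "Write", "Topic", "kafka-action"),
        "admin_alter_cluster": locked.authorize("User:admin", "192.0.2.10", "Alter", "Cluster", "kafka-cluster"),
        "alice_unlisted_group_locked": locked.authorize("User:alice", "192.0.2.10", "Read", "Group", "other-group"),
        "alice_unlisted_group_permissive": permissive.authorize("User:alice", "192.0.2.10", "Read", "Group", "other-group"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:34} {'ALLOW' if allowed else 'DENY'}")
```

The last two cases are the point of the allow.everyone.if.no.acl.found warning above: the same ACL set leaves alice locked out of an unprotected group with the default setting and lets her straight in once it is set to true.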


Origin www.cnblogs.com/super-jing/p/11103909.html