Kafka SCRAM and combat PLAIN

Others 2019-08-24 17:49:20 views: null

1 Overview

Currently Kafka ACL support for multiple certification authority, today I tell you about the SCRAM PLAIN and certification authority. Verification environment as follows:

  • JDK:1.8
  • Kafka:2.3.0
  • Kafka Eagle:1.3.8

2. Content

2.1 PLAIN certification

First, $ KAFAK_HOME / config directory create a text file named kafka_server_plain_jaas.conf, configured as follows:

KafkaServer {
   org.apache.kafka.common.security.plain.PlainLoginModule required
   username="admin"
   password="admin-secret"
   user_admin="admin-secret"
   user_ke="ke";
};

Next, the script file kafka-server-start.sh rename kafka-server-plain-start.sh, and modify the contents of the last line is:

# Add authentication file 
Exec $ base_dir / Kafka used to live-RUN-class. SH $ -Djava.security.auth the extra_args. The Login .config = $ base_dir /../ config / kafka_server_plain_jaas.conf kafka.Kafka " $ @ "

Then, copy and rename files server.properties plain.properties, then modify the service profile side plain.properties, as follows:

# Protocol
listeners=SASL_PLAINTEXT://127.0.0.1:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN

# ACL
allow.everyone.if.no.acl.found=false
super.users=User:admin
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer

Finally, create a client user authentication file, kafka_client_plain_jaas.conf reads as follows:

KafkaClient {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  username="ke"
  password="ke";
};

2.2 Starting PLAIN certification cluster

2.2.1 Start Zookeeper

# Zookeeper configuration is relatively simple, there is not much to do introduction 
zkServer. SH Start

2.2.2 Start Kafka cluster

# Kafka installation into bin directory 
. / Kafka-Server-Start-Plain. SH ../config/plain.properties &

2.2.3 Creating Topic

./kafka-topics.sh --create --zookeeper 127.0.0.1:2181/plain --replication-factor 1 --partitions 3 --topic test_plain

2.2.4 add read and write permissions

# Add read permissions 
. / Kafka used to live-acls. SH --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-the Properties zookeeper.connect = 127.0 . 0.1 : 2181 / Plain --add --allow the User-Principal: KE - the Read Operation - Topic test_plain 
# add write permissions 
. / Kafka used to live-acls. SH --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-the Properties zookeeper.connect = 127.0 . 0.1 : 2181 / Plain --add --allow- the User Principal: KE --operation the Write - Topic test_plain 
# added consumer group permission 
. / Kafka used to live-acls. SH --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-properties zookeeper.connect=127.0.0.1:2181/plain --add --allow-principal User:ke --operation Read --group g_plain_test
# 查看权限列表
./kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-properties zookeeper.connect=127.0.0.1:2181/plain --list

2.2.5 the results

Certification 2.3 SCRAM

PLAIN authentication There is a problem, it is not a dynamic new user, after every time you add a user, you need to restart Kafka cluster running to take effect. To this end, in a production environment, this authentication method is not realistic business scenarios. The SCRAM is not the same, the use of SCRAM authentication, users can dynamically add, after adding the user can not restart Kafka running cluster can be authenticated.

New kafka_server_scram_jaas.conf, configured as follows:

KafkaServer {
  org.apache.kafka.common.security.scram.ScramLoginModule required
  username="admin"
  password="admin-secret";
};

Next, the script file kafka-server-start.sh rename kafka-server-scram-start.sh, and modify the contents of the last line is:

# Add authentication file 
exec $ base_dir / kafka-run-class.sh $ EXTRA_ARGS -Djava.security.auth.login.config = $ base_dir /../ config / kafka_server_scram_jaas.conf kafka.Kafka "$ @"

Then $ KAFKA_HOME / config directory, copy and rename files server.properties scram.properties, then modify the server configuration file scram.properties, reads as follows:

# Protocol
listeners=SASL_PLAINTEXT://dn1:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256
sasl.enabled.mechanisms=SCRAM-SHA-256

# ACL
allow.everyone.if.no.acl.found=false
super.users=User:admin
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer

2.3.1 Start Zookeeper

# Zookeeper configuration is relatively simple, there is not much to do introduction 
zkServer. SH Start

2.3.2 Add administrator and ordinary users

# 添加管理员
./kafka-configs.sh --zookeeper 127.0.0.1:2181/scram --alter --add-config 'SCRAM-SHA-256=[password=admin-secret],SCRAM-SHA-512=[password=admin-secret]' --entity-type users --entity-name admin
# 添加普通用户(ke)
./kafka-configs.sh --zookeeper 127.0.0.1:2181/scram --alter --add-config 'SCRAM-SHA-256=[iterations=8192,password=ke],SCRAM-SHA-512=[password=ke]' --entity-type users --entity-name ke

2.3.3 Start SCRAM certification cluster

./kafka-server-scram-start.sh ../config/scram.properties &

2.3.4 Creating Topic

./kafka-topics.sh --create --zookeeper 127.0.0.1:2181/scram --replication-factor 1 --partitions 3 --topic test_scram

2.3.5 Adding permissions

# Add read permissions 
./kafka-acls. SH --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-the Properties zookeeper.connect = 127.0 . 0.1 : 2181 / SCRAM --add --allow the User-Principal: KE - the Read Operation - Topic test_scram 
# add write permissions 
. / Kafka used to live-acls. SH --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-the Properties zookeeper.connect = 127.0 . 0.1 : 2181 / SCRAM --add --allow- the User Principal: KE --operation the Write - Topic test_scram 
# added consumer group permission 
. / Kafka used to live-acls. SH --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-properties zookeeper.connect=127.0.0.1:2181/scram --add --allow-principal User:ke --operation Read --group g_scram_test
# 查看权限列表
./kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-properties zookeeper.connect=127.0.0.1:2181/scram --list

2.3.6 the results

3.Kafka permission levels

Kafka permission level comprises Topic, Group, Cluster, TransactionalId, right contents each dimension relates to the following:

Resource Operations
Topic Read,Write,Describe,Delete,DescribeConfigs,AlterConfigs,All
Group Read,Describe,All
Cluster Create,ClusterAction,DescribeConfigs,AlterConfigs,IdempotentWrite,Alter,Describe,All
TransactionalId Describe,Write,All

For example, statistics Capacity size Topic, if an exception is thrown "Cluster authorization failed", it is because there is no permission to open Describe Cluster level, execute the following command:

./kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-properties zookeeper.connect=127.0.0.1:2181/scram --add --allow-principal User:ke --operation Describe --cluster

4.Kafka Eagle Integrated SCRAM certification

So how to use Kafka Eagle SCRAM certified Kafka integrated cluster, to monitor it? Access http://www.kafka-eagle.org/ , download the package, unpack and configure the following:

# To be here to start a SCRAM has certified Kafka cluster (alias cluster1) configuration 
cluster1.kafka.eagle.sasl.enable = to true 
cluster1.kafka.eagle.sasl.protocol = SASL_PLAINTEXT 
cluster1.kafka.eagle.sasl.mechanism = -SHA-SCRAM 256 
cluster1.kafka.eagle.sasl.jaas.config = org.apache.kafka.common.security.scram.ScramLoginModule required username = " KE " password = " KE " ; 
# ClientId here if you do not, you can no configuration 
cluster1.kafka.eagle.sasl.client. the above mentioned id =

Then, ke.sh start to boot Kafka Eagle monitoring system.

4.1 Topic Preview

4.2 KSQL Query Topic

Execute the following SQL statement, as follows:

select * from "test_scram" where "partition" in (0) limit 1

Execution results are as follows:

5. Summary

Production environment, the user may vary with business needs, add or delete, it is necessary at this time when the dynamic control of the user. Moreover, the production environment Kafka cluster can not casually restart, so the use of SCRAM authentication ideally suited to Kafka.

6. Conclusion

This blog will share here, if you have any questions in the process of research study, you can add the group to discuss or send mail to me, I will do my best to answer your questions, and the king of mutual encouragement!

In addition, a blogger book " Kafka used to live not difficult to learn " and " Hadoop big data mining from entry to advanced combat ", like a friend or a classmate, you can click the link to buy the book to buy bloggers learn the bulletin board there, thank you for your support. The following public concern number, follow the prompts, you can get free video teaching books.

Guess you like

Origin www.cnblogs.com/smartloli/p/11404610.html
Recommended
The number of MaxKB GitHub Stars, an open source knowledge base question and answer system based on large language models, exceeded 5,000!
Ranking
Getting the basic concepts of ROS + catkin Profile
Spring Learning (2) --- Assembling Beans in the IoC Container
js to get the src attribute of the image regularly
STM32 is based on CubeIDE and HAL library basics entry study notes: Bluetooth WIFI STM32 connects to Alibaba Cloud
Short video learning - 3, pandas simple use of pivot_table
Print directory of project configuration log, output log
Understand the difference between vi and vim in Linux in 3 minutes
1 + x certificate Web front-end development HTML5 special exercises
mangodb save and insert the difference
7-1 Family tree processing (50 points) (binary tree solution)
Daily
More
2024-05-13(8)
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)

Code World

© 2018 codetd.com