Kafka集群的安全认证机构 SASL_SCRAM
Kafka集群的安全認證機構 SASL_SCRAM
Kafka集群的安全認證機構
Kafka 的 SASL 認證機制主要包括 PLAIN、GSSAPI(Kerberos)和 SCRAM-SHA-256/SCRAM-SHA-512;SASL_PLAINTEXT 與 SASL_SSL 則是承載這些機制的安全協議,前者不加密傳輸,後者以 TLS 加密。SASL 只負責身份認證,本身不提供加密。這裡記錄的是在 SASL_PLAINTEXT 監聽器上配置 SASL/SCRAM-SHA-512 認證並搭配 ACL 授權的環境;生產環境建議改用 SASL_SSL,否則 SCRAM 握手仍可被竊聽者用於離線字典攻擊(RFC 5802 第 9 節)。
#config/server-sasl.properties文件修改#node01 #安全認證監控服務 zookeeper.connect=node01:2181,node02:2181 listeners = SASL_PLAINTEXT://node01:9092 advertised.listeners=SASL_PLAINTEXT://node01:9092 security.inter.broker.protocol=SASL_PLAINTEXT sasl.enabled.mechanisms=SCRAM-SHA-512 sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512 authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer #對所有用戶topic可見 allow.everyone.if.no.acl.found=true #設置超級用戶 super.users=User:admin #listener.name.sasl_plaintext.scram-sha-512.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \ # username="admin" \ # password="admin";#node02 #安全認證監控服務 zookeeper.connect=node01:2181,node02:2181 listeners = SASL_PLAINTEXT://node02:9092 advertised.listeners=SASL_PLAINTEXT://node02:9092 security.inter.broker.protocol=SASL_PLAINTEXT sasl.enabled.mechanisms=SCRAM-SHA-512 sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512 authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer #對所有用戶topic可見 allow.everyone.if.no.acl.found=true #設置超級用戶 super.users=User:admin #listener.name.sasl_plaintext.scram-sha-512.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \ # username="admin" \ # password="admin"; #node01和node02下創建kafka_server_jaas.conf文件 KafkaServer {org.apache.kafka.common.security.scram.ScramLoginModule requiredusername="admin"password="admin"; };Client { org.apache.kafka.common.security.plain.PlainLoginModule requiredusername="kafka"password="kafka"; }; #node01和node02下創建bin/kafka-server-start.sh export KAFKA_HEAP_OPTS="-Xmx2G -Xms2G -Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf" ##node01和node02下創建config/admin.conf #security.protocol=SASL_PLAINTEXT #sasl.mechanism=SCRAM-SHA-512 #sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="admin"; ##node01和node02下創建config/testuc.conf ##認證配置文件 #security.protocol=SASL_PLAINTEXT #sasl.mechanism=SCRAM-SHA-512 
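sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="testuc" password="123456";

# --- config/testup.conf (node01 and node02): producer test user -------------
security.protocol=SASL_PLAINTEXT
sasl.mechanism=SCRAM-SHA-512
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="testup" password="123456";

# The *.conf client files hold cleartext passwords: keep them mode 0600 and
# treat 123456 as a lab placeholder only. Over SASL_PLAINTEXT a captured SCRAM
# handshake can be attacked offline with a dictionary (RFC 5802 §9).
chmod 600 config/admin.conf config/testuc.conf config/testup.conf

# --- SCRAM credentials (stored in ZooKeeper) --------------------------------
# Every principal that authenticates needs a credential: the broker identity
# admin (before the first broker start, since brokers authenticate to each
# other with it) and the two test users. The original only created testup;
# testuc had no credential and could not have logged in.
# These commands write to ZooKeeper directly; on Kafka 2.7+ the same can be
# done through the brokers with
#   --bootstrap-server node01:9092 --command-config config/admin.conf
# The password is passed on the command line, so it lands in shell history
# and is visible in process listings while the command runs.
bin/kafka-configs.sh --zookeeper node01:2181 --alter --add-config 'SCRAM-SHA-512=[password=admin]' --entity-type users --entity-name admin
bin/kafka-configs.sh --zookeeper node01:2181 --alter --add-config 'SCRAM-SHA-512=[password=123456]' --entity-type users --entity-name testuc
bin/kafka-configs.sh --zookeeper node01:2181 --alter --add-config 'SCRAM-SHA-512=[password=123456]' --entity-type users --entity-name testup

# Credential lifecycle, shown on a scratch user 'testu' (create it the same
# way first). --add-config on an existing user rotates the password;
# --describe shows the stored salted verifier; --delete-config removes the
# mechanism and locks the user out.
bin/kafka-configs.sh --zookeeper node01:2181 --alter --add-config 'SCRAM-SHA-512=[password=123123]' --entity-type users --entity-name testu
bin/kafka-configs.sh --zookeeper node01:2181 --describe --entity-type users --entity-name testu
bin/kafka-configs.sh --zookeeper node01:2181 --alter --delete-config 'SCRAM-SHA-512' --entity-type users --entity-name testu

# --- Topics (admin is a super user, so no ACL is needed for these) ----------
bin/kafka-topics.sh --list --bootstrap-server node01:9092 --command-config config/admin.conf
bin/kafka-topics.sh --create --bootstrap-server node01:9092 --replication-factor 1 --partitions 1 --topic testtopic --command-config config/admin.conf

# --- ACLs (written to ZooKeeper; enforced by the broker authorizer) ---------
# testuc may consume testtopic. --group '*' is a wildcard over ALL consumer
# groups; it is only needed because kafka-console-consumer picks a random
# group name. For a real consumer name the group here (--group mygroup) and in
# the client so the grant is scoped.
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=node01:2181 --add --allow-principal User:testuc --consumer --topic testtopic --group '*'
# testup may produce to testtopic (--producer grants Write and Describe on the
# topic; newer releases add Create as well).
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=node01:2181 --add --allow-principal User:testup --producer --topic testtopic
# Review what is granted.
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=node01:2181 --list

# --- Produce and consume as the test users ----------------------------------
# (--broker-list is the legacy flag name of the console producer.)
bin/kafka-console-producer.sh --broker-list node01:9092 --topic testtopic --producer.config config/testup.conf
bin/kafka-console-consumer.sh --bootstrap-server node01:9092 --topic testtopic --consumer.config config/testuc.conf

# --- Consumer groups and offsets, as admin ----------------------------------
bin/kafka-consumer-groups.sh --bootstrap-server node01:9092 --list --command-config config/admin.conf
bin/kafka-consumer-groups.sh --bootstrap-server node01:9092 --describe --group test-consumer-group --command-config config/admin.conf

# --- Inspect messages on disk (message tracing) -----------------------------
# Reads the partition's segment file straight out of the broker's log.dirs,
# bypassing SASL and ACLs entirely: anyone with read access to log.dirs can
# see every message of every topic. Protect that directory with filesystem
# permissions. (The path is an example: partition 0 of topic "mytest".)
bin/kafka-run-class.sh kafka.tools.DumpLogSegments --files /webapps/kafka/logs/mytest-0/00000000000000000000.log --print-data-log

# --- Notes: client-side SASL/SCRAM support in the Elastic stack -------------
# The page states that Logstash's SASL/SCRAM support was beta and links the
# Beats Kafka-output docs, which say: sasl.mechanism may be PLAIN,
# SCRAM-SHA-256 or SCRAM-SHA-512; if unset, PLAIN is used when username and
# password are given, otherwise SASL is disabled; for GSSAPI/Kerberos leave it
# empty and use the kerberos options. Beta features are provided as-is with no
# support SLA.
#   https://www.elastic.co/guide/en/beats/journalbeat/master/kafka-output.html#_sasl_mechanism
# At the time of writing Filebeat supported SCRAM-SHA-512 only on its master branch:
#   https://github.com/elastic/beats/pull/12867
#   https://github.com/elastic/beats/issues/8387
#   https://github.com/elastic/beats/issues/16723
# SCRAM security considerations (offline dictionary attacks, channel binding):
#   https://tools.ietf.org/html/rfc5802#section-9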