References: https://www.cnblogs.com/wuyongyin/p/15624452.html Kerberos basic principles
https://www.cnblogs.com/wuyongyin/p/15634397.html Kerberos installation and usage
https://www.jianshu.com/p/c7d3051ca075 Enabling Kerberos authentication in Kafka
Modify the host configuration to add centos-01
1. Create the keytabs
kadmin.local: add_principal -randkey kafka-server/centos-01@ABC.COM
kadmin.local: add_principal -randkey [email protected]
kadmin.local: xst -k /root/kafka-server.keytab kafka-server/centos-01@ABC.COM
kadmin.local: xst -k /root/kafka-client.keytab [email protected]
2. Server-side configuration
a) Create the directory kafka/config/kerberos and copy etc/krb5.conf and the keytab file into it.
Note: comment out the renew_lifetime = 7d line, otherwise an error is reported later.
b) Copy kafka/config/server.properties to kafka/config/server-sasl.properties and add:
listeners=SASL_PLAINTEXT://centos-01:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.enabled.mechanisms=GSSAPI
sasl.kerberos.service.name=kafka-server
c) Create the file kafka/config/kerberos/kafka-server-jaas.conf with the following content:
KafkaServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/root/kafka/config/kerberos/kafka-server.keytab"
    storeKey=true
    useTicketCache=false
    principal="kafka-server/[email protected]";
};
d) Copy /kafka/bin/kafka-server-start.sh to /kafka/bin/kafka-server-start-sasl.sh and add the following environment variable declaration just before the final exec command:
export KAFKA_OPTS="-Djava.security.krb5.conf=/root/kafka/config/kerberos/krb5.conf -Djava.security.auth.login.config=/root/kafka/config/kerberos/kafka-server-jaas.conf"
3. Client-side configuration
a) Create the directory kafka/config/kerberos and copy etc/krb5.conf and the keytab file into it.
Comment out the renew_lifetime = 7d line, otherwise an error is reported later.
b) Create the file kafka/config/kerberos/kafka-client-jaas.conf with the following content:
KafkaClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/root/kafka/config/kerberos/kafka-client.keytab"
    storeKey=true
    useTicketCache=false
    principal="[email protected]";
};
c) Create the file /kafka/config/client-sasl.properties with the following content:
security.protocol=SASL_PLAINTEXT
sasl.mechanism=GSSAPI
sasl.kerberos.service.name=kafka-server
d) Copy /kafka/bin/kafka-console-producer.sh to /kafka/bin/kafka-console-producer-sasl.sh and add the following just before the exec on the last line:
export KAFKA_OPTS="-Djava.security.krb5.conf=/root/kafka/config/kerberos/krb5.conf -Djava.security.auth.login.config=/root/kafka/config/kerberos/kafka-client-jaas.conf"
4. Start and test
Start Kafka on the server:
./bin/kafka-server-start-sasl.sh -daemon config/server-sasl.properties
Start a producer connection on the client:
./kafka-console-producer-sasl.sh --topic test-topics --bootstrap-server 127.0.0.1:9092 --producer.config /root/kafka/config/client-sasl.properties
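A pre-start check for the server-side files from step 2, as an added example that is not part of the original post: it verifies that sasl.kerberos.service.name and the listener host match the broker principal, that the keytab is readable only by its owner, and flags that SASL_PLAINTEXT does not encrypt traffic. The helper names (check_kafka_kerberos, prop, jaas, demo) are hypothetical, and the sample files are constructed from the kafka-server/centos-01@ABC.COM principal created in step 1.

```shell
#!/bin/sh
# Added example, not from the original post. check_kafka_kerberos, prop and jaas
# are hypothetical helper names; the sample files in demo() are constructed.

# Last value of a key in a .properties file ($2 is a regex-escaped key).
prop() { sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1; }
# Value of key="value" in a JAAS file, whether written on one line or several.
jaas() { tr ' \t;' '\n\n\n' < "$1" | sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" | head -n 1; }

check_kafka_kerberos() {   # args: server properties file, server JAAS file
    rc=0
    service=$(prop "$1" 'sasl\.kerberos\.service\.name')
    listener=$(prop "$1" listeners)
    principal=$(jaas "$2" principal)
    keytab=$(jaas "$2" keyTab)
    host=${listener#*://}; host=${host%%:*}              # first listener's host
    primary=${principal%%/*}                             # e.g. kafka-server
    instance=${principal#*/}; instance=${instance%%@*}   # e.g. centos-01
    # Clients ask the KDC for <service name>/<broker host>, so both parts
    # must match the principal the broker logs in with.
    [ "$primary" = "$service" ] || { echo "FAIL: service name '$service' != primary '$primary'"; rc=1; }
    [ "$instance" = "$host" ] || { echo "FAIL: listener host '$host' != instance '$instance'"; rc=1; }
    # A keytab holds a long-term key: only its owner should have access.
    if [ ! -f "$keytab" ]; then
        echo "FAIL: keytab '$keytab' not found"; rc=1
    elif [ "$(ls -ld "$keytab" | cut -c5-10)" != "------" ]; then
        echo "FAIL: keytab '$keytab' is accessible to group or other"; rc=1
    fi
    # SASL_PLAINTEXT authenticates peers but does not encrypt the connection.
    case $listener in
        SASL_PLAINTEXT://*) echo "WARN: SASL_PLAINTEXT listener, traffic is not encrypted" ;;
    esac
    return "$rc"
}

demo() {   # constructed files using this page's principal and listener
    d=$(mktemp -d); kt=$d/kafka-server.keytab; : > "$kt"; chmod 600 "$kt"
    printf '%s\n' 'listeners=SASL_PLAINTEXT://centos-01:9092' \
        'sasl.kerberos.service.name=kafka-server' > "$d/server-sasl.properties"
    printf 'KafkaServer { com.sun.security.auth.module.Krb5LoginModule required keyTab="%s" principal="kafka-server/centos-01@ABC.COM"; };\n' "$kt" > "$d/jaas.conf"
    check_kafka_kerberos "$d/server-sasl.properties" "$d/jaas.conf"
}
demo
```

Against real files, call check_kafka_kerberos with the paths to server-sasl.properties and kafka-server-jaas.conf; a non-zero return means at least one FAIL line was printed.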
From: https://www.cnblogs.com/ho966/p/17114988.html