【Question title】: Bypass kafka authorization for port 9092 (plaintext)
【Posted】: 2021-10-09 08:24:47
【Question】:

I want to add authentication and authorization to Confluent Kafka running in Docker. This should only apply to port 9093; 9092 should keep working as before, because that port is blocked for external clients by an iptables rule. So I used the following configuration:

=> 9093 SASL_SSL
=> 9092 PLAINTEXT

Here is part of my configuration:
Kafka container environment variables

  - KAFKA_ADVERTISED_LISTENERS=PLAINTEXT://my.host.ip:9092,SASL_SSL://my.host.ip:9093
  - KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND=false
  - KAFKA_SSL_CLIENT_AUTH=required
  - KAFKA_SECURITY_INTER_BROKER_PROTOCOL=SASL_SSL
  - KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL=PLAIN
  - KAFKA_SASL_ENABLED_MECHANISMS=PLAIN
  - KAFKA_AUTHORIZER_CLASS_NAME=kafka.security.authorizer.AclAuthorizer
  - KAFKA_SUPER_USERS="User:admin"
  - KAFKA_OPTS=-Djava.security.auth.login.config=/etc/kafka/secrets

Zookeeper container environment variables

  - ZOOKEEPER_SERVERS=0.0.0.0:2888:3888;my.host.ip:2888:3888
  - ZOOKEEPER_SERVER_ID=1
  - ZOOKEEPER_CLIENT_PORT=2181
  - ZOOKEEPER_STANDALONE_ENABLED=false
  - ZOOKEEPER_DATA_DIR=/kafka/data
  - ZOOKEEPER_AUTH_PROVIDER_SASL=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
  - KAFKA_OPTS=-Djava.security.auth.login.config=/etc/kafka/secrets/zookeeper_jaas.conf

Since I only want to configure an authentication mechanism for the SASL_SSL listener, I use the following JAAS configuration, as described here: https://docs.confluent.io/platform/current/kafka/authentication_sasl/index.html#recommended-broker-jaas-configuration

kafka_jaas.config

KafkaServer {
listener.name.sasl_ssl.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required
  username="admin"
  password="admin"
  user_admin="admin"
};

Client {
org.apache.kafka.common.security.plain.PlainLoginModule required
 username="admin"
 password="admin";
};

zookeeper_jaas.config

Server {
       org.apache.zookeeper.server.auth.DigestLoginModule required
       user_admin="admin";
};

When I run Kafka, I get the following error:

[main-SendThread(s415vm2140.detss.corpintra.net:2181)] WARN org.apache.zookeeper.ClientCnxn - SASL configuration failed: javax.security.auth.login.LoginException: Zookeeper client cannot authenticate using the 'Client' section of the supplied JAAS configuration: '/etc/kafka/secrets/kafka_jaas.conf' because of a RuntimeException: java.lang.SecurityException: java.io.IOException: Configuration Error:
    Line 2: expected [controlFlag] Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it.

How can I make it so that clients connecting on port 9092 do not need to authenticate?

【Question comments】:

  • That "error" is a warning from the Zookeeper client and has nothing to do with Kafka client SSL/SASL connections. You should also show your Zookeeper settings

Tags: docker apache-kafka


【Solution 1】:

Read more here: https://docs.confluent.io/platform/current/security/zk-security.html

You set Zookeeper to use Digest, but you set the client to Plain. Regarding kafka_jaas:

KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
     username="admin"
      password="admin"
      user_admin="admin";
};

Client {
       org.apache.zookeeper.server.auth.DigestLoginModule required
       username="admin"
       password="admin";
};

In zookeeper_jaas:

Server {
   org.apache.zookeeper.server.auth.DigestLoginModule required
       username="admin"
       password="admin"
       user_admin="admin";
};


P.S.

  1. The listener.name.sasl_ssl.plain.sasl.jaas.config= in your KafkaServer is incorrect
  2. You are missing the ";"

Here is another example using the Plain configuration:

Kafka SASL zookeeper authentication

【Discussion】:
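The two defects the answer points out (a broker property pasted into the JAAS file, and a missing ';') are exactly what the ZooKeeper client's "expected [controlFlag]" warning reflects, and the consequence is that the broker silently falls back to an unauthenticated ZooKeeper session. The following checker is an added example, not code from the question, the answer or Confluent; it lints JAAS sections for those defects and verifies that the broker's Client module class matches the ZooKeeper Server module class. The sample JAAS text is a constructed copy of the question's configuration, with its placeholder credentials.

```python
import re

CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}
SECTION = re.compile(r"(\w+)\s*\{(.*?)\}\s*;", re.S)   # Name { entries... };
# Constructed sample of the question's broken broker JAAS: a broker property
# glued onto the login module, and no ';' terminating the KafkaServer entry.
BROKEN_BROKER_JAAS = """
KafkaServer {
listener.name.sasl_ssl.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required
  username="admin"
  password="admin"
  user_admin="admin"
};
Client {
org.apache.kafka.common.security.plain.PlainLoginModule required
 username="admin"
 password="admin";
};
"""
# Constructed copy of the question's zookeeper_jaas: Digest on the ZooKeeper side.
ZK_JAAS = """
Server {
  org.apache.zookeeper.server.auth.DigestLoginModule required
  user_admin="admin";
};
"""

def lint_jaas(text):
    """Return (section, message) pairs for malformed JAAS login entries."""
    problems = []
    for name, body in SECTION.findall(text):
        if not body.strip().endswith(";"):
            problems.append((name, "last login-module entry is missing ';'"))
        for entry in filter(None, (e.split() for e in body.split(";"))):
            module, flag = entry[0], (entry[1] if len(entry) > 1 else None)
            if "=" in module:  # listener.name.<x>.sasl.jaas.config= belongs in server.properties
                problems.append((name, "broker property %r is not a JAAS login module" % module.split("=")[0]))
            if flag not in CONTROL_FLAGS:
                problems.append((name, "expected control flag after %r, got %r" % (module, flag)))
            problems += [(name, "option %r is not key=value" % o) for o in entry[2:] if "=" not in o]
    return problems

def login_module(text, section):
    """First login-module class in the named section, or None if absent."""
    head = dict(SECTION.findall(text)).get(section, "").split(";")[0].split()
    return head[0].split("=")[-1] if head else None

def zk_client_matches_server(broker_jaas, zk_jaas):
    """Broker 'Client' must use the module class ZooKeeper's 'Server' expects."""
    return login_module(broker_jaas, "Client") == login_module(zk_jaas, "Server")
```

Run `lint_jaas` over both files and `zk_client_matches_server` on the pair before starting the containers; a mismatch means the broker will log the warning above and "continue connection to Zookeeper server without SASL authentication".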
