【Posted at】:2021-10-09 08:24:47
【Question】:
I want to add authentication and authorization to Confluent Kafka running with Docker. This should only apply to port 9093; 9092 should keep working as before, because that port is blocked for external clients by iptables rules. So I used the following configuration:
=> 9093 SASL_SSL
=> 9092 PLAINTEXT
Here is part of my configuration:
Kafka container environment variables
- KAFKA_ADVERTISED_LISTENERS=PLAINTEXT://my.host.ip:9092,SASL_SSL://my.host.ip:9093
- KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND=false
- KAFKA_SSL_CLIENT_AUTH=required
- KAFKA_SECURITY_INTER_BROKER_PROTOCOL=SASL_SSL
- KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL=PLAIN
- KAFKA_SASL_ENABLED_MECHANISMS=PLAIN
- KAFKA_AUTHORIZER_CLASS_NAME=kafka.security.authorizer.AclAuthorizer
- KAFKA_SUPER_USERS="User:admin"
- KAFKA_OPTS=-Djava.security.auth.login.config=/etc/kafka/secrets
Zookeeper container environment variables
- ZOOKEEPER_SERVERS=0.0.0.0:2888:3888;my.host.ip:2888:3888
- ZOOKEEPER_SERVER_ID=1
- ZOOKEEPER_CLIENT_PORT=2181
- ZOOKEEPER_STANDALONE_ENABLED=false
- ZOOKEEPER_DATA_DIR=/kafka/data
- ZOOKEEPER_AUTH_PROVIDER_SASL=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
- KAFKA_OPTS=-Djava.security.auth.login.config=/etc/kafka/secrets/zookeeper_jaas.conf
Since I only want to configure the authentication mechanism for the SASL_SSL listener, I use the following JAAS configuration, as described here: https://docs.confluent.io/platform/current/kafka/authentication_sasl/index.html#recommended-broker-jaas-configuration.
kafka_jaas.config
KafkaServer {
listener.name.sasl_ssl.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin"
user_admin="admin"
};
Client {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin";
};
zookeeper_jaas.config
Server {
org.apache.zookeeper.server.auth.DigestLoginModule required
user_admin="admin";
};
When I run Kafka, I get the following error:
[main-SendThread(s415vm2140.detss.corpintra.net:2181)] WARN org.apache.zookeeper.ClientCnxn - SASL configuration failed: javax.security.auth.login.LoginException: Zookeeper client cannot authenticate using the 'Client' section of the supplied JAAS configuration: '/etc/kafka/secrets/kafka_jaas.conf' because of a RuntimeException: java.lang.SecurityException: java.io.IOException: Configuration Error:
Line 2: expected [controlFlag] Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it.
How can I make it so that clients connecting on port 9092 do not need to authenticate?
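The "Line 2: expected [controlFlag]" warning comes from the JDK's JAAS parser, which reads each entry as a LoginModule class name followed by a control flag; the question's kafka_jaas.config puts a broker property key (listener.name.sasl_ssl.plain.sasl.jaas.config=...) where the class name belongs. The following is an added example, not code from the question or from Confluent: a small JAAS syntax checker that reproduces the JDK's error wording on a constructed copy of the question's KafkaServer section, so a file can be validated before the broker starts.

```python
import re

# Constructed sample: the question's KafkaServer section, where a broker
# property key was pasted into the JAAS file; line 2 is the offending line.
BROKEN_KAFKA_SERVER = """KafkaServer {
listener.name.sasl_ssl.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin"
user_admin="admin"
};
"""
CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}
# A token is a quoted string, one of the delimiters { } ; = or a bare word.
TOKEN_RE = re.compile(r'"[^"]*"|[{};=]|[^\s{};="]+')


def parse_jaas(text):
    """Parse 'Section { LoginModule flag key=value ...; };' blocks into
    {section: [{"module", "flag", "options"}]}; errors use the JDK's wording."""
    toks = [(n, t) for n, line in enumerate(text.splitlines(), 1)
            for t in TOKEN_RE.findall(line)]
    pos = 0

    def take(expected=None):
        nonlocal pos
        line, tok = toks[pos] if pos < len(toks) else (toks[-1][0], None)
        if tok is None or (expected and tok != expected):
            raise ValueError(f"Line {line}: expected [{expected or 'token'}]")
        pos += 1
        return line, tok

    sections = {}
    while pos < len(toks):
        _, name = take()                      # application (section) name
        take("{")
        entries = []
        while pos < len(toks) and toks[pos][1] != "}":
            _, module = take()                # LoginModule class name
            line, flag = take()               # must be a JAAS control flag
            if flag not in CONTROL_FLAGS:
                raise ValueError(f"Line {line}: expected [controlFlag]")
            options = {}
            while (key := take()[1]) != ";":  # key=value pairs until ';'
                take("=")
                options[key] = take()[1].strip('"')
            entries.append({"module": module, "flag": flag, "options": options})
        take("}")
        take(";")
        sections[name] = entries
    return sections
```

The question's Client section parses cleanly with the same function; the listener-scoped listener.name.sasl_ssl.plain.sasl.jaas.config key is a broker property (server.properties or the matching KAFKA_ environment variable), not JAAS file syntax, so the JAAS section itself should start with the PlainLoginModule class name.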
【Discussion】:
- That "error" is a warning from the Zookeeper client and has nothing to do with the Kafka client SSL/SASL connection. You should also show your Zookeeper setup
Tags: docker apache-kafka