使用SASL/PLAIN認(rèn)證
server端
1.配置broker
kafka_server_jaas.conf
內(nèi)容
KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret"
user_admin="admin-secret"
user_alice="alice-secret";
};
username\password是broker初始化鏈接其他broker的使用的产阱;上例admin是內(nèi)部broker通信使用块仆;
user_[user]=[password]是用戶鏈接到broker合法驗(yàn)證使用的
2.添加JAAS配置到JVM的配置中,文件為kafka-server-start.sh
export KAFKA_OPTS="-Djava.security.auth.login.config=/home/app/projects/kafka/config/common/kafka_server_jaas.conf"
分割下解釋
-Djava.security.auth.login.config=/etc/kafka/kafka_server_jaas.conf
該參數(shù)為添加為用戶認(rèn)證的server端
3.添加SASL端口和SASL認(rèn)證方式添加到 server.properties
listeners=SASL_PLAINTEXT://host.name:port
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
認(rèn)證權(quán)限配置
server.propert文件
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
allow.everyone.if.no.acl.found=true //對(duì)所有用戶topic可見
super.users=User:Bob;User:Alice
client端
在kafka-console-producer.sh中添加
export KAFKA_OPTS="-Djava.security.auth.login.config=/home/app/projects/kafka/config/kafka_client_jaas.conf"
kafka_client_jaas.conf文件添加如下內(nèi)容
KafkaClient {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="alice"
password="alice-secret";
};
添加配置在producer.properties或consumer.properties
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
授權(quán)
~/projects/kafka/bin/kafk-acls.sh --authorizer-properties zookeeper.connect=localhost:2181/tkafka --add --allow-principal User:alice --operation Read --operation Write --topic T_acl-1
生產(chǎn)者
./projects/kafka/bin/kafka-console-producer.sh --broker-list 127.0.0.1:9092 --topic t-cal --producer.config ~/projects/kafka/config/producer.properties
消費(fèi)者
