CDK 2.0 and higher Powered By Apache Kafka supports Kerberos authentication, but it is supported only for the new Kafka Producer and Consumer APIs. If you already have a Kerberos server, you can add Kafka to your current configuration. If you do not have a Kerberos server, install it before proceeding. See Enabling Kerberos Authentication Using the Wizard.

If you already have configured the mapping from Kerberos principals to short names using the hadoop.security.auth_to_local HDFS configuration property, configure the same rules for Kafka by adding the sasl.kerberos.principal.to.local.rules property to the Advanced Configuration Snippet for Kafka Broker Advanced Configuration Snippet using Cloudera Manager. Specify the rules as a comma separated list.

To enable Kerberos authentication for Kafka:

  1. From Cloudera Manager, navigate to Kafka > Configurations. Set SSL client authentication to none. Set Inter Broker Protocol to SASL_PLAINTEXT.
  2. Click Save Changes.
  3. Restart the Kafka service.
  4. Make sure that listeners = SASL_PLAINTEXT is present in the Kafka broker logs /var/log/kafka/server.log.
  5. Create a jaas.conf file with the following contents to use with cached Kerberos credentials (you can modify this to use keytab files instead of cached credentials. To generate keytabs, see Step 6: Get or Create a Kerberos Principal for Each User Account).

    If you use kinit first, use this configuration.

    KafkaClient {
    
com.sun.security.auth.module.Krb5LoginModule required
    
useTicketCache=true;
    
};
    If you use keytab, use this configuration:

    KafkaClient {
    
com.sun.security.auth.module.Krb5LoginModule required
    
useKeyTab=true
    
keyTab="/etc/security/keytabs/kafka_server.keytab"
    
principal="kafka/kafka1.hostname.com@EXAMPLE.COM";
    
};
  6. Create the client.properties file containing the following properties. 
    security.protocol=SASL_PLAINTEXT
    
sasl.kerberos.service.name=kafka
  7. Test with the Kafka console producer and consumer. To obtain a Kerberos ticket-granting ticket (TGT): 
    $ kinit <user>
  8. Verify that your topic exists. (This does not use security features, but it is a best practice.) 
    $ kafka-topics --list --zookeeper <zkhost>:2181
  9. Verify that the jaas.conf file is used by setting the environment. 
    $ export KAFKA_OPTS="-Djava.security.auth.login.config=/home/user/jaas.conf"
  10. Run a Kafka console producer. 
    $ kafka-console-producer --broker-list <anybroker>:9092 --topic test1
    
--producer.config client.properties
  11. Run a Kafka console consumer. 
    $ kafka-console-consumer --new-consumer --topic test1 --from-beginning
    
--bootstrap-server <anybroker>:9092 --consumer.config client.properties

kafka Enabling Kerberos Authentication的更多相关文章

  1. flume集成kafka(kafka开启kerberos)配置

    根据flume官网:当kafka涉及kerberos认证: 涉及两点配置,如下: 配置一:见下实例中红色部分 配置conf实例: [root@gz237-107 conf]# cat flume_sl ...

  2. FIM 2010: Kerberos Authentication Setup

    The goal of this article is to provide some background information regarding the Kerberos related co ...

  3. Problem of Creating Topics in Kafka with Kerberos

    Hi, After enabled Kerberos using Ambari, I got problem creating topics in Kafka using the kafka-topi ...

  4. Step by Step Recipe for Securing Kafka with Kerberos

    Short Description: Step by Step Recipe for Securing Kafka with Kerberos. Article I found it is a lit ...

  5. hiveserver2 with kerberos authentication

    Kerberos协议: Kerberos协议主要用于计算机网络的身份鉴别(Authentication), 其特点是用户只需输入一次身份验证信息就可以凭借此验证获得的票据(ticket-grantin ...

  6. 进行Spark,Kafka针对Kerberos相关配置

    1. 提交任务的命令 spark-submit \--class <classname> \--master yarn \--deploy-mode client \--executor- ...

  7. Kafka集成Kerberos之后如何使用生产者消费者命令

    1.生产者1.1.准备jaas.conf并添加到环境变量(使用以下方式的其中一种)1.1.1.使用Kinit方式前提是手动kinit 配置内容为: KafkaClient { com.sun.secu ...

  8. kafka实战kerberos

    more /etc/krb5.conf [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log a ...

  9. kafka 配置kerberos校验以及开启acl实践

    转载请注明原创地址:http://www.cnblogs.com/dongxiao-yang/p/7131626.html kafka从0.9版本以后引入了集群安全机制,由于最近需要新搭建一套kafk ...

随机推荐

  1. shell脚本遇到问题"$'\r': command not found"

    shell脚本写得一切正常,但是一执行就报错: line: XXX "$'\r': command not found" 问题原因:文件格式问题(虽然在window和linux上选 ...

  2. cmake设定boost python3

    在mac上操作的.python3是anaconda环境下装的,3.7.1. boost是用brew装的,1.71.0版本. 按照FindBoost.cmake官方写法的CMakeLists.txt: ...

  3. Django框架(十五)-- cookie和session组件

    一.cookie 1.cookie的由来 HTTP协议是无状态的.无状态的意思是每次请求都是独立的,它的执行情况和结果与前面的请求和之后的请求都无直接关系,它不会受前面的请求响应情况直接影响,也不会直 ...

  4. 实时通讯之Socket.io

    WebSocket WebSocket是HTML5开始提供的一种浏览器与服务器间进行全双工通讯的网络技术.使用WebSocket,浏览器和服务器只需要要做一个握手的动作,然后,浏览器和服务器之间就形成 ...

  5. JDK1.8 LocalDate 使用方式;LocalDate 封装Util,LocalDate工具类(四)

    未完待续 ........ 前言:       加班了好几天,终于结束上一个坑的项目了,项目交接人员全部离职,代码一行注释没有,无人问津的情况下,完成了项目,所以好的规范真的很重要. 继续日期改写 一 ...

  6. python抓取网站提示错误ssl.SSLCertVerificationError处理

    python在抓取制定网站的错误提示:ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify ...

  7. SparkSQL 中 RDD 、DataFrame 、DataSet 三者的区别与联系

    一.SparkSQL发展: Shark是一个为spark设计的大规模数据仓库系统,它与Hive兼容      Shark建立在Hive的代码基础上,并通过将Hive的部分物理执行计划交换出来(by s ...

  8. Git挽回错误的push(commit)

    若你的(zhu)队友不小心把错误的代码提交到远程仓库,特别是包含了很多删除文件指令,不要尝试使用Git的API修改,或者删除Git仓库里的某次提交记录,风险十分大,正确的做法是备份你的本地源码,然后拉 ...

  9. 学习-jdk8 特性

    jdk8新特性 Lambda 表达式 Lambda允许把函数作为一个方法的参数(函数作为参数传递进方法中.方法引用 − 方法引用提供了非常有用的语法,可以直接引用已有Java类或对象(实例)的方法或构 ...

  10. notapad++正则替换

    1.替换小数点后一位 XP_001663106.2XP_001662510.3XP_001655249.2XP_001655248.1NP_001165739.1 \.[0-9]或者\.\d #第一个 ...