Kafka: Enabling Kerberos Authentication
CDK 2.0 and higher Powered By Apache Kafka supports Kerberos authentication, but it is supported only for the new Kafka Producer and Consumer APIs. If you already have a Kerberos server, you can add Kafka to your current configuration. If you do not have a Kerberos server, install it before proceeding. See Enabling Kerberos Authentication Using the Wizard.
If you have already configured the mapping from Kerberos principals to short names using the hadoop.security.auth_to_local HDFS configuration property, configure the same rules for Kafka by adding the sasl.kerberos.principal.to.local.rules property to the Kafka Broker Advanced Configuration Snippet using Cloudera Manager. Specify the rules as a comma-separated list.
To enable Kerberos authentication for Kafka:
- From Cloudera Manager, navigate to Kafka > Configurations. Set SSL client authentication to none. Set Inter Broker Protocol to SASL_PLAINTEXT.
- Click Save Changes.
- Restart the Kafka service.
- Make sure that listeners = SASL_PLAINTEXT is present in the Kafka broker logs /var/log/kafka/server.log.
- Create a jaas.conf file with the following contents to use with cached Kerberos credentials. You can modify this to use keytab files instead of cached credentials; to generate keytabs, see Step 6: Get or Create a Kerberos Principal for Each User Account.
If you use kinit first, use this configuration.
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true;
};
If you use keytab, use this configuration:
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/etc/security/keytabs/kafka_server.keytab"
principal="kafka/kafka1.hostname.com@EXAMPLE.COM";
};
- Create the client.properties file containing the following properties.
security.protocol=SASL_PLAINTEXT
sasl.kerberos.service.name=kafka
- Test with the Kafka console producer and consumer. To obtain a Kerberos ticket-granting ticket (TGT):
$ kinit <user>
- Verify that your topic exists. (This does not use security features, but it is a best practice.)
$ kafka-topics --list --zookeeper <zkhost>:2181
- Verify that the jaas.conf file is used by setting the environment.
$ export KAFKA_OPTS="-Djava.security.auth.login.config=/home/user/jaas.conf"
- Run a Kafka console producer.
$ kafka-console-producer --broker-list <anybroker>:9092 --topic test1 \
  --producer.config client.properties
- Run a Kafka console consumer.
$ kafka-console-consumer --new-consumer --topic test1 --from-beginning \
  --bootstrap-server <anybroker>:9092 --consumer.config client.properties
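One way to check the jaas.conf and client.properties files from the steps above before running the console clients, as an added example (not Cloudera's or Kafka's own tooling). The function names are illustrative; the script assumes a POSIX shell, uses klist only if the Kerberos client tools are installed, and also accepts SASL_SSL, Kafka's TLS-protected SASL protocol, although this page configures SASL_PLAINTEXT.

```shell
# Added example. Usage: sh preflight.sh jaas.conf client.properties
# Prints one FAIL line per problem; the exit status is the number of problems.
prop() {  # prop FILE KEY: print KEY's value from a Java properties file
    sed -n -e 's/[[:space:]]*$//' \
        -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

jaas_opt() {  # jaas_opt OPTION: print OPTION's value from $section, unquoted
    printf '%s\n' "$section" |
        sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\";]*\).*/\1/p" | head -n 1
}

fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

check_kafka_kerberos_client() {  # args: JAAS_FILE CLIENT_PROPERTIES
    problems=0
    # Only the KafkaClient section matters to the console producer and consumer.
    section=$(sed -n '/KafkaClient[[:space:]]*{/,/}[[:space:]]*;/p' "$1")
    printf '%s\n' "$section" | grep -q 'Krb5LoginModule[[:space:]]*required' ||
        fail "no KafkaClient section that requires Krb5LoginModule in $1"
    if [ "$(jaas_opt useKeyTab)" = true ]; then
        keytab=$(jaas_opt keyTab)
        case $(jaas_opt principal) in ?*@?*) ;; *) fail "principal is missing or has no realm" ;; esac
        if [ ! -r "$keytab" ]; then
            fail "keytab '$keytab' is missing or unreadable"
        elif [ "$(ls -ldL "$keytab" | cut -c5-10)" != "------" ]; then
            # A keytab is a long-term secret: only its owner should have access.
            fail "keytab '$keytab' is accessible to group or others"
        fi
    elif [ "$(jaas_opt useTicketCache)" = true ]; then
        # klist -s is silent and exits non-zero when the cache has no valid ticket.
        if command -v klist >/dev/null 2>&1; then
            klist -s || fail "no valid ticket in the credential cache, run kinit"
        fi
    else
        fail "neither useKeyTab=true nor useTicketCache=true is set"
    fi
    case $(prop "$2" security.protocol) in
        SASL_PLAINTEXT|SASL_SSL) ;;  # SASL_PLAINTEXT authenticates but does not encrypt
        *) fail "security.protocol in $2 is not a SASL protocol" ;;
    esac
    [ -n "$(prop "$2" sasl.kerberos.service.name)" ] ||
        fail "sasl.kerberos.service.name is not set in $2"
    return "$problems"
}

if [ "$#" -eq 2 ]; then check_kafka_kerberos_client "$1" "$2"; fi
```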