kafka Enabling Kerberos Authentication
CDK 2.0 and higher Powered By Apache Kafka supports Kerberos authentication, but it is supported only for the new Kafka Producer and Consumer APIs. If you already have a Kerberos server, you can add Kafka to your current configuration. If you do not have a Kerberos server, install it before proceeding. See Enabling Kerberos Authentication Using the Wizard.
If you have already configured the mapping from Kerberos principals to short names using the hadoop.security.auth_to_local HDFS configuration property, configure the same rules for Kafka by adding the sasl.kerberos.principal.to.local.rules property to the Kafka Broker Advanced Configuration Snippet using Cloudera Manager. Specify the rules as a comma-separated list.
To enable Kerberos authentication for Kafka:
- From Cloudera Manager, navigate to Kafka > Configurations. Set SSL client authentication to none. Set Inter Broker Protocol to SASL_PLAINTEXT.
- Click Save Changes.
- Restart the Kafka service.
- Make sure that listeners = SASL_PLAINTEXT is present in the Kafka broker logs /var/log/kafka/server.log.
- Create a jaas.conf file with the following contents to use with cached Kerberos credentials. (You can modify this to use keytab files instead of cached credentials. To generate keytabs, see Step 6: Get or Create a Kerberos Principal for Each User Account.)
If you use kinit first, use this configuration:
KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=true;
};
If you use keytab, use this configuration:
KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/keytabs/kafka_server.keytab"
  principal="kafka/kafka1.hostname.com@EXAMPLE.COM";
};
- Create the client.properties file containing the following properties.
security.protocol=SASL_PLAINTEXT
sasl.kerberos.service.name=kafka
- Test with the Kafka console producer and consumer. To obtain a Kerberos ticket-granting ticket (TGT):
$ kinit <user>
- Verify that your topic exists. (This does not use security features, but it is a best practice.)
$ kafka-topics --list --zookeeper <zkhost>:2181
- Verify that the jaas.conf file is used by setting the environment.
$ export KAFKA_OPTS="-Djava.security.auth.login.config=/home/user/jaas.conf"
- Run a Kafka console producer.
$ kafka-console-producer --broker-list <anybroker>:9092 --topic test1 --producer.config client.properties
- Run a Kafka console consumer.
$ kafka-console-consumer --new-consumer --topic test1 --from-beginning --bootstrap-server <anybroker>:9092 --consumer.config client.properties
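A pre-flight check for the jaas.conf and client.properties files created in the steps above, as an added example that is not part of the original procedure. The function name check_kafka_client and the sample files are constructed for illustration; the check also flags SASL_PLAINTEXT, which authenticates clients but leaves traffic unencrypted.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight check for the
# jaas.conf and client.properties files. Returns the number of failed checks.
check_kafka_client() {
    jaas=$1 props=$2 fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

    # The login context must be named KafkaClient and use Krb5LoginModule.
    grep -q '^[[:space:]]*KafkaClient[[:space:]]*{' "$jaas" ||
        fail "no KafkaClient section in $jaas"
    grep -q 'com\.sun\.security\.auth\.module\.Krb5LoginModule' "$jaas" ||
        fail "Krb5LoginModule is not configured"

    if grep -q 'useKeyTab=true' "$jaas"; then
        # A keytab holds long-term keys: it must exist and be accessible
        # to its owner only (ls mode string matching ????------).
        kt=$(sed -n 's/^[[:space:]]*keyTab="\([^"]*\)".*/\1/p' "$jaas")
        if [ -z "$kt" ] || [ ! -f "$kt" ]; then
            fail "keytab '$kt' not found"
        else
            case $(ls -ld "$kt") in
                ????------*) ;;
                *) fail "keytab $kt is accessible to group or other" ;;
            esac
        fi
        grep -q 'principal="[^"][^"]*"' "$jaas" ||
            fail "keytab login has no principal set"
    elif ! grep -q 'useTicketCache=true' "$jaas"; then
        fail "neither useTicketCache=true nor useKeyTab=true is set"
    fi

    # client.properties must select a SASL protocol and name the service.
    proto=$(sed -n 's/^security\.protocol[[:space:]]*=[[:space:]]*//p' "$props")
    case $proto in
        SASL_SSL) ;;
        SASL_PLAINTEXT) echo "WARN: SASL_PLAINTEXT authenticates but does not encrypt" ;;
        *) fail "security.protocol='$proto' is not a SASL protocol" ;;
    esac
    grep -q '^sasl\.kerberos\.service\.name[[:space:]]*=[[:space:]]*[^[:space:]]' "$props" ||
        fail "sasl.kerberos.service.name is missing"
    return "$fails"
}

# Constructed sample input: ticket-cache jaas.conf plus the page's properties.
d=$(mktemp -d)
printf 'KafkaClient {\ncom.sun.security.auth.module.Krb5LoginModule required\nuseTicketCache=true;\n};\n' > "$d/jaas.conf"
printf 'security.protocol=SASL_PLAINTEXT\nsasl.kerberos.service.name=kafka\n' > "$d/client.properties"
check_kafka_client "$d/jaas.conf" "$d/client.properties" || echo "failed checks: $?"
rm -rf "$d"
```

Run it against the real files before starting the console producer; a non-zero exit status is the number of failed checks.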