Authentication using SASL/Kerberos
Prerequisites
- Kerberos
If your organization is already using a Kerberos server (for example, by using Active Directory), there is no need to install a new server just for Kafka. Otherwise you will need to install one, your Linux vendor likely has packages for Kerberos and a short guide on how to install and configure it (Ubuntu, Redhat). Note that if you are using Oracle Java, you will need to download JCE policy files for your Java version and copy them to $JAVA_HOME/jre/lib/security. - Create Kerberos Principals
If you are using the organization's Kerberos or Active Directory server, ask your Kerberos administrator for a principal for each Kafka broker in your cluster and for every operating system user that will access Kafka with Kerberos authentication (via clients and tools).
If you have installed your own Kerberos, you will need to create these principals yourself using the following commands:12sudo/usr/sbin/kadmin.local-q'addprinc -randkey kafka/{hostname}@{REALM}'sudo/usr/sbin/kadmin.local-q"ktadd -k /etc/security/keytabs/{keytabname}.keytab kafka/{hostname}@{REALM}" - Make sure all hosts can be reachable using hostnames - it is a Kerberos requirement that all your hosts can be resolved with their FQDNs.
- Kerberos
Configuring Kafka Brokers
- Add a suitably modified JAAS file similar to the one below to each Kafka broker's config directory, let's call it kafka_server_jaas.conf for this example (note that each broker should have its own keytab):
12345678910111213141516
KafkaServer {com.sun.security.auth.module.Krb5LoginModule requireduseKeyTab=truestoreKey=truekeyTab="/etc/security/keytabs/kafka_server.keytab"principal="kafka/kafka1.hostname.com@EXAMPLE.COM";};// Zookeeper client authenticationClient {com.sun.security.auth.module.Krb5LoginModule requireduseKeyTab=truestoreKey=truekeyTab="/etc/security/keytabs/kafka_server.keytab"principal="kafka/kafka1.hostname.com@EXAMPLE.COM";};
KafkaServer
- section in the JAAS file tells the broker which principal to use and the location of the keytab where this principal is stored. It allows the broker to login using the keytab specified in this section. See
- Pass the JAAS and optionally the krb5 file locations as JVM parameters to each Kafka broker (see here for more details):
-Djava.security.krb5.conf=/etc/kafka/krb5.conf
-Djava.security.auth.login.config=/etc/kafka/kafka_server_jaas.conf - Make sure the keytabs configured in the JAAS file are readable by the operating system user who is starting kafka broker.
- Configure SASL port and SASL mechanisms in server.properties as described here. For example:
listeners=SASL_PLAINTEXT://host.name:port
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.enabled.mechanisms=GSSAPI
- for more details on Zookeeper SASL configuration.
We must also configure the service name in server.properties, which should match the principal name of the kafka brokers. In the above example, principal is "kafka/kafka1.hostname.com@EXAMPLE.com", so:
sasl.kerberos.service.name=kafka
- Add a suitably modified JAAS file similar to the one below to each Kafka broker's config directory, let's call it kafka_server_jaas.conf for this example (note that each broker should have its own keytab):
Configuring Kafka Clients
To configure SASL authentication on the clients:
- Clients (producers, consumers, connect workers, etc) will authenticate to the cluster with their own principal (usually with the same name as the user running the client), so obtain or create these principals as needed. Then configure the JAAS configuration property for each client. Different clients within a JVM may run as different users by specifiying different principals. The property
sasl.jaas.configin producer.properties or consumer.properties describes how clients like producer and consumer can connect to the Kafka Broker. The following is an example configuration for a client using a keytab (recommended for long-running processes):sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required \
useKeyTab=true \
storeKey=true \
keyTab="/etc/security/keytabs/kafka_client.keytab" \
principal="kafka-client-1@EXAMPLE.COM";For command-line utilities like kafka-console-consumer or kafka-console-producer, kinit can be used along with "useTicketCache=true" as in:
sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required \
useTicketCache=true;JAAS configuration for clients may alternatively be specified as a JVM parameter similar to brokers as described here. Clients use the login section named KafkaClient. This option allows only one user for all client connections from a JVM.
- Make sure the keytabs configured in the JAAS configuration are readable by the operating system user who is starting kafka client.
- Optionally pass the krb5 file locations as JVM parameters to each client JVM (see here for more details):
-Djava.security.krb5.conf=/etc/kafka/krb5.conf
- Configure the following properties in producer.properties or consumer.properties:
security.protocol=SASL_PLAINTEXT (or SASL_SSL)
sasl.mechanism=GSSAPI
sasl.kerberos.service.name=kafka
- Clients (producers, consumers, connect workers, etc) will authenticate to the cluster with their own principal (usually with the same name as the user running the client), so obtain or create these principals as needed. Then configure the JAAS configuration property for each client. Different clients within a JVM may run as different users by specifiying different principals. The property
Authentication using SASL/Kerberos的更多相关文章
- kafka Authentication using SASL/Kerberos
Authentication using SASL/Kerberos Prerequisites KerberosIf your organization is already using a Ker ...
- kafka Enabling Kerberos Authentication
CDK 2.0 and higher Powered By Apache Kafka supports Kerberos authentication, but it is supported onl ...
- 《转》谈谈基于Kerberos的Windows Network Authentication
http://www.cnblogs.com/artech/archive/2007/07/05/807492.html 基本原理引入Key Distribution: KServer-Client从 ...
- 为CDH 5.7集群添加Kerberos身份验证及Sentry权限控制
转载请注明出处:http://www.cnblogs.com/xiaodf/ 4. 为CDH 5集群添加Kerberos身份验证 4.1 安装sentry1.点击“操作”,“添加服务”:2.选择sen ...
- YARN & HDFS2 安装和配置Kerberos
今天尝试在Hadoop 2.x开发集群上配置Kerberos,遇到一些问题,记录一下 设置hadoop security core-site.xml <property> <name ...
- 挖坑:hive集成kerberos
集成hive+kerberos前,hadoop已经支持kerberos,所以基础安装略去: https://www.cnblogs.com/garfieldcgf/p/10077331.html 直接 ...
- 挖坑:handoop2.6 开启kerberos(全流程学习记录)
目录: 1.涉及插件简介 2.安装步骤 3.日志错误查看 1.kerberos是什么东西 度娘指导: Kerberos 是一种网络认证协议,其设计目标是通过密钥系统为 客户机 / 服务器 应用程序提供 ...
- Centos 7 集成安装Apache+PHP+Kerberos+LDAP+phpLDAPadmin
一.安装Apache 1.1.安装Apache Apache程序是目前拥有很高市场占有率的Web服务程序之一,其跨平台和安全性广泛被认可且拥有快速.可靠.简单的API扩展. 它的名字取自美国印第安人土 ...
- Ubuntu 16.04 集成安装Apache+PHP+Kerberos+LDAP+phpLDAPadmin
一.安装Apache 1.1.安装Apache apt-get update apt-get install apache2 过程如下: root@duke01:~# apt-get update命中 ...
随机推荐
- angular6 使用tooltip
准备 为了使用tooltip,可以安装ng-bootstrap组件,它包含两个依赖: angular:5.0以上版本: bootstrap css: 4.0版本. 安装好bootstrap之后,更新a ...
- php获取ssl验证的https页面的源码
$response = "https://faculty.xidian.edu.cn/system/resource/tsites/tsitesencrypt.jsp?id=_tsites_ ...
- 部署ceph存储集群及块设备测试
集群环境 配置基础环境 添加ceph.repo wget -O /etc/yum.repos.d/ceph.repo https://raw.githubusercontent.com/aishang ...
- dapi 基于Django的轻量级测试平台四 任务设置
QQ群: GitHub:https://github.com/yjlch1016/dapi 一.间隔时间: 二.定时时间: 三.任务设置: 四.任务结果:
- 回顾Python装饰器
函数装饰器(function decorator)可以对函数进行“标注”,给函数提供更多的特性. 在理解装饰器之前需要理解闭包(closure).Python3.0 引入了保留关键字 nonlocal ...
- HDU - 5126: stars (求立方体内点数 CDQ套CDQ)
题意:现在给定空空的三维平面,有加点操作和询问立方体点数. 思路:考虑CDQ套CDQ.复杂度是O(NlogN*logN*logN),可以过此题. 具体的,这是一个四维偏序问题,4维分别是(times, ...
- CUDA10安装配置
https://developer.nvidia.com/cuda-downloads?target_os=Windows&target_arch=x86_64&target_vers ...
- Pandas | 12 选项和自定义
Pandas提供API来自定义其行为的某些方面,大多使用来显示. API由五个相关函数组成.它们分别是: get_option() set_option() reset_option() descri ...
- Native Clojure with GraalVM
转自:https://www.innoq.com/en/blog/native-clojure-and-graalvm/ GraalVM is a fascinating piece of techn ...
- 云服务器使用: 购买域名,域名绑定IP
有没有不知道域名是什么的,但是大家一定知道访问域名就是访问绑定在域名上的IP地址 域名有个好处就是一个域名可以绑定多个IP. 举个例子:百度的域名是https://www.baidu.com/ 然后咱 ...