Zookeeper and Kafka with SASL security

I've set up a Kafka cluster with SASL SCRAM security, and it's working fine.

Per the documentation, I have used the command kafka-configs.sh to create a username and password and grant that user access to a topic.

That also works great.

However, the kafka-configs.sh command doesn't require any kind of authentication itself, so it occurs to me that ANYONE could run that command and create their own user in Kafka and grant their own permissions.

Perhaps I need to enable SASL security on Zookeeper? But I can't find any consistent or working documentation on how to do that. Adding properties to zookeeper.config like requireclientauthscheme=sasl doesn't seem to do anything. Or at least it doesn't stop kafka-configs.sh from creating new users in Zookeeper without any sort of authentication.

Am I even going down a viable path here? Or do I need to back up and do something different?

For reference, I'm using Kafka 1.0.0 and Zookeeper 3.4.11. But I'm flexible on versions if some other version works better.

Any help appreciated! :)

Thanks!

I've finally hacked through a solution for this. :)

Basically, you need to use Zookeeper's setAcl command to lock down the node /config/users. The documentation of how to use SASL to authenticate a Zookeeper ACL is poor at best. The normal Zookeeper mechanism of using addauth to authenticate doesn't work with SASL, because SASL has to happen at startup, not later as Zookeeper expects.

The syntax for setAcl is tricky, and if you get it wrong you can lock yourself out forever. So be careful. But Zookeeper does have a way to inject a super-user at startup to get yourself out of situations like that.

So for your kafka-configs.sh, you have to specify the -Djava.security.auth.login.config=[some file] parameter to pass in your client credentials to Zookeeper. And the server credentials are likewise in the JAAS file on the Zookeeper server.

I can provide additional technical details on my solution if anyone needs them, but somehow I suspect I'm one of the few people trying to seriously secure Kafka and Zookeeper using SASL_SCRAM. :)

I do hope SASL_SCRAM catches on though, because Kerberos is a three-headed beast of a technology that I'd rather not use unless I have to. :P
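The pieces the answer describes, written out as an added example that is not part of the original question or answer: the server and client JAAS files, the zookeeper.properties additions, and the setAcl string that restricts /config/users to the authenticated SASL principal. It assumes ZooKeeper's SASL DIGEST-MD5 login module rather than Kerberos, and the principal name "kafka" and password "kafka-secret" are constructed sample values.

```shell
#!/usr/bin/env sh
# Added example, not the original poster's code. Assumes SASL DIGEST-MD5
# (org.apache.zookeeper.server.auth.DigestLoginModule) on ZooKeeper 3.4.x.
ZK_PRINCIPAL="kafka"          # constructed sample principal
ZK_PASSWORD="kafka-secret"    # constructed sample password; replace before use

# Server-side JAAS (referenced by the ZooKeeper JVM via
# -Djava.security.auth.login.config): one user_<name>="<password>" per client.
write_server_jaas() {
  cat > "$1" <<EOF
Server {
  org.apache.zookeeper.server.auth.DigestLoginModule required
  user_${ZK_PRINCIPAL}="${ZK_PASSWORD}";
};
EOF
}

# Client-side JAAS, handed to kafka-configs.sh / zookeeper-shell.sh through
# KAFKA_OPTS="-Djava.security.auth.login.config=<this file>".
write_client_jaas() {
  cat > "$1" <<EOF
Client {
  org.apache.zookeeper.server.auth.DigestLoginModule required
  username="${ZK_PRINCIPAL}"
  password="${ZK_PASSWORD}";
};
EOF
}

# Lines to append to zookeeper.properties: register the SASL provider and ask
# for SASL on connect. As the answer notes, the ACL below is what enforces it.
zk_sasl_properties() {
  printf '%s\n' \
    'authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider' \
    'requireClientAuthScheme=sasl'
}

# ACL entry for setAcl: scheme "sasl", id = the authenticated principal,
# permissions c(reate) d(elete) r(ead) w(rite) a(dmin). Only this principal
# may then create or change entries under the node.
zk_acl_for() {
  printf 'sasl:%s:cdrwa' "$1"
}

# The command to type into zookeeper-shell.sh once connected with the client
# JAAS above. Getting the id wrong locks out kafka-configs.sh; the escape hatch
# is starting ZooKeeper with -Dzookeeper.DigestAuthenticationProvider.superDigest
# =super:<digest placeholder> and then "addauth digest super:<password>".
zk_setacl_cmd() {
  printf 'setAcl /config/users %s' "$(zk_acl_for "$ZK_PRINCIPAL")"
}
```

After setAcl is applied, kafka-configs.sh must be run with the client JAAS in KAFKA_OPTS; without it the SCRAM user writes under /config/users are rejected by ZooKeeper.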
