
Securing Kafka and Zookeeper with Kerberos

I'm trying to set up Kerberos authentication between ZooKeeper and Kafka.

I have followed the configuration steps available here: https://docs.confluent.io/4.1.1/kafka/authentication_sasl_gssapi.html#sasl-gssapi-broker

The Kafka brokers successfully connect to the ZooKeeper ensemble, and the brokers are setting ACLs on znodes.

In ZooKeeper, I can see the znodes under /brokers/ids, but the ACLs are set like this:

'world,'anyone
: r
'sasl,'kafka/kafka-broker-01.c.aesthetic-way-193809.internal@MYREALM.COM
: cdrwa

The first broker creates the znode, sets its ACL, and makes it unmodifiable for all the other nodes that want to add their ids.

The docs say that we should use the same principal for all the brokers, but the example in the documentation does not match this recommendation:

 // ZooKeeper client authentication
 Client {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   storeKey=true
   keyTab="/etc/security/keytabs/kafka_server.keytab"
   principal="kafka/kafka1.hostname.com@EXAMPLE.COM";
};

Should I create a principal like kafka_zk_cli@MYREALM.COM and use it in the Client section of my JAAS file on each broker? If yes, can I share the keytab for this user on each broker?

Thanks for the help.

You can drop the host from the principal and use the same one for all brokers, you can set the ACLs manually (not ideal), or you can add these to your ZooKeeper configuration as well:

kerberos.removeHostFromPrincipal = true
kerberos.removeRealmFromPrincipal = true

Any of those three options should help here.

The properties kerberos.removeHostFromPrincipal and kerberos.removeRealmFromPrincipal were not working for me. After going through the source code of ZooKeeper version 3.4.14, I passed the above properties as JVM arguments, such as:

-Dzookeeper.kerberos.removeHostFromPrincipal=true
-Dzookeeper.kerberos.removeRealmFromPrincipal=true

Also, in my case, since it was a case of cross-realm ticket authentication, I added auth rules like:

-Dzookeeper.security.auth_to_local=RULE:[2:$1](.*)

Have a look at the class https://github.com/apache/zookeeper/blob/release-3.4.14/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/SaslServerCallbackHandler.java

Now my topic ACLs look like this:

getAcl /kafka-cluster/config/topics/test20
'world,'anyone
: r
'sasl,'zookeeper
: cdrwa
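Both answers above describe the same mechanism from different angles: ZooKeeper derives the identity it stores in a `sasl` ACL entry from the authenticated Kerberos principal, first by running it through the `auth_to_local` rules (`zookeeper.security.auth_to_local`, which is `DEFAULT` when unset) and then by optionally dropping the host and realm again (`zookeeper.kerberos.removeHostFromPrincipal`, `zookeeper.kerberos.removeRealmFromPrincipal`). The Python below is an added model of that mapping written for this page; it is not ZooKeeper's or Kafka's code, and it implements only a subset of the Hadoop-style rule syntax (`DEFAULT`, and `RULE:[n:format](regex)s/pattern/replacement/` without the case-folding flags). The default realm is passed in explicitly (ZooKeeper gets it from the JVM's Kerberos configuration), and the second broker, the foreign-realm principal and all function names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class KerberosName:
    """A parsed Kerberos principal: primary[/host][@REALM]."""
    primary: str
    host: Optional[str]
    realm: Optional[str]

    @classmethod
    def parse(cls, principal: str) -> "KerberosName":
        m = re.fullmatch(r"([^/@]+)(?:/([^/@]+))?(?:@([^/@]+))?", principal)
        if not m:
            raise ValueError(f"not a principal: {principal!r}")
        return cls(m.group(1), m.group(2), m.group(3))


class NoMatchingRule(Exception):
    """No auth_to_local rule accepted the principal (ZooKeeper logs an error here)."""


# Subset of the Hadoop rule grammar: RULE:[n:format](regex)s/pattern/replacement/g
_RULE = re.compile(r"RULE:\[(\d+):([^\]]+)\](?:\((.*?)\))?(?:s/([^/]*)/([^/]*)/(g?))?")


def short_name(name: KerberosName, rules: Sequence[str], default_realm: str) -> str:
    """Map a principal to a local short name with auth_to_local rules (simplified)."""
    if name.realm is None and name.host is None:
        return name.primary                     # already a bare local name
    n_components = 2 if name.host else 1
    params = [name.realm or "", name.primary, name.host or ""]   # $0, $1, $2
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only maps principals from the local realm to their primary.
            if name.realm == default_realm:
                return name.primary
            continue
        m = _RULE.fullmatch(rule)
        if not m:
            raise ValueError(f"bad rule: {rule!r}")
        n, fmt, regex, pat, repl, flag = m.groups()
        if int(n) != n_components:              # rule is for a different arity
            continue
        candidate = re.sub(r"\$(\d)", lambda mm: params[int(mm.group(1))], fmt)
        if regex is not None and not re.fullmatch(regex, candidate):
            continue
        if pat is not None:                     # optional s/pattern/replacement/[g]
            candidate = re.sub(pat, repl, candidate, count=0 if flag else 1)
        return candidate
    raise NoMatchingRule(f"no rule matched {name}")


def authorized_id(principal: str, *, default_realm: str, rules: Sequence[str] = ("DEFAULT",),
                  remove_host: bool = False, remove_realm: bool = False) -> str:
    """The string ZooKeeper records as the SASL identity, i.e. the id in a 'sasl' ACL.

    The rules only compute the short name; host and realm are appended again unless
    the two remove* properties are set. This mirrors the behaviour described in the
    answers above, not ZooKeeper's actual code.
    """
    name = KerberosName.parse(principal)
    out = short_name(name, rules, default_realm)
    if name.host and not remove_host:
        out += "/" + name.host
    if name.realm and not remove_realm:
        out += "@" + name.realm
    return out


def demo() -> dict:
    """Replay the situations from the question and answers on constructed inputs."""
    realm = "MYREALM.COM"
    b1 = "kafka/kafka-broker-01.c.aesthetic-way-193809.internal@MYREALM.COM"
    b2 = "kafka/kafka-broker-02.c.aesthetic-way-193809.internal@MYREALM.COM"  # constructed
    strip = dict(remove_host=True, remove_realm=True)
    results = {
        # defaults: every broker gets its own id, so broker 2 cannot write broker 1's znode
        "b1_default": authorized_id(b1, default_realm=realm),
        "b2_matches_b1_default": authorized_id(b2, default_realm=realm)
        == authorized_id(b1, default_realm=realm),
        # host-less shared principal (first option in the first answer)
        "shared_principal": authorized_id("kafka@MYREALM.COM", default_realm=realm),
        # removeHost/removeRealm properties: both brokers collapse to "kafka"
        "b1_stripped": authorized_id(b1, default_realm=realm, **strip),
        "b2_stripped": authorized_id(b2, default_realm=realm, **strip),
    }
    # cross-realm ticket (second answer): DEFAULT refuses a foreign realm, a rule maps it
    foreign = "kafka/kafka-broker-03.example.net@OTHER.REALM"                 # constructed
    try:
        results["foreign_default"] = authorized_id(foreign, default_realm=realm, **strip)
    except NoMatchingRule:
        results["foreign_default"] = None
    results["foreign_rule"] = authorized_id(
        foreign, default_realm=realm, rules=["RULE:[2:$1](.*)"], **strip)
    results["foreign_hadoop_rule"] = authorized_id(
        foreign, default_realm=realm, rules=[r"RULE:[2:$1@$0](.*@OTHER\.REALM)s/@.*//"], **strip)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24s} {value}")
```

With the defaults, the id broker 1 writes into the ACL is its full principal, which is exactly why only broker 1 can modify the znode afterwards; with both remove* properties set, every `kafka/<host>@MYREALM.COM` principal becomes plain `kafka`, and a host-less shared principal reaches the same end without touching the server. The caveat a practitioner should weigh: `removeRealmFromPrincipal` also erases the realm, so under a cross-realm trust `kafka/<host>@OTHER.REALM` maps to the same `kafka` identity as the local brokers. If that is not what you want, keep the realm, or use a rule that only matches the realm you expect, as the last constructed rule in the demo does.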
