Want some practical example how to use kafkaUser
I am using Kafka with the strimzi operator. I don't know how to use KafkaUser; can anyone please suggest to me where I should learn its practical implementation? I just created a Kafka user and KafkaTopic and now I am totally blank about what to do. This is my KafkaUser yml code:
apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaUser
metadata:
  name: my-user
  labels:
    strimzi.io/cluster: my-cluster
spec:
  authentication:
    type: tls
  authorization:
    type: simple
    acls:
      # Example consumer Acls for topic my-topic using consumer group my-group
      - resource:
          type: topic
          name: my-topic
          patternType: literal
        operation: Read
        host: "*"
      - resource:
          type: topic
          name: my-topic
          patternType: literal
        operation: Describe
        host: "*"
      - resource:
          type: group
          name: my-group
          patternType: literal
        operation: Read
        host: "*"
      # Example Producer Acls for topic my-topic
      - resource:
          type: topic
          name: my-topic
          patternType: literal
        operation: Write
        host: "*"
      - resource:
          type: topic
          name: my-topic
          patternType: literal
        operation: Create
        host: "*"
      - resource:
          type: topic
          name: my-topic
          patternType: literal
        operation: Describe
        host: "*"
and this is my KafkaTopic yml file code:
apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaTopic
metadata:
  name: my-topic
  labels:
    strimzi.io/cluster: my-cluster
spec:
  partitions: 1
  replicas: 1
  config:
    retention.ms: 7200000
    segment.bytes: 1073741824

If you enabled the tls authentication on the user I would expect that in your Kafka custom resource you have authentication enabled as well. When the KafkaUser is created with this authentication type, a corresponding Secret is generated with user private key and certificate for the mutual TLS authentication with the broker. You have to extract key and certificate from the Secret and configure your keystore in your client application (it depends on the language you are using. If it's Java you can just extract the keystore directly from the Secret in P12 format with corresponding password). If it's Java you can refer to the official Kafka doc for setting up keystore and truststore when extracted from the Secrets: https://kafka.apache.org/documentation/#security_configclients
Having mutual TLS authentication enabled means that you also have to connect via TLS to the brokers (you have enabled it in the Kafka resource), so you have to extract the certificate from the cluster CA Secret and import it into your truststore. At that point the client will be able to connect and be authenticated, and the ACLs you described will be applied.
More info is in the official documentation:
About user authentication: https://strimzi.io/docs/operators/master/using.html#con-securing-client-authentication-str
About clients running on Kubernetes connecting to the cluster: https://strimzi.io/docs/operators/master/using.html#configuring-internal-clients-to-trust-cluster-ca-str
About clients running outside Kubernetes connecting to the cluster: https://strimzi.io/docs/operators/master/using.html#configuring-external-clients-to-trust-cluster-ca-str
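
The steps described in the answer, scripted for a Java client as an added example (not part of the original answer and not Strimzi's own code): it decodes the keystore and truststore from the two Secrets, writes them owner-readable only, and returns the matching Kafka client properties. The Secret names (`my-user`, `my-cluster-cluster-ca-cert`), the field names (`user.p12`, `user.password`, `ca.p12`, `ca.password`) and the bootstrap address are assumptions to check against your cluster; the Secret contents below are constructed sample data.

```python
import base64
import os
import tempfile

def _b64(raw):
    return base64.b64encode(raw).decode()

# Constructed stand-ins for `kubectl get secret <name> -o json` (field names assumed).
USER_SECRET = {"metadata": {"name": "my-user"}, "data": {
    "user.p12": _b64(b"constructed-user-keystore"),
    "user.password": _b64(b"constructed-keystore-pass")}}
CA_SECRET = {"metadata": {"name": "my-cluster-cluster-ca-cert"}, "data": {
    "ca.p12": _b64(b"constructed-ca-truststore"),
    "ca.password": _b64(b"constructed-truststore-pass")}}

def field(secret, key):
    """Base64-decode one Secret field, failing loudly if it is absent."""
    try:
        return base64.b64decode(secret["data"][key], validate=True)
    except KeyError:
        raise KeyError(f"{secret['metadata']['name']} has no field {key!r}") from None

def write_private(path, data):
    """Write key material with mode 0600 so only the owner can read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def build_client_config(user_secret, ca_secret, out_dir, bootstrap):
    """Materialise keystore and truststore, return Kafka client properties."""
    keystore = os.path.join(out_dir, "user.p12")
    truststore = os.path.join(out_dir, "ca.p12")
    write_private(keystore, field(user_secret, "user.p12"))
    write_private(truststore, field(ca_secret, "ca.p12"))
    return {
        "bootstrap.servers": bootstrap,
        "security.protocol": "SSL",  # TLS to the broker, client cert for mutual auth
        "ssl.keystore.type": "PKCS12",
        "ssl.keystore.location": keystore,
        "ssl.keystore.password": field(user_secret, "user.password").decode(),
        "ssl.truststore.type": "PKCS12",
        "ssl.truststore.location": truststore,
        "ssl.truststore.password": field(ca_secret, "ca.password").decode(),
    }

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # bootstrap address is an assumption
        props = build_client_config(USER_SECRET, CA_SECRET, d, "my-cluster-kafka-bootstrap:9093")
        print("\n".join(f"{k}={v}" for k, v in props.items()))
```

The printed properties contain the keystore and truststore passwords, so the resulting file needs the same restrictive permissions as the stores themselves.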