密码文件而不是kafka ssl设置中的纯文本密码
[英]Password file instead plain text password in kafka ssl setup
问题描述
If a system generates password and keys per host and copies (there are approx 50 hosts with differnt passwords) them to specified location on each host
如果系统为每个主机生成密码和密钥并将它们复制(大约有 50 台具有不同密码的主机)到每个主机上的指定位置
i.e. on host host1
/a/b/c/xyj_host1.p12
/a/b/c/xyj_host1.p12.pwd
In server.properties file of kafka I want to specify file location instead plain password for kafka (reason: I deploy on those 50+ servers using Ansible and its security hole if I have to specify password at the time of deployment)在 kafka 的server.properties文件中,我想指定文件位置而不是 kafka 的普通密码(原因:如果我必须在部署时指定密码,我使用 Ansible 及其安全漏洞部署在这 50 多台服务器上)
ssl.truststore.location=/a/b/c/xyj_host1.p12
# instead of passoword I want to specify the file which contains password
ssl.truststore.password=/a/b/c/xyj_host1.p12.pwd
How can I make above happen?我怎样才能使上述发生?
1 个解决方案
解决方案1
0 2021-04-18 14:26:26
Kafka Connect can externalize secrets to files, but the brokers cannot Kafka Connect 可以将机密外部化到文件中,但代理不能
If you want to protect secrets in Ansible, then Ansible Vault seems to be the solution there, as far as the broker goes, restrict the file permissions to the server properties如果您想保护 Ansible 中的机密,那么 Ansible 保险库似乎是那里的解决方案,就经纪人而言,将文件权限限制为服务器属性
There are other solutions still that could combine Hashicorp Vault with a templated property file (consul-template), but you'd still have a plaintext Vault token floating around, so really depends on how much you want to obfuscate your security还有其他解决方案可以将 Hashicorp Vault 与模板属性文件 (consul-template) 结合起来,但您仍然会有一个纯文本 Vault 令牌浮动,因此实际上取决于您想要混淆安全性的程度
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.