[英]Select proper KafkaUser authentication type?
Maybe I miss something, if so forgive my ignorance.也许我错过了什么,如果是这样,请原谅我的无知。
Here what we have:这里我们有:
If I decide to avoid using SSL certificate, because of 2 reasons:如果我决定避免使用 SSL 证书,原因有两个:
Would be the SCRAM-SHA-512 authentication type for KafkaUser a better (and the only?) choice for the two reasons above?由于上述两个原因,KafkaUser 的 SCRAM-SHA-512 身份验证类型会是更好的(也是唯一的?)选择吗? Or SCRAM-SHA-512 also requires SSL certificates?
还是 SCRAM-SHA-512 也需要 SSL 证书?
Another approach I saw was no authentication, but I am not sure how can ACL be used for such users?我看到的另一种方法是不进行身份验证,但我不确定 ACL 如何用于此类用户? How I pass to server information which user is connecting.
我如何将用户正在连接的服务器信息传递给服务器。 Is it possible to use both ACL and not authenticated by SSL certificate or by password Kafka user?
是否可以同时使用 ACL 而不是通过 SSL 证书或密码 Kafka 用户进行身份验证?
[UPD] Environment is built on Strimzi (Apache Kafka cluster in OpenShift) [UPD]环境建立在 Strimzi(OpenShift 中的 Apache Kafka 集群)之上
Using SCRAM-SHA-512 does not require TLS.使用 SCRAM-SHA-512 不需要 TLS。 So you can just disable the TLS encryption in the
Kafka
custom resource ( .spec.kafka.listeners
-> set tls: false
), enable he SCRAM-SHA-512 authentication (same place, in the authentication
section).因此,您可以在
Kafka
自定义资源( .spec.kafka.listeners
-> set tls: false
)中禁用 TLS 加密,启用他的 SCRAM-SHA-512 身份验证(在同一位置,在authentication
部分中)。 And then you just use the KafkaUser
to create the user and get the password.然后您只需使用
KafkaUser
创建用户并获取密码。
In general, TLS encryption is normally always recommended.一般来说,通常总是推荐使用 TLS 加密。 But the SCRAM-SHA mechanisms do not send the password over the network directly, so using it without encryption should not leak the password.
但 SCRAM-SHA 机制不会直接通过网络发送密码,因此在不加密的情况下使用它不会泄露密码。 At the end, it is up to you to decide.
最后,由您决定。
Also, just as a sidenote - the certificates are for 1 year by default.此外,作为旁注 - 默认情况下,证书有效期为 1 年。 You can change it in the
Kafka
CR.您可以在
Kafka
CR 中更改它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.