
KAFKA SSL connectivity using pem key and client certificate

I am able to connect to Kafka and read data from the CLI (bin/kafka-console-consumer.sh) using the SSL details below in client.properties

ssl.keystore.location=/test/keystore.jks
ssl.keystore.password=abcd1234
ssl.key.password=abcd1234
Command: bin/kafka-console-consumer.sh --bootstrap-server 'server details'  --topic topic_name --consumer.config client.properties --group group-id

But I am unable to connect from Python or Spark using the same data

from kafka import KafkaConsumer

consumer = KafkaConsumer(
    topic,
    bootstrap_servers=bootstrap_server,
    security_protocol='SSL',
    sasl_mechanism='PLAIN',        # only used with SASL_* protocols; ignored for plain SSL
    ssl_certfile='certificate.pem',  # client certificate (PEM)
    ssl_keyfile='pk.key',            # client private key (PEM)
)

I tried changing multiple options in the above code, like adding check_host_name etc., but no luck. Kafka is not owned by our team; a different team manages it, and when we request access we get a private key and certificate along with a CA bundle and an ARN name.

From Spark (Python), I tried the code below

# the chained calls must be wrapped in parentheses to span multiple lines in Python
sdf1 = (spark.readStream.format("kafka")
        .option("kafka.bootstrap.servers", bootstrap_server)
        .option("subscribe", topic_name)
        .option("startingOffsets", "latest")
        .option("kafka.security.protocol", "SSL")
        .option("kafka.ssl.keystore.location", 'keystore.jks')
        .option("kafka.ssl.keystore.password", '****')
        .option("kafka.ssl.key.password", '****')
        .load())

I am getting an error like "org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to access group: spark-kafka-source-xxxxxxx-xxxxx-xxxxx"

The above error would be related to Spark generating a unique group id every time it accesses the topic. Use of a group id in a Spark dataframe is allowed only in Spark 3.0 and above. I need an option to fix this in Spark 2.4.4.

Any suggestions would be appreciated.

You just need to give the principal you are using to authenticate access to the topic regardless of the consumer group. It would look like this:

kafka-acls --authorizer-properties zookeeper.connect=zk_ip_or_fqdn:2181 --add --allow-principal User:"userName" --operation All --topic yourTopicName --group '*'

userName (the principal name) in your case will be the subject name of your SSL certificate, in the form "CN=toto,OU=titi,...".
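An added check, not part of the question or answer above, assuming the openssl CLI is installed and the certificate and key are PEM files: derive the principal name to put in the ACL from the client certificate, and confirm that the certificate and private key actually belong together (a mismatched pair is a common reason a PEM cert/key fails where the JKS keystore worked).

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI is
# available and that certificate.pem / pk.key are PEM encoded.

# Print the Kafka principal for a PEM client certificate. With the default
# principal builder (and no ssl.principal.mapping.rules on the broker) a
# client authenticated by certificate is seen as "User:<subject DN in RFC 2253
# form>", which is the value to give to kafka-acls --allow-principal.
# For plain CN/OU/O subjects openssl's RFC2253 output matches what the broker
# logs; exotic attribute types may be rendered differently by Java.
kafka_principal_from_cert() {
    cert="$1"
    dn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
         | sed 's/^subject= *//') || return 1
    [ -n "$dn" ] || return 1
    printf 'User:%s\n' "$dn"
}

# Return 0 when the private key's public half matches the certificate's
# SubjectPublicKeyInfo, i.e. the pair can be used for client authentication.
cert_matches_key() {
    cert="$1"
    key="$2"
    cert_spki=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
    key_spki=$(openssl pkey -in "$key" -pubout | openssl dgst -sha256)
    [ -n "$cert_spki" ] && [ "$cert_spki" = "$key_spki" ]
}

# Usage:
#   kafka_principal_from_cert certificate.pem   -> User:CN=toto,OU=titi,...
#   cert_matches_key certificate.pem pk.key && echo "cert/key pair OK"
```

Pass the printed principal to kafka-acls unchanged, including the full DN after "User:".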
