[英]Kafka Security implementation issue SASL SSL and SCRAM
我在启动 kafka 服务器时遇到错误,已经设置了 SSL 并且它对 kafka 3 代理工作正常。 而且zookeeper也设置了SSL
现在尝试从服务器属性文件为 kafka 代理设置带有 SASL_SSL 的 SCRAM。
它不起作用我使用以下命令创建了一个用户
kafka-configs.sh --zookeeper localhost:2182 --zk-tls-config-file zookeeper-client.properties --entity-type users --entity-name broker-admin --alter --add-config 'SCRAM-SHA-512=[password=DEM123]'
我可以看到用户已创建。
但是在尝试运行命令以运行 kafka 代理时
kafka-server-start.sh -daemon server-0.properties
我检查了 server.log 文件时出现了一些错误
[2021-10-05 16:21:38,369] ERROR [KafkaServer id=0] Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /config/users/broker-admin
有人可以支持我吗?
让我分享我的 zookeeper.properpties 文件
dataDir=/var/www/kafka/data/zookeeper
clientPort=2181
secureClientPort=2182
authProvider.x509=org.apache.zookeeper.server.auth.X509AuthenticationProvider
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.trustStore.location=/var/www/kafka/ssl/kafka.zookeeper.truststore.jks
ssl.trustStore.password=zookeepbook
ssl.keyStore.location=/var/www/kafka/ssl/kafka.zookeeper.keystore.jks
ssl.keyStore.password=zookeepbook
ssl.clientAuth=need
maxClientCnxns=0
admin.enableServer=true
admin.serverPort=9090
server.1=localhost:2888:3888
server.properties 文件内容:
broker.id=0
listeners=SASL_SSL://localhost:9092
advertised.listeners=SASL_SSL://localhost:9092
zookeeper.connect=localhost:2182
log.dirs=/var/www/kafka/data/broker-0
num.network.threads=3
num.io.threads=8
socket.send.buffer.bytes=102400
socket.receive.buffer.bytes=102400
socket.request.max.bytes=104857600
num.partitions=3
num.recovery.threads.per.data.dir=1
offsets.topic.replication.factor=1
transaction.state.log.replication.factor=1
transaction.state.log.min.isr=1
log.retention.hours=168
log.segment.bytes=1073741824
log.retention.check.interval.ms=300000
zookeeper.connection.timeout.ms=18000
group.initial.rebalance.delay.ms=0
zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
zookeeper.ssl.client.enable=true
zookeeper.ssl.protocol=TLSv1.2
zookeeper.ssl.truststore.location=/var/www/kafka/ssl/kafka.broker-0.truststore.jks
zookeeper.ssl.truststore.password=zookeepbookbrk0
zookeeper.ssl.keystore.location=/var/www/kafka/ssl/kafka.broker-0.keystore.jks
zookeeper.ssl.keystore.password=zookeepbookbrk0
zookeeper.set.acl=true
ssl.truststore.location=/var/www/kafka/ssl/kafka.broker-0.truststore.jks
ssl.truststore.password=zookeepbookbrk0
ssl.keystore.location=/var/www/kafka/ssl/kafka.broker-0.keystore.jks
ssl.keystore.password=zookeepbookbrk0
ssl.key.password=zookeepbookbrk0
security.inter.broker.protocol=SASL_SSL
ssl.client.auth=none
ssl.protocol=TLSv1.2
sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
listener.name.sasl_ssl.scram-sha-512.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username='broker-admin' password=DEM123;
super.users=User:broker-admin
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
您可以尝试将 'skipACL=yes' 设置为您的 zookeeper.properties 吗? 如果您在创建“broker-admin”用户时使用 SSL 客户端证书对 Zookeeper 进行了身份验证,我认为这是因为从您执行命令的位置以外的访问被拒绝。
带有 SSL 选项的 Kafka SASL/Plain 和带有 SSL 的 Kafka SASL/Scram
[英]Kafka SASL/Plain with SSL options and Kafka SASL/Scram with SSL
使用 SASL_SSL / PLAIN 连接时出现 Kafka AdminClient 错误
[英]Kafka AdminClient error when connecting using SASL_SSL / PLAIN
使用 SASL_SSL 创建 Kafka 源时出错:没有这样的文件
[英]Error during creation of Kafka Source with SASL_SSL: No such File
如何使用 SASL_SSL 和 GSSAPI 协议配置 Kafka 服务器
[英]How to configure Kafka server with SASL_SSL and GSSAPI protocols
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.