用於代理間通信的Kafka SSL身份驗證問題
[英]Kafka SSL Authentication Issues for inter-broker communication
問題描述
我目前正在使用SSL身份驗證配置Apache Kafka,並在啟動服務時遇到錯誤。 看起來代理正常啟動(領導者選舉等似乎發生),但是一旦任何集群操作開始發生,我就會在日志中不斷得到以下錯誤。
[2019-05-16 11:04:00,351] INFO [Controller id=1, targetBrokerId=1] Failed authentication with XXXX/YYYY (SSL handshake failed) (org.apache.kafka.common.network.Selector)
[2019-05-16 11:04:00,351] DEBUG [Controller id=1, targetBrokerId=1] Node 1 disconnected. (org.apache.kafka.clients.NetworkClient)
[2019-05-16 11:04:00,351] DEBUG An authentication error occurred in broker-to-broker communication. (org.apache.kafka.clients.ManualMetadataUpdater)
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLProtocolException: Handshake message sequence violation, 2
嘗試重新創建密鑰和信任存儲,嘗試從內部代理偵聽器中刪除SSL(這會導致ANONYMOUS主體,我不想授予對任何資源的訪問權限)。
解釋我的配置:
- 使用SSL主體構建器運行Kafka 2.2
- 我有3個偵聽器設置 - 一個在公共接口上,兩個在私有接口上(一個用於代理間通信,一個用於內部消費者)
- 所有3個偵聽器都啟用了SSL
- 每個監聽器都綁定到它自己的密鑰和信任存儲(因為我需要能夠為內部地址提供不同的證書,以及能夠信任不同的簽名CA),並為每個密鑰/密鑰庫提供SSL密鑰密碼。
- 證書是使用本地生成的密鑰創建的,本地CSR生成,然后由在CFSSL多根上運行的CA簽名。
- 然后使用密鑰(相同密碼),簽名證書和導入的CA證書創建密鑰庫。
- 創建了Truststore,並在此處添加了證書頒發CA.
#Kafka Server Properties Configuration
#Broker and listener configuration
broker.id=1
listeners=egress://address1:9093,inter://address1:9094,ingest://address2:9092
advertised.listeners=egress://address1:9093,inter://address1:9094,ingest://address2:9092
listener.security.protocol.map=egress:SSL,inter:SSL,ingest:SSL
inter.broker.listener.name=inter
##
#Listener Trust and Keystore Configurations
#egress configuration
listener.name.egress.ssl.keystore.type=JKS
listener.name.egress.ssl.keystore.location=/data/kafka/pki/egress-keystore.jks
listener.name.egress.ssl.keystore.password=<redacted>
listener.name.egress.ssl.truststore.type=JKS
listener.name.egress.ssl.truststore.location=/data/kafka/pki/egress-truststore.jks
listener.name.egress.ssl.truststore.password=<redacted>
listener.name.egress.ssl.key.password=<redacted>
listener.name.egress.ssl.client.auth=required
listener.name.egress.ssl.principal.mapping.rules=RULE:^.*[Oo][Uu]=([a-zA-Z0-9.-]*).*$/$1/L,DEFAULT
##
#inter configuration
listener.name.inter.ssl.keystore.type=JKS
listener.name.inter.ssl.keystore.location=/data/kafka/pki/inter-keystore.jks
listener.name.inter.ssl.keystore.password=<redacted>
listener.name.inter.ssl.truststore.type=JKS
listener.name.inter.ssl.truststore.location=/data/kafka/pki/inter-truststore.jks
listener.name.inter.ssl.truststore.password=<redacted>
listener.name.inter.ssl.key.password=<redacted>
listener.name.inter.ssl.client.auth=requested
listener.name.inter.ssl.principal.mapping.rules=RULE:^.*[Oo][Uu]=([a-zA-Z0-9.-]*).*$/$1/L,DEFAULT
##
#ingest configuration
listener.name.ingest.ssl.keystore.type=JKS
listener.name.ingest.ssl.keystore.location=/data/kafka/pki/ingest-keystore.jks
listener.name.ingest.ssl.keystore.password=<redacted>
listener.name.ingest.ssl.truststore.type=JKS
listener.name.ingest.ssl.truststore.location=/data/kafka/pki/ingest-truststore.jks
listener.name.ingest.ssl.truststore.password=<redacted>
listener.name.ingest.ssl.key.password=<redacted>
listener.name.ingest.ssl.client.auth=required
listener.name.ingest.ssl.principal.mapping.rules=RULE:^.*[Oo][Uu]=([a-zA-Z0-9.-]*).*$/$1/L,DEFAULT
##
#Generic SSL Configuration
ssl.keystore.type=JKS
ssl.keystore.location=/data/kafka/pki/inter-keystore.jks
ssl.keystore.password=<redacted>
ssl.truststore.type=JKS
ssl.truststore.location=/data/kafka/pki/inter-truststore.jks
ssl.truststore.password=<redacted>
ssl.key.password=<redacted>
ssl.client.auth=requested
ssl.principal.mapping.rules=RULE:^.*[Oo][Uu]=([a-zA-Z0-9.-]*).*$/$1/L,DEFAULT
ssl.enabled.protocols=TLSv1.2
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
allow.everyone.if.no.acl.found=false
super.users=User:<redacted>
##
#General configuration
auto.create.topics.enable=False
delete.topic.enable=True
log.dir=/var/log/kafka
log.retention.hours=24
log.cleaner.enable=True
log.cleanup.policy=delete
log.retention.check.interval.ms=3600000
min.insync.replicas=2
replication.factor=3
default.replication.factor=3
num.partitions=50
offsets.topic.num.partitions=50
offsets.topic.replication.factor=3
transaction.state.log.min.isr=2
transaction.state.log.num.partitions=50
num.replica.fetchers=4
auto.leader.rebalance.enable=True
leader.imbalance.check.interval.seconds=60
transactional.id.expiration.ms=10000
unclean.leader.election.enable=False
zookeeper.connect=zookeeper:2180
zookeeper.session.timeout.ms=100
controlled.shutdown.enable=True
broker.rack=rack1
1 個解決方案
解決方案1
0 2019-07-02 22:16:08
您是否按照描述的順序將證書插入密鑰庫? 首先設置ca,然后是ca簽名的證書以正確獲得信任鏈可能很重要。
無法使用 SSL 在 Kafka 中找出 inter.broker.listener.name 的設置
[英]Can't figure out setting for inter.broker.listener.name in Kafka with SSL
使用 SSL 啟動 Kafka Broker 給出 SSLHandShakeError
[英]Starting Kafka Broker with SSL give SSLHandShakeError
如何確定在 kafka 代理的偵聽器端口上是否強制使用 SSL/TLS?
[英]How to find out if SSL/TLS is mandatory on a listener port of kafka broker?
Kafka Broker SSL - NoAuth 異常 - KeeperErrorCode NoAuth for /brokers/ids
[英]Kafka Broker SSL - NoAuth Exception - KeeperErrorCode NoAuth for /brokers/ids
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.
相關問題
Kafka內部代理SSL握手失敗
無法使用 SSL 在 Kafka 中找出 inter.broker.listener.name 的設置
SSL的單節點間通信
kafka 2路ssl認證
使用 SSL 啟動 Kafka Broker 給出 SSLHandShakeError
在Apache spark和Kafka代理之間啟用SSL
為Kafka設置SSL是否會影響Zookeeper通信
Kafka /為什么應該為每個經紀人生成ssl密鑰?
如何確定在 kafka 代理的偵聽器端口上是否強制使用 SSL/TLS?
Kafka Broker SSL - NoAuth 異常 - KeeperErrorCode NoAuth for /brokers/ids
相關標簽