serviceName在kafka的jaas.conf配置中的含义

Posted 数客联盟

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了serviceName在kafka的jaas.conf配置中的含义相关的知识,希望对你有一定的参考价值。

本文使用的是HDP-2.6.0.3版本,在kafka_jaas.conf配置文件中有个配置项叫做serviceName,在使用storm 访问 kerberos kafka中的方法进行测试的时候发现,如果没有配置serviceName会报错No serviceName defined in either JAAS or Kafka config的错误,本文将会分析serviceName究竟是什么。

Kaffka 0.10.0源码分析

通过上面的报错可以定位到是org.apache.kafka.common.security.kerberos.KerberosLogin中到getServiceName方法返回到错误信息

private String getServiceName(Map<String, ?> configs, String loginContext) {
   String jaasServiceName;
   try {
       jaasServiceName = JaasUtils.jaasConfig(loginContext, JaasUtils.SERVICE_NAME);
   } catch (IOException e) {
       throw new KafkaException("Jaas configuration not found", e);
   }
   String configServiceName = (String) configs.get(SaslConfigs.SASL_KERBEROS_SERVICE_NAME);
   if (jaasServiceName != null && configServiceName != null && !jaasServiceName.equals(configServiceName)) {
       String message = "Conflicting serviceName values found in JAAS and Kafka configs " +
           "value in JAAS file " + jaasServiceName + ", value in Kafka config " + configServiceName;
       throw new IllegalArgumentException(message);
   }

   if (jaasServiceName != null)
       return jaasServiceName;
   if (configServiceName != null)
       return configServiceName;

   throw new IllegalArgumentException("No serviceName defined in either JAAS or Kafka config");
}

这段代码中,如果jaas文件中没有配置serviceName就会返回sasl.kerberos.service.name的参数值,而这个参数的含义

The Kerberos principal name that Kafka runs as. This can be defined either in Kafka's JAAS config or in Kafka's config.

下面是关于Kerberos principal的定义

A Kerberos principal is a unique identity to which Kerberos can assign tickets. Principals can have an arbitrary number of components. Each component is separated by a component separator, generally '/'. The last component is the realm, separated from the rest of the principal by the realm separator, generally '@'. If there is no realm component in the principal, then it will be assumed that the principal is in the default realm for the context in which it is being used.Traditionally, a principal is divided into three parts: the primary, the instance, and the realm. The format of a typical Kerberos V5 principal is primary/instance@REALM.The primary is the first part of the principal. In the case of a user, it's the same as your username. For a host, the primary is the word host.The instance is an optional string that qualifies the primary. The instance is separated from the primary by a slash (/). In the case of a user, the instance is usually null, but a user might also have an additional principal, with an instance called admin, which he/she uses to administrate a database. The principal jennifer@ATHENA.MIT.EDUis completely separate from the principal jennifer/admin@ATHENA.MIT.EDU, with a separate password, and separate permissions. In the case of a host, the instance is the fully qualified hostname, e.g., daffodil.mit.edu.The realm is your Kerberos realm. In most cases, your Kerberos realm is your domain name, in upper-case letters. For example, the machine daffodil.example.com would be in the realm EXAMPLE.COM.

所以结合上面的描述,准确的对serviceName的定义应该是kafka principal的primary的值。

在代码中serviceName是在org.apache.kafka.common.network.SaslChannelBuilderbuildChannel中使用的

authenticator = new SaslClientAuthenticator(id, loginManager.subject(), loginManager.serviceName(),
                       socketChannel.socket().getInetAddress().getHostName(), clientSaslMechanism, handshakeRequestEnable);


以上是关于serviceName在kafka的jaas.conf配置中的含义的主要内容,如果未能解决你的问题,请参考以下文章

在计算机“。”上找不到服务 ServiceName

_servicename_ 中的下划线在 AngularJS 测试中是啥意思?

bootstrap配置Nacos出现Param ‘serviceName‘ is illegal, serviceName is blank

centos7 systemctl status servicename执行慢的问题

AngularJS)TypeError:serviceName.functionName()不是函数

JDBC中Oracle的SID和ServiceName两种方式的连接字符串格式