Kafka SASL zookeeper 身份验证
Posted
技术标签:
【中文标题】Kafka SASL zookeeper 身份验证【英文标题】:Kafka SASL zookeeper authentication 【发布时间】:2017-09-14 03:53:34 【问题描述】:我在 Zookeeper 和代理身份验证上启用 SASL 时遇到以下错误。
[2017-04-18 15:54:10,476] DEBUG Size of client SASL token: 0
(org.apache.zookeeper.server.ZooKeeperServer)
[2017-04-18 15:54:10,476] ERROR cnxn.saslServer is null: cnxn object did not initialize its saslServer properly. (org.apache.zookeeper.server. ZooKeeperServer)
[2017-04-18 15:54:10,478] ERROR SASL authentication failed using login context 'Client'. (org.apache.zookeeper.client.ZooKeeperSaslClient)
[2017-04-18 15:54:10,478] DEBUG Received event: WatchedEvent state:AuthFailed type:None path:null (org.I0Itec.zkclient.ZkClient)
[2017-04-18 15:54:10,478] INFO zookeeper state changed (AuthFailed) (org.I0Itec.zkclient.ZkClient)
[2017-04-18 15:54:10,478] DEBUG Leaving process event (org.I0Itec.zkclient.ZkClient)
[2017-04-18 15:54:10,478] DEBUG Closing ZkClient... (org.I0Itec.zkclient.ZkClient)
[2017-04-18 15:54:10,478] INFO Terminate ZkClient event thread. (org.I0Itec.zkclient.ZkEventThread)
[2017-04-18 15:54:10,478] DEBUG Closing ZooKeeper connected to localhost:2181 (org.I0Itec.zkclient.ZkConnection)
[2017-04-18 15:54:10,478] DEBUG Close called on already closed client (org.apache.zookeeper.ZooKeeper)
[2017-04-18 15:54:10,478] DEBUG Closing ZkClient...done (org.I0Itec.zkclient.ZkClient)
[2017-04-18 15:54:10,480] FATAL Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.I0Itec.zkclient.exception.ZkAuthFailedException: Authentication failure
at org.I0Itec.zkclient.ZkClient.waitForKeeperState(ZkClient.java:947)
at org.I0Itec.zkclient.ZkClient.waitUntilConnected(ZkClient.java:924)
at org.I0Itec.zkclient.ZkClient.connect(ZkClient.java:1231)
at org.I0Itec.zkclient.ZkClient.<init>(ZkClient.java:157)
at org.I0Itec.zkclient.ZkClient.<init>(ZkClient.java:131)
at kafka.utils.ZkUtils$.createZkClientAndConnection(ZkUtils.scala:79)
at kafka.utils.ZkUtils$.apply(ZkUtils.scala:61)
at kafka.server.KafkaServer.initZk(KafkaServer.scala:329)
at kafka.server.KafkaServer.startup(KafkaServer.scala:187)
at kafka.server.KafkaServerStartable.startup(KafkaServerStartable.scala:39)
at kafka.Kafka$.main(Kafka.scala:67)
at kafka.Kafka.main(Kafka.scala)
[2017-04-18 15:54:10,482] INFO shutting down (kafka.server.KafkaServer)
以下配置在JAAS文件中给出,作为KAFKA_OPTS传递给JVM参数:-
KafkaServer
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret"
user_admin="admin-secret";
;
Client
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret";
;
kafka 代理的 server.properties 设置了以下额外字段:-
zookeeper.set.acl=true
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
ssl.client.auth=required
ssl.endpoint.identification.algorithm=HTTPS
ssl.keystore.location=path
ssl.keystore.password=anything
ssl.key.password=anything
ssl.truststore.location=path
ssl.truststore.password=anything
Zookeeper 属性如下:
authProvider.1=org.apache.zookeeper.server.auth.DigestAuthenticationProvider
jaasLoginRenew=3600000
requireClientAuthScheme=sasl
【问题讨论】:
好吧,我猜你不使用 SSL? 是的,我不想在 zookeeper 和 broker 之间使用 ssl。但是为kafka客户端通信设置了ssl。 @M.Situation 我已经添加了 ssl 配置,我用于 kafka 客户端和 kafka 代理 好的。让我看看 @M.Situation 任何想法,如果我缺少一些配置。我的主要目标是保护 zookeeper 和 kafka 代理通信,以及保护 zookeeper 客户端到 zookeeper 服务器身份验证 【参考方案1】:我通过将日志级别提高到 DEBUG 来发现问题。基本上遵循以下步骤。我不使用 SSL,但您可以毫无问题地集成它。
以下是我的配置文件:
server.properties
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
allow.everyone.if.no.acl.found=true
auto.create.topics.enable=false
broker.id=0
listeners=SASL_PLAINTEXT://localhost:9092
advertised.listeners=SASL_PLAINTEXT://localhost:9092
num.network.threads=3
num.io.threads=8
socket.send.buffer.bytes=102400
socket.receive.buffer.bytes=102400
socket.request.max.bytes=104857600
advertised.host.name=localhost
num.partitions=1
num.recovery.threads.per.data.dir=1
log.flush.interval.messages=30000000
log.flush.interval.ms=1800000
log.retention.minutes=30
log.segment.bytes=1073741824
log.retention.check.interval.ms=300000
delete.topic.enable=true
zookeeper.connect=localhost:2181
zookeeper.connection.timeout.ms=6000
super.users=User:admin
zookeeper.properties
dataDir=/tmp/zookeeper
clientPort=2181
maxClientCnxns=0
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl
jaasLoginRenew=3600000
producer.properties
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
bootstrap.servers=localhost:9092
compression.type=none
consumer.properties
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
zookeeper.connect=localhost:2181
zookeeper.connection.timeout.ms=6000
group.id=test-consumer-group
现在是使您的服务器正常启动的最重要文件:
zookeeper_jaas.conf
Server
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret"
user_admin="admin-secret";
;
kafka_server_jaas.conf
KafkaServer
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret"
user_admin="admin-secret";
;
Client
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret";
;
完成所有这些配置后,在第一个终端窗口上:
终端 1(启动 Zookeeper 服务器)
来自kafka根目录
$ export KAFKA_OPTS="-Djava.security.auth.login.config=/home/usename/Documents/kafka_2.11-0.10.1.0/config/zookeeper_jaas.conf"
$ bin/zookeeper-server-start.sh config/zookeeper.properties
终端 2(启动 Kafka 服务器)
来自kafka根目录
$ export KAFKA_OPTS="-Djava.security.auth.login.config=/home/usename/Documents/kafka_2.11-0.10.1.0/config/kafka_server_jaas.conf"
$ bin/kafka-server-start.sh config/server.properties
[开始更新]
kafka_client_jaas.conf
KafkaClient
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret";
;
3 号航站楼(启动 Kafka 消费者)
在客户端上,导出客户端 jaas conf 文件并启动消费者:
$ export KAFKA_OPTS="-Djava.security.auth.login.config=/home/username/Documents/kafka_2.11-0.10.1.0/kafka_client_jaas.conf"
$ ./bin/kafka-console-consumer.sh --new-consumer --zookeeper localhost:2181 --topic test-topic --from-beginning --consumer.config=config/consumer.properties --bootstrap-server=localhost:9092
4 号航站楼(启动 Kafka 生产者)
如果您还想制作,请在另一个终端窗口上执行此操作:
$ export KAFKA_OPTS="-Djava.security.auth.login.config=/home/username/Documents/kafka_2.11-0.10.1.0/kafka_client_jaas.conf"
$ ./bin/kafka-console-producer.sh --broker-list localhost:9092 --topic test-topic --producer.config=config/producer.properties
[结束更新]
【讨论】:
是的!它工作得很好。非常感谢您的帮助,自过去 2 天以来我一直在苦苦挣扎 只是想知道失败的真正原因。 Zookeeper 是否需要 Server 配置? 没错。这是丢失的部分 您的 zookeeper_jaas.conf 文件中有错字。 user_admin="admin-secret"; 末尾缺少分号; 我认为它需要一些更新,我已经尝试过这个并且我遇到了错误,因为 zookeeper 不支持 - PlainLoginModule,它使用 DigestLoginModule。因此更改将在 zookeeper_jaas.conf 和客户端部分的 kafka_server_jaas.conf /跨度> 【参考方案2】:你需要为 Zookeeper 创建一个 JAAS 配置文件并让它使用它。
为 Zookeeper 创建一个文件 JAAS 配置文件,内容如下:
Server
org.apache.zookeeper.server.auth.DigestLoginModule required
user_admin="admin-secret";
;
其中用户 (admin) 和密码 (admin-secret) 必须与您在 Kafka JAAS 配置文件的客户端部分中的用户名和密码匹配。
要让 Zookeeper 使用 JAAS 配置文件,请将以下 JVM 标志传递给 Zookeeper,指向之前创建的文件。
-Djava.security.auth.login.config=/path/to/server/jaas/file.conf"
如果你使用的是 Kafka 包中包含的 Zookeeper,你可以像这样启动 Zookeeper,假设你的 Zookeeper JAAS 配置文件位于 ./config/zookeeper_jaas.conf 中
EXTRA_ARGS=-Djava.security.auth.login.config=./config/zookeeper_jaas.conf ./bin/zookeeper-server-start.sh ./config/zookeeper.properties
【讨论】:
截至 2019 年 11 月,这是最新、最简洁的答案!以上是关于Kafka SASL zookeeper 身份验证的主要内容,如果未能解决你的问题,请参考以下文章