Granting Kafka users read and write permissions on Ambari HDP
Version: Kafka 2.0.0
Add the custom configuration
```bash
authorizer.class.name = kafka.security.auth.SimpleAclAuthorizer
super.users = User:admin
allow.everyone.if.no.acl.found = true
```
allow.everyone.if.no.acl.found
Only the conclusions from practice are given here.
In testing, this setting had an effect on consumer groups:
with false, consumption must use exactly the consumer group that was authorized;
with true, no consumer group needs to be specified.
If the parameter is not added, consuming in group mode fails with:
org.apache.kafka.common.errors.GroupAuthorizationException: Group authorization failed.
Fix:
allow.everyone.if.no.acl.found=true
Change the admin password
In practical testing, admin is a super user and bypasses authorization checks: as long as the password is correct, it can both read and write.
To be safe, change the password anyway; the two password fields must contain the same value for the change to be accepted.
Restart Kafka.
Granting read access
My configuration did not include the allow.everyone.if.no.acl.found setting.
Grant user saa read permission on topic A1 (for some reason the wildcard * did not work here):
```bash
./kafka-acls.sh --authorizer-properties zookeeper.connect=test-master1:2181 --add --allow-principal User:sunway --operation Read --topic A1
```
Changing --add to --remove removes the permission:
```bash
./kafka-acls.sh --authorizer-properties zookeeper.connect=test-master1:2181 --remove --allow-principal User:sunway --operation Read --topic A1
```
Granting write access
```bash
kafka-acls.sh --authorizer-properties zookeeper.connect=test-master1:2181 --add --allow-principal User:sun --operation Write --topic A1
```
Changing --add to --remove removes the permission.
Granting read and write at the same time
```bash
./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=test-master1:2181 --add --allow-principal User:my_read_write --operation Read --group test-py-3 --topic TSET-2024042401 --operation Write --topic TSET-2024042401
```
**Grant write permission**
```bash
./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=test-master1:2181 --add --allow-principal User:my_only_write --operation Write --topic TSET-2024042401
```
**Grant read permission**
```bash
./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=test-master1:2181 --add --allow-principal User:sunway --operation Read --group ioi --topic kafka_vip_info
```
List the current ACLs:
```bash
./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=test-master1:2181 --list
```
Working wildcard
```bash
# Invalid command
./kafka-acls.sh --authorizer-properties zookeeper.connect=test-master1:2181 --add --allow-principal User:sunway --operation Read --topic *
# Valid command
./kafka-acls.sh --authorizer-properties zookeeper.connect=test-master1:2181 --add --allow-principal User:sunway --operation Read --topic '*'
# The wildcard * must be wrapped in single quotes; otherwise the shell expands it to the file names in the current directory before kafka-acls.sh sees it
```
Some examples
```bash
./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=myhostname:2181 --add --allow-principal User:z1 --operation Write --topic '*'
./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=myhostname:2181 --add --allow-principal User:z2 --operation Write --topic '*'
./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=myhostname:2181 --add --allow-principal User:z3 --operation Write --topic '*'
./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=myhostname:2181 --add --allow-principal User:z4 --operation Write --topic '*'
./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=myhostname:2181 --add --allow-principal User:z5 --operation Write --topic '*'
./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=myhostname:2181 --add --allow-principal User:z6 --operation Write --topic '*'
./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=myhostname:2181 --add --allow-principal User:c1 --operation Write --topic '*'
./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=myhostname:2181 --add --allow-principal User:z8 --operation Write --topic '*'
./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=myhostname:2181 --add --allow-principal User:z9 --operation Write --topic '*'
./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=myhostname:2181 --add --allow-principal User:z10 --operation Write --topic '*'
./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=myhostname:2181 --add --allow-principal User:z11 --operation Write --topic '*'
./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=myhostname:2181 --add --allow-principal User:w1 --operation Write --topic '*'
./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=myhostname:2181 --add --allow-principal User:z12 --operation Write --topic '*'
./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=myhostname:2181 --add --allow-principal User:z13 --operation Write --topic '*'
./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=myhostname:2181 --add --allow-principal User:z14 --operation Write --topic '*'
./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=myhostname:2181 --add --allow-principal User:s1 --operation Read --topic '*'
```
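Once many users hold Write on the '*' topic as above, the next thing to check is who actually has cluster-wide write access. This added audit script (not part of the original post) parses the text printed by `kafka-acls.sh --list` into structured entries and flags every Allow entry that grants Write or All on the wildcard topic; the sample output below is constructed in the Kafka 2.0 `--list` format, and the grant names are taken from the commands above.

```python
import re

# Constructed sample of `kafka-acls.sh --list` output (Kafka 2.0 format),
# not captured from a real cluster. Note that with
# allow.everyone.if.no.acl.found=true, any topic missing from this listing
# is open to every authenticated user, so an empty audit is not a clean bill.
SAMPLE_LIST_OUTPUT = """\
Current ACLs for resource `Topic:LITERAL:A1`:
 \tUser:sunway has Allow permission for operations: Read from hosts: *

Current ACLs for resource `Topic:LITERAL:*`:
 \tUser:z1 has Allow permission for operations: Write from hosts: *
 \tUser:s1 has Allow permission for operations: Read from hosts: *

Current ACLs for resource `Group:LITERAL:test-py-3`:
 \tUser:my_read_write has Allow permission for operations: Read from hosts: *
"""

RESOURCE_RE = re.compile(r"Current ACLs for resource `(\w+):(\w+):(.+)`:")
ACL_RE = re.compile(
    r"(\S+) has (Allow|Deny) permission for operations: (\w+) from hosts: (\S+)")


def parse_acl_list(text):
    """Turn --list output into one dict per ACL entry, carrying its resource."""
    acls = []
    resource = None
    for line in text.splitlines():
        m = RESOURCE_RE.search(line)
        if m:
            # Resource header: type (Topic/Group/...), pattern type, and name.
            resource = {"type": m.group(1), "pattern": m.group(2), "name": m.group(3)}
            continue
        m = ACL_RE.search(line)
        if m and resource:
            acls.append({**resource, "principal": m.group(1), "permission": m.group(2),
                         "operation": m.group(3), "host": m.group(4)})
    return acls


def find_broad_grants(acls):
    """Allow entries that let a principal write to every topic ('*' name)."""
    return [a for a in acls
            if a["type"] == "Topic" and a["name"] == "*"
            and a["permission"] == "Allow" and a["operation"] in ("Write", "All")]


if __name__ == "__main__":
    for grant in find_broad_grants(parse_acl_list(SAMPLE_LIST_OUTPUT)):
        print(f"{grant['principal']} can {grant['operation']} to all topics "
              f"from hosts {grant['host']}")
```

Pipe the real `--list` output into `parse_acl_list` to run the same check against a live cluster.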