Enabling Kerberos on Kafka

Part 1: Basic environment preparation

1. Create the Kerberos principals

Use kadmin.local or kadmin to create a Kerberos principal for the ZooKeeper service and for the Kafka service on each node. For example:

Note: create one principal per machine, so three of each for a three-node cluster.

```shell
kadmin.local -q "addprinc -randkey zookeeper/[email protected]"
kadmin.local -q "addprinc -randkey zookeeper/[email protected]"
kadmin.local -q "addprinc -randkey zookeeper/[email protected]"
kadmin.local -q "addprinc -randkey kafka/[email protected]"
kadmin.local -q "addprinc -randkey kafka/[email protected]"
kadmin.local -q "addprinc -randkey kafka/[email protected]"
```

2. Verify that the principals were created

```shell
kadmin.local -q "listprincs"
```
```
[root@dshieldcdh02 ~]# kadmin.local -q "listprincs"
Authenticating as principal root/[email protected] with password.
K/[email protected]
host/[email protected]
host/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kafka/[email protected]
kafka/[email protected]
kafka/[email protected]
kiprop/[email protected]
krbtgt/[email protected]
root/[email protected]
zookeeper/[email protected]
zookeeper/[email protected]
zookeeper/[email protected]
```

3. Create the keytab

```shell
mkdir /etc/security/keytabs/
kadmin.local -q "xst -k /etc/security/keytabs/kafka.keytab kafka/[email protected]"
kadmin.local -q "xst -k /etc/security/keytabs/kafka.keytab kafka/[email protected]"
kadmin.local -q "xst -k /etc/security/keytabs/kafka.keytab kafka/[email protected]"
```

The zookeeper.keytab used in the following steps is produced the same way: an `xst -k /etc/security/keytabs/zookeeper.keytab` for each zookeeper/... principal.

4. Verify the keytab contents

```shell
klist -kt /etc/security/keytabs/zookeeper.keytab
klist -kt /etc/security/keytabs/kafka.keytab
kinit -kt /etc/security/keytabs/zookeeper.keytab zookeeper/[email protected]
```

5. Copy the keytab files to the other two ZooKeeper nodes; the keytabs cannot be used there until the files are in place.

```shell
scp /etc/security/keytabs/*keytab root@dshieldcdh01:/etc/security/keytabs/
scp /etc/security/keytabs/*keytab root@dshieldcdh03:/etc/security/keytabs/
```

6. Verify on the other machines that the keytab is usable

```shell
kinit -kt /etc/security/keytabs/zookeeper.keytab zookeeper/[email protected]
```

Part 2: ZooKeeper Kerberos configuration

1. Configure ZooKeeper's JAAS file

Create a JAAS configuration file (for example zookeeper_jaas.conf) in ZooKeeper's conf directory with the following content:

```
Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab="/etc/security/keytabs/zookeeper.keytab"
  principal="zookeeper/[email protected]"
  useTicketCache=false;
};
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab="/etc/security/keytabs/zookeeper.keytab"
  principal="zookeeper/[email protected]"
  useTicketCache=false;
};
```

Adjust principal and the keyTab path to match your environment.

2. Add the JVM parameter that points at the JAAS file to ZooKeeper's startup script, and enable Kerberos in zoo.cfg

Switch to the configuration directory (cd conf), create zoo.cfg from the sample (cp zoo_sample.cfg zoo.cfg), open it and add the following settings. They enable SASL authentication and set the authentication provider:

```
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
```

With kerberos.removeHostFromPrincipal and kerberos.removeRealmFromPrincipal both true, zookeeper/host@REALM from every node maps to the short name zookeeper, so all ZooKeeper servers share one SASL identity for ACL purposes.

Point the JVM at the JAAS file (no whitespace may follow the `=` in the path):

```shell
export JVMFLAGS="-Djava.security.auth.login.config=/usr/local/apache-zookeeper-3.6.4/conf/zookeeper_jaas.conf"
```

Distribute the JAAS file to the other nodes:

```shell
scp /usr/local/apache-zookeeper-3.6.4/conf/zookeeper_jaas.conf root@dshieldcdh02:/usr/local/apache-zookeeper-3.6.4/conf
scp /usr/local/apache-zookeeper-3.6.4/conf/zookeeper_jaas.conf root@dshieldcdh03:/usr/local/apache-zookeeper-3.6.4/conf
```

Checked on dshieldcdh03:

```
[root@dshieldcdh03 ~]# cat /usr/local/apache-zookeeper-3.6.4/conf/zookeeper_jaas.conf
Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  useTicketCache=false
  keyTab="/etc/security/keytabs/zookeeper.keytab"
  principal="zookeeper/[email protected]";
};
```

```
cat /usr/local/apache-zookeeper-3.6.4/conf/zookeeper_client_jaas.conf
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  useTicketCache=false
  keyTab="/usr/local/apache-zookeeper-3.6.4/conf/zk.service.keytab"
  principal="zookeeper/[email protected]";
};
```

Part 3: Kafka Kerberos configuration

Copy the kafka user's keytab file to the other servers:

```shell
scp /etc/security/keytabs/kafka.keytab root@dshieldcdh02:/etc/security/keytabs/kafka.keytab
```

Configure Kafka's JAAS file: create a JAAS configuration file (for example kafka_client_jaas.conf) in Kafka's config directory with the following content.

kafka_client_jaas.conf

```
KafkaServer {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/keytabs/kafka.keytab"
  storeKey=true
  useTicketCache=false
  serviceName="kafka"
  principal="kafka/[email protected]";
};
KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/keytabs/kafka.keytab"
  storeKey=true
  useTicketCache=false
  serviceName="kafka"
  principal="kafka/[email protected]";
};
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/keytabs/zookeeper.keytab"
  storeKey=true
  useTicketCache=false
  serviceName="zookeeper"
  principal="zookeeper/[email protected]";
};
com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  renewTGT=false
  doNotPrompt=true
  useKeyTab=true
  keyTab="/etc/security/keytabs/kafka.keytab"
  storeKey=true
  useTicketCache=false
  serviceName="kafka"
  principal="kafka/[email protected]";
};
```

kafka_server_jaas.conf contains the same four sections (KafkaServer, KafkaClient, Client and com.sun.security.jgss.krb5.initiate) with identical content.

Adjust principal, the keyTab path and serviceName to match your environment. The Client section is what the broker uses to authenticate to ZooKeeper, so its serviceName must be zookeeper, while the value inside principal="..." must not carry leading whitespace.

Modify Kafka's startup script: add the JVM parameter that specifies the path to the JAAS configuration file.

```
cat kafka_client_jaas.conf
KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  serviceName="kafka"
  keyTab="/etc/security/keytabs/kafka.keytab"
  principal="kafka/[email protected]";
};
```

JAAS section names are case-sensitive: the Kafka client looks up KafkaClient, so a section named kafkaClient is never found.

```
cat server.properties
broker.id=1
hostname=dshieldcdh01
listeners=SASL_PLAINTEXT://dshieldcdh01:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.enabled.mechanisms=GSSAPI
sasl.kerberos.service.name=kafka
zookeeper.connect=dshieldcdh01:2181,dshieldcdh02:2181,dshieldcdh03:2181
zookeeper.set.acl=true
zookeeper.connection.timeout.ms=18000
```

sasl.kerberos.service.name must equal the service part of the broker principal (kafka in kafka/host@REALM); a misspelled value such as kaka makes every GSSAPI handshake fail. zookeeper.set.acl=true makes the broker create its znodes with ACLs restricted to its own SASL identity, which is the point of authenticating to ZooKeeper in the first place.

```
[kafka@dshieldcdh01 config]$ pwd
/usr/local/kafka/config
[kafka@dshieldcdh01 config]$ scp kafka_jaas.conf dshieldcdh02:/usr/local/kafka/config
[kafka@dshieldcdh01 config]$ scp kafka_jaas.conf dshieldcdh03:/usr/local/kafka/config
```

Another version of the Kerberos-related broker settings:

```
#kerberos
listeners=SASL_PLAINTEXT://ambarim2:9092
advertised.listeners=SASL_PLAINTEXT://ambarim2:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=GSSAPI
principal.to.local.class=kafka.security.auth.KerberosPrincipalToLocal
sasl.enabled.mechanisms=GSSAPI
zookeeper.connect=dshieldcdh01:2181,dshieldcdh02:2181,dshieldcdh03:2181
```
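As an added example (not from the original post), a small Python lint that parses server.properties and the KafkaServer JAAS section and catches the kind of mistakes that appear in the broker configuration above: a misspelled listeners key, which Kafka ignores silently, and a sasl.kerberos.service.name that does not match the JAAS service name. The sample inputs are constructed to reproduce those mistakes, and KNOWN_KEYS is a hypothetical allow-list limited to the keys this page uses.

```python
import difflib
import re
# Constructed sample inputs; the broker config reproduces the typos seen on this page
SAMPLE_PROPERTIES = """
listerners=SASL_PLAINTEXT://dshieldcdh01:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.enabled.mechanisms= GSSAPI
sasl.kerberos.service.name=kaka
"""
SAMPLE_JAAS = """KafkaServer {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true keyTab="/etc/security/keytabs/kafka.keytab" storeKey=true
  useTicketCache=false serviceName="kafka" principal="kafka/[email protected]";
};"""
# Hypothetical allow-list of the keys this page uses; Kafka silently ignores misspelled keys,
# so anything outside the list is flagged together with the closest known key
KNOWN_KEYS = {"broker.id", "listeners", "zookeeper.connect", "security.inter.broker.protocol",
              "sasl.mechanism.inter.broker.protocol", "sasl.enabled.mechanisms", "sasl.kerberos.service.name"}

def parse_properties(text):  # minimal key=value parser; blank and comment lines are skipped
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def jaas_options(text, section):  # option=value pairs of one JAAS login section
    m = re.search(r"%s\s*\{(.*?)\};" % re.escape(section), text, re.S)
    return dict(re.findall(r'(\w+)\s*=\s*"?([^\s";]+)"?', m.group(1))) if m else {}

def lint_broker_config(props_text, jaas_text):
    """Cross-check server.properties against the KafkaServer JAAS section; return findings."""
    props, jaas = parse_properties(props_text), jaas_options(jaas_text, "KafkaServer")
    findings = []
    for key in props:
        if key not in KNOWN_KEYS:
            hint = difflib.get_close_matches(key, KNOWN_KEYS, n=1)
            findings.append(f"unknown key '{key}'" + (f" (did you mean '{hint[0]}'?)" if hint else ""))
    if "listeners" not in props:
        findings.append("required key 'listeners' is missing")
    svc, jaas_svc = props.get("sasl.kerberos.service.name"), jaas.get("serviceName")
    if svc and svc != (jaas_svc or jaas.get("principal", "").split("/")[0]):
        findings.append(f"sasl.kerberos.service.name='{svc}' does not match the JAAS service name")
    enabled = [m.strip() for m in props.get("sasl.enabled.mechanisms", "").split(",")]
    ib_mech = props.get("sasl.mechanism.inter.broker.protocol")
    if ib_mech and ib_mech not in enabled:
        findings.append(f"inter-broker mechanism {ib_mech} is not in sasl.enabled.mechanisms")
    return findings
```

Run lint_broker_config on the real server.properties and JAAS file before starting a broker; an empty list means the cross-checks passed.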
