kafka开启kerberos

一、基本环境准备

  1. 创建票据创建Kerberos主体(Principal):

使用kadmin.local或kadmin命令为Zookeeper和Kafka服务创建Kerberos主体。例如:

注意有几台机器创建几个

kadmin.local -q "addprinc -randkey zookeeper/dshieldcdh01@HADOOP139.COM"

kadmin.local -q "addprinc -randkey zookeeper/dshieldcdh02@HADOOP139.COM"

kadmin.local -q "addprinc -randkey zookeeper/dshieldcdh03@HADOOP139.COM"

kadmin.local -q "addprinc -randkey kafka/dshieldcdh01@HADOOP139.COM"

kadmin.local -q "addprinc -randkey kafka/dshieldcdh02@HADOOP139.COM"

kadmin.local -q "addprinc -randkey kafka/dshieldcdh03@HADOOP139.COM"

  1. 验证主体是否创建成功

kadmin.local -q "listprincs"

[root@dshieldcdh02 ~]# kadmin.local -q "listprincs"

Authenticating as principal root/admin@HADOOP139.COM with password.

K/M@HADOOP139.COM

host/dshieldcdh01@HADOOP139.COM

host/dshieldcdh02@HADOOP139.COM

kadmin/admin@HADOOP139.COM

kadmin/changepw@HADOOP139.COM

kadmin/dshieldcdh02@HADOOP139.COM

kafka/dshieldcdh01@HADOOP139.COM

kafka/dshieldcdh02@HADOOP139.COM

kafka/dshieldcdh03@HADOOP139.COM

kiprop/dshieldcdh02@HADOOP139.COM

krbtgt/HADOOP139.COM@HADOOP139.COM

root/admin@HADOOP139.COM

zookeeper/dshieldcdh01@HADOOP139.COM

zookeeper/dshieldcdh02@HADOOP139.COM

zookeeper/dshieldcdh03@HADOOP139.COM

  1. 创建keytab

mkdir /etc/security/keytabs/

kadmin.local -q "xst -k /etc/security/keytabs/kafka.keytab kafka/dshieldcdh01@HADOOP139.COM"

kadmin.local -q "xst -k /etc/security/keytabs/kafka.keytab kafka/dshieldcdh02@HADOOP139.COM"

kadmin.local -q "xst -k /etc/security/keytabs/kafka.keytab kafka/dshieldcdh03@HADOOP139.COM"

  1. 验证KeyTab文件内容:

klist -kt /etc/security/keytabs/zookeeper.keytab

klist -kt /etc/security/keytabs/kafka.keytab

kinit -kt /etc/security/keytabs/zookeeper.keytab zookeeper/dshieldcdh02@HADOOP139.COM

  1. 将keytab文件拷贝到其他两天zookeeper上,需要将keytab文件拷贝过去才可以使用

scp /etc/security/keytabs/*keytab root@dshieldcdh01:/etc/security/keytabs/

scp /etc/security/keytabs/*keytab root@dshieldcdh03:/etc/security/keytabs/

  1. 在其他机器上验证keytab文件可用

kinit -kt /etc/security/keytabs/zookeeper.keytab zookeeper/dshieldcdh01@HADOOP139.COM

二、Zookeeper配置Kerberos

  1. 配置Zookeeper的JAAS文件:

在Zookeeper的配置目录下创建JAAS配置文件(如zookeeper_jaas.conf),内容如下:

java
Server {

com.sun.security.auth.module.Krb5LoginModule required

useKeyTab=true

storeKey=true

keyTab="/etc/security/keytabs/zookeeper.keytab"

principal="zookeeper/dshieldcdh01@HADOOP139.COM"

useTicketCache=false;

};

Client {

com.sun.security.auth.module.Krb5LoginModule required

useKeyTab=true

storeKey=true

keyTab="/etc/security/keytabs/zookeeper.keytab"

principal="zookeeper/dshieldcdh01@HADOOP139.COM"

useTicketCache=false;

};

注意修改principal和keyTab路径以匹配实际环境。

在Zookeeper的启动脚本中添加JVM参数,指定JAAS配置文件的路径。

配置zookeeper的kerberos验证,切换到配置文件目录下cd conf,添加zoo.cfg配置文件,cp zoo_sample.cfg zoo.cfg打开zoo.cfg配置文件,添加配置,修改Zookeeper的配置文件cat zoo.cfg 启用SASL认证,并指定认证提供者。
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider

jaasLoginRenew=3600000

kerberos.removeHostFromPrincipal=true

kerberos.removeRealmFromPrincipal=true

export JVMFLAGS="-Djava.security.auth.login.config= /usr/local/apache-zookeeper-3.6.4/conf/zookeeper_jaas.conf"

scp /usr/local/apache-zookeeper-3.6.4/conf/zookeeper_jaas.conf root@dshieldcdh02:/usr/local/apache-zookeeper-3.6.4/conf

scp /usr/local/apache-zookeeper-3.6.4/conf/zookeeper_jaas.conf root@dshieldcdh03:/usr/local/apache-zookeeper-3.6.4/conf

[root@dshieldcdh03 ~]# cat /usr/local/apache-zookeeper-3.6.4/conf/zookeeper_jaas.conf
Server {

com.sun.security.auth.module.Krb5LoginModule required

useKeyTab=true

storeKey=true

useTicketCache=false

keyTab="/etc/security/keytabs/zookeeper.keytab"

principal="zookeeper/dshieldcdh03@HADOOP139.COM";

};

cat /usr/local/apache-zookeeper-3.6.4/conf/zookeeper_client_jaas.conf

Client {

com.sun.security.auth.module.Krb5LoginModule required

useKeyTab=true

storeKey=true

useTicketCache=false

keyTab="/usr/local/apacje-zookeeper-3.6.4/conf/zk.service.keytab"

principal="zookeeper/dshieldcdh03@HADOOP139.COM";

};

三、Kafka配置Kerberos

将kafka用户的keytab文件拷贝到其他服务器上

scp /etc/security/keytabs/kafka.keytab root@ dshieldcdh02:/etc/security/keytabs/kafka.keytab

配置Kafka的JAAS文件:

在Kafka的配置目录下创建JAAS配置文件(如kafka_client_jaas.conf),内容如下:

kafka_client_jaas.conf

KafkaServer {

com.sun.security.auth.module.Krb5LoginModule required

useKeyTab=true

keyTab="/etc/security/keytabs/kafka.keytab"

storeKey=true

useTicketCache=false

serviceName="kafka"

principal="kafka/dshieldcdh01@HADOOP139.COM";

};

KafkaClient {

com.sun.security.auth.module.Krb5LoginModule required

useKeyTab=true

keyTab="/etc/security/keytabs/kafka.keytab"

storeKey=true

useTicketCache=false

serviceName="kafka"

principal="kafka/dshieldcdh01@HADOOP139.COM";

};

Client {

com.sun.security.auth.module.Krb5LoginModule required

useKeyTab=true

keyTab="/etc/security/keytabs/zookeeper.keytab"

storeKey=true

useTicketCache=false

serviceName="zookeeper"

principal=" zookeeper/dshieldcdh01@HADOOP139.COM";

};

com.sun.security.jgss.krb5.initiate {

com.sun.security.auth.module.Krb5LoginModule required

renewTGT=false

doNotPrompt=true

useKeyTab=true

keyTab="/etc/security/keytabs/kafka.keytab"

storeKey=true

useTicketCache=false

serviceName="kafka"

principal="kafka/dshieldcdh01@HADOOP139.COM";

};

kafka_server_jaas.conf

KafkaServer {

com.sun.security.auth.module.Krb5LoginModule required

useKeyTab=true

keyTab="/etc/security/keytabs/kafka.keytab"

storeKey=true

useTicketCache=false

serviceName="kafka"

principal="kafka/dshieldcdh01@HADOOP139.COM";

};

KafkaClient {

com.sun.security.auth.module.Krb5LoginModule required

useKeyTab=true

keyTab="/etc/security/keytabs/kafka.keytab"

storeKey=true

useTicketCache=false

serviceName="kafka"

principal="kafka/dshieldcdh01@HADOOP139.COM";

};

Client {

com.sun.security.auth.module.Krb5LoginModule required

useKeyTab=true

keyTab="/etc/security/keytabs/zookeeper.keytab"

storeKey=true

useTicketCache=false

serviceName="zookeeper"

principal=" zookeeper/dshieldcdh01@HADOOP139.COM";

};

com.sun.security.jgss.krb5.initiate {

com.sun.security.auth.module.Krb5LoginModule required

renewTGT=false

doNotPrompt=true

useKeyTab=true

keyTab="/etc/security/keytabs/kafka.keytab"

storeKey=true

useTicketCache=false

serviceName="kafka"

principal="kafka/dshieldcdh01@HADOOP139.COM";

};

注意修改principal、keyTab路径和serviceName以匹配实际环境。

修改Kafka的启动脚本:

在Kafka的启动脚本中添加JVM参数,指定JAAS配置文件的路径。

cat kafka_client_jaas.conf

kafkaClient {

com.sun.security.auth.module.Krb5LoginModule required

useKeyTab=true

storeKey=true

serviceName=kafka

keyTab="/etc/security/keytabs/kafka.keytab"

principal="kafka/dshieldcdh01@HADOOP139.COM";

};

cat server.properties

broker.id=1

hostname=dshieldcdh01

listerners=SASL_PLAINTEXT://dshieldcdh01:9092

security.inter.broker.protocol=SASL_PLAINTEXT

sasl.mechanism.inter.broker.protocol=GSSAPI

sasl.enabled.mechanisms= GSSAPI

sasl.kerberos.service.name=kaka

zookeeper.connect=dshieldcdh01:2181, dshieldcdh02:2181, dshieldcdh03:2181

zookeeper.set.acl=true

zookeeper.connection.timeout.ms=18000

[kafka@dshieldcdh01 config]$ pwd

/usr/local/kafka/config

[kafka@dshieldcdh01 config]$ scp kafka_jaas.conf dshieldcdh02:/usr/local/kafka/config

scp kafka_jaas.conf dshieldcdh03:/usr/local/kafka/config

#kerberos

listeners=SASL_PLAINTEXT://ambarim2:9092

advertised.listeners=SASL_PLAINTEXT://ambarim2:9092

security.inter.broker.protocol=SASL_PLAINTEXT

sasl.mechanism.inter.broker.protocol=GSSAPI

principal.to.local.class=kafka.security.auth.KerberosPrincipalToLocal

isasl.enabled.mechanisms=GSSAPI

zookeeper.connect=dshieldcdh01:2181,dshieldcdh02:2181,dshieldcdh03:2181

相关推荐
Ven%13 分钟前
centos查看硬盘资源使用情况命令大全
linux·运维·centos
萨格拉斯救世主1 小时前
戴尔R930服务器增加 Intel X710-DA2双万兆光口含模块
运维·服务器
Jtti1 小时前
Windows系统服务器怎么设置远程连接?详细步骤
运维·服务器·windows
yeyuningzi1 小时前
Debian 12环境里部署nginx步骤记录
linux·运维·服务器
上辈子杀猪这辈子学IT2 小时前
【Zookeeper集群搭建】安装zookeeper、zookeeper集群配置、zookeeper启动与关闭、zookeeper的shell命令操作
linux·hadoop·zookeeper·centos·debian
EasyCVR2 小时前
萤石设备视频接入平台EasyCVR多品牌摄像机视频平台海康ehome平台(ISUP)接入EasyCVR不在线如何排查?
运维·服务器·网络·人工智能·ffmpeg·音视频
wowocpp3 小时前
ubuntu 22.04 硬件配置 查看 显卡
linux·运维·ubuntu
萨格拉斯救世主3 小时前
jenkins使用slave节点进行node打包报错问题处理
运维·jenkins
川石课堂软件测试4 小时前
性能测试|docker容器下搭建JMeter+Grafana+Influxdb监控可视化平台
运维·javascript·深度学习·jmeter·docker·容器·grafana
pk_xz1234565 小时前
Shell 脚本中变量和字符串的入门介绍
linux·运维·服务器