kafka实战kerberos(笔记)

半兽人 发表于: 2017-01-10   最后更新时间: 2017-01-10  
  •   44 订阅,582 游览

1 安装配置kerberos

more /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
EXAMPLE.COM = {
kdc = 10.211.55.5
admin_server = 10.211.55.5
}

[domain_realm]
kafka = EXAMPLE.COM
zookeeper = EXAMPLE.COM
weiwei = EXAMPLE.COM
10.211.55.5 = EXAMPLE.COM
127.0.0.1 = EXAMPLE.COM

kadmin.local

Authenticating as principal kafka/admin@EXAMPLE.COM with password.
kadmin.local: listprincs
K/M@EXAMPLE.COM
clients@EXAMPLE.COM
host/10.211.55.5@EXAMPLE.COM
host/weiwei@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/weiwei@EXAMPLE.COM
kafka/10.211.55.5@EXAMPLE.COM
kafka/127.0.0.1@EXAMPLE.COM
kafka/localhost@EXAMPLE.COM
kafka/weiwei@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
root/admin@EXAMPLE.COM
zookeeper/10.211.55.5@EXAMPLE.COM
zookeeper/127.0.0.1@EXAMPLE.COM

klist -t -e -k /var/kerberos/krb5kdc/kafka.keytab

Keytab name: FILE:/var/kerberos/krb5kdc/kafka.keytab
KVNO Timestamp Principal


3 07/24/16 00:58:30 kafka/10.211.55.5@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
3 07/24/16 00:58:30 kafka/10.211.55.5@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
3 07/24/16 00:58:30 kafka/10.211.55.5@EXAMPLE.COM (des3-cbc-sha1)
3 07/24/16 00:58:30 kafka/10.211.55.5@EXAMPLE.COM (arcfour-hmac)
3 07/24/16 00:58:30 kafka/10.211.55.5@EXAMPLE.COM (des-hmac-sha1)
3 07/24/16 00:58:30 kafka/10.211.55.5@EXAMPLE.COM (des-cbc-md5)
2 07/24/16 12:23:18 zookeeper/10.211.55.5@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 07/24/16 12:23:18 zookeeper/10.211.55.5@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
2 07/24/16 12:23:18 zookeeper/10.211.55.5@EXAMPLE.COM (des3-cbc-sha1)
2 07/24/16 12:23:18 zookeeper/10.211.55.5@EXAMPLE.COM (arcfour-hmac)
2 07/24/16 12:23:18 zookeeper/10.211.55.5@EXAMPLE.COM (des-hmac-sha1)
2 07/24/16 12:23:18 zookeeper/10.211.55.5@EXAMPLE.COM (des-cbc-md5)
2 07/25/16 11:31:37 kafka/127.0.0.1@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 07/25/16 11:31:37 kafka/127.0.0.1@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
2 07/25/16 11:31:37 kafka/127.0.0.1@EXAMPLE.COM (des3-cbc-sha1)
2 07/25/16 11:31:37 kafka/127.0.0.1@EXAMPLE.COM (arcfour-hmac)
2 07/25/16 11:31:37 kafka/127.0.0.1@EXAMPLE.COM (des-hmac-sha1)
2 07/25/16 11:31:37 kafka/127.0.0.1@EXAMPLE.COM (des-cbc-md5)
3 07/25/16 13:13:31 kafka/weiwei@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
3 07/25/16 13:13:31 kafka/weiwei@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
3 07/25/16 13:13:31 kafka/weiwei@EXAMPLE.COM (des3-cbc-sha1)
3 07/25/16 13:13:31 kafka/weiwei@EXAMPLE.COM (arcfour-hmac)
3 07/25/16 13:13:31 kafka/weiwei@EXAMPLE.COM (des-hmac-sha1)
3 07/25/16 13:13:31 kafka/weiwei@EXAMPLE.COM (des-cbc-md5)
2 07/25/16 15:07:58 zookeeper/127.0.0.1@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 07/25/16 15:07:58 zookeeper/127.0.0.1@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
2 07/25/16 15:07:58 zookeeper/127.0.0.1@EXAMPLE.COM (des3-cbc-sha1)
2 07/25/16 15:07:58 zookeeper/127.0.0.1@EXAMPLE.COM (arcfour-hmac)
2 07/25/16 15:07:58 zookeeper/127.0.0.1@EXAMPLE.COM (des-hmac-sha1)
2 07/25/16 15:07:58 zookeeper/127.0.0.1@EXAMPLE.COM (des-cbc-md5)
2 07/25/16 18:47:55 clients@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 07/25/16 18:47:55 clients@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
2 07/25/16 18:47:55 clients@EXAMPLE.COM (des3-cbc-sha1)
2 07/25/16 18:47:55 clients@EXAMPLE.COM (arcfour-hmac)
2 07/25/16 18:47:55 clients@EXAMPLE.COM (des-hmac-sha1)
2 07/25/16 18:47:55 clients@EXAMPLE.COM (des-cbc-md5)

more zookeeper_jaas.conf

Server{
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
useTicketCache=false
keyTab="/var/kerberos/krb5kdc/kafka.keytab"
principal="zookeeper/10.211.55.5@EXAMPLE.COM";
};

more kafka_server_jaas.conf

KafkaServer {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab="/var/kerberos/krb5kdc/kafka.keytab"
principal="kafka/weiwei@EXAMPLE.COM";
};

Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab="/var/kerberos/krb5kdc/kafka.keytab"
principal="kafka/weiwei@EXAMPLE.COM";
};

more config/server.properties

advertised.host.name=10.211.55.5
advertised.listeners=SASL_PLAINTEXT://10.211.55.5:9093
listeners=SASL_PLAINTEXT://10.211.55.5:9093

listeners=PLAINTEXT://127.0.0.1:9093

security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.enabled.mechanisms=GSSAPI

sasl.kerberos.service.name=kafka

more start-zk-and-kafka

!/bin/bash

export KAFKA_HEAP_OPTS='-Xmx256M'
export KAFKA_OPTS='-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.confi
g=/etc/kafka/zookeeper_jaas.conf'
bin/zookeeper-server-start.sh config/zookeeper.properties &

sleep 5

export KAFKA_OPTS='-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.confi
g=/etc/kafka/kafka_server_jaas.conf'
bin/kafka-server-start.sh config/server.properties

more config/zookeeper.properties

authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl
jaasLoginRenew=3600000

more config/producer.properties/consumer.properties

security.protocol=SASL_PLAINTEXT
sasl.mechanism=GSSAPI
sasl.kerberos.service.name=kafka

more producer2

export KAFKA_OPTS="-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.confi
g=/etc/kafka/kafka_client_jaas.conf"

bin/kafka-console-producer.sh --broker-list 10.211.55.5:9093 --topic test --producer.config
config/producer.properties

more consumer2

export KAFKA_OPTS="-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.confi
g=/etc/kafka/kafka_client_jaas.conf"

bin/kafka-console-consumer.sh --bootstrap-server 10.211.55.5:9093 --topic test --new-consume
r --from-beginning --consumer.config config/consumer.properties







发表于: 1月前   最后更新时间: 1月前   游览量:582
上一条: kafka配额
下一条: 从老版本升级kafka
评论…

  • 你好,export KAFKA_OPTS="-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.confi
    g=/etc/kafka/kafka_client_jaas.conf"这个配置是要添加在kafka-console-producer.sh和kafka-console-consumer.sh这两个脚本里面是吧?
  • 评论…
    • in this conversation
      提问