我无法在Kafka 0.10.2中使用SSL配置授权。我正在为代理,生产者和消费者使用命令行客户端。当kafka服务器配置文件中注释掉allow.everyone.if.no.acl.found=true时,生产者和消费者无法写入或读取测试主题(否则,他们能够读写)
我已经搜查了official documentation,this Symantec setup,the Confluent docs和various Stack - Overflow posts,但我仍然无法获得授权(虽然我通过TLS工作进行身份验证)。
我的证书来自IdenTrust / Letsencrypt。如果我取消注释allow.everyone.if.no.acl.found=true,我会在生产者连接时在代理日志中看到这一点:
DEBUG SslTransportLayer:358 - SSL handshake completed successfully with
peerHost 'devel-2.sjml.com' peerPort 56099 peerPrincipal 'CN=testkafkaconsumer1.eigenroute.com' cipherSuite
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384'
并且生产者能够写入并且消费者能够从测试主题中读取。但是,当上述行被注释掉时,此输出不会出现在日志中。在这种情况下,生产者命令行客户端输出以下内容:
WARN Error while fetching metadata with correlation id 10588 :
{test100=LEADER_NOT_AVAILABLE} (org.apache.kafka.clients.NetworkClient)
以下是来自Zookeeper的主题test100的ACL,以及列出它的命令:
$ bin/kafka-acls.sh --list --authorizer-properties zookeeper.connect=localhost:2181 --topic test100
Current ACLs for resource `Topic:test100`:
User:CN=testkafkaconsumer1.eigenroute.com has Allow permission for operations: Read from hosts: *
User:CN=kafka.eigenroute.com has Allow permission for operations: All from hosts: *
User:CN=testkafkaproducer1.eigenroute.com has Allow permission for operations: Write from hosts: *
下面是我用来向ACL添加用户的命令:
./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:CN=kafka.eigenroute.com --operation All --topic test100
./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:CN=testkafkaproducer1.eigenroute.com --operation Write --topic test100
./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:CN=testkafkaconsumer1.eigenroute.com --operation Read --topic test100
以下是代理,消费者和生产者的配置文件:
经纪人配置:
# secure-server-letsencrypt.properties
broker.id=0
delete.topic.enable=true
listeners=SSL://kafka.eigenroute.com:9093
port=9093
advertised.host.name=kafka.eigenroute.com
ssl.keystore.location=/home/kafka/keystore/kafka.keystore.jks
ssl.keystore.password=some-password
ssl.key.password=some-password
ssl.truststore.location=/usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts
ssl.truststore.password=some-password
ssl.endpoint.identification.algorithm=HTTPS
ssl.client.auth=required
security.inter.broker.protocol=SSL
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:CN=testkafkaproducer1.eigenroute.com
# allow.everyone.if.no.acl.found=true
advertised.listeners=SSL://kafka.eigenroute.com:9093
num.network.threads=3
num.io.threads=8
socket.send.buffer.bytes=102400
socket.receive.buffer.bytes=102400
socket.request.max.bytes=104857600
log.dirs=/tmp/kafka-logs
num.partitions=1
num.recovery.threads.per.data.dir=1
log.retention.hours=168
log.segment.bytes=1073741824
log.retention.check.interval.ms=300000
zookeeper.connect=localhost:2181
zookeeper.connection.timeout.ms=6000
消费者配置:
# secure-consumer.properties
zookeeper.connect=127.0.0.1:2181
# timeout in ms for connecting to zookeeper
zookeeper.connection.timeout.ms=6000
#consumer group id
group.id=test-consumer-group
#consumer timeout
#consumer.timeout.ms=5000
security.protocol=SSL
ssl.truststore.location=/usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts
ssl.truststore.password=some-password
ssl.keystore.location=/home/kafka/keystore/testkafkaconsumer1.keystore.jks
ssl.keystore.password=some-password
ssl.key.password=some-password
producer config:
bootstrap.servers=kafka.eigenroute.com:9093
security.protocol=SSL
ssl.truststore.location=/usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts
ssl.truststore.password=some-password
ssl.keystore.location=/home/kafka/keystore/testkafkaproducer1.keystore.jks
ssl.keystore.password=some-password
ssl.key.password=some-password
compression.type=none
我认为将生产者用户设置为超级用户,就像我在代理/服务器配置中所做的那样,应该允许生产者写入主题;唉,事实并非如此。经纪人似乎无法从Zookeeper中找到ACL。有人可以建议如何解决这个问题吗?谢谢!
答案 0 :(得分:1)
如--consumer和--producer选项的CLI documentation中所述,您需要在消费者主题上允许DESCRIBE和READ,同时在消费者群组上阅读< / p>
对于生产者,您需要DESCRIBE以及生产者的TOPIC上的WRITE,以及群集上的CREATE。