在我们公司,我们正在尝试使用SSL加密和SASL / Kerberos身份验证设置3node Kafka群集。以下是我的所作所为。
broker1,broker2,broker3是3个kafka服务器和" kerberosServer"的主机名。是kerberos服务器的主机名。
我在kerberosServer上创建了3条原则,即kafka/broker1@EXAMPLE.COM,kafka/broker2@EXAMPLE.COM,kafka/broker3@EXAMPLE.COM,并创建了一个名为kafka-server.keytab的密钥表,并添加了以上所有内容kafka-server.keytab的3个原则
我能够启动kafka集群。但是,当我试图从kafka客户端产生一些消息时,我得到了以下错误:
错误使用密钥向主题测试发送消息时出错:null,值:6个字节,错误:60000 ms后无法更新元数据。 (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback)
我使用kerberos服务器作为kafka客户端,我为客户端创建了一个名为kafka_client.keytab的新密钥表,并添加了一个名为kafka-client/kerberosServer@EXAMPLE.COM的新原则。以下是我的客户详细信息:
client-sasl.properties文件:
security.protocol=SASL_SSL
sasl.kerberos.service.name=kafka
ssl.truststore.location=/opt/ssl/kafka.client.truststore.jks
ssl.truststore.password=affirmed
kafka_client_jaas.conf:
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required debug=true
useKeyTab=true
storeKey=true
keyTab="/etc/security/keytabs/kafka_client.keytab"
principal="kafka-client/kerberosServer@EXAMPLE.COM";
};
当我使用以下命令生成时,我收到错误
./kafka-console-producer.sh --broker-list broker1:9094,broker2:9094,broker3:9094 --topic test --producer.config ../config/client-sasl.properties
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is /etc/security/keytabs/kafka_client.keytab refreshKrb5Config is false principal is kafka-client/kerberosServer@EXAMPLE.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal is kafka-client/kerberosServer@EXAMPLE.COM
Will use keytab
Commit Succeeded
sasllll
[2018-04-24 17:41:49,214] ERROR Error when sending message to topic test with key: null, value: 7 bytes with error: Failed to update metadata after 60000 ms. (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback)