What I want to do is:
For client-to-broker communication, use OAUTHBEARER authentication
For broker-to-broker communication, use PLAIN authentication
I have the following JAAS configuration:
KafkaServer {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  username="inter"
  password="inter-secret"
  user_inter="inter-secret"
  user_admin="YvNzcbmqhA0DfxjP";
  org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;
};
Client {
  org.apache.zookeeper.server.auth.DigestLoginModule required
  username="zookeeper"
  password="zookeeper-secret";
};
I have the following configuration in server.properties:
sasl.enabled.mechanisms=PLAIN,OAUTHBEARER
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.server.callback.handler.class=br.com.jairsjunior.security.oauthbearer.OauthAuthenticateValidatorCallbackHandler
But when I start the Kafka server I see the following error:
Caused by: java.lang.IllegalArgumentException: Must supply exactly 1 non-null JAAS mechanism configuration (size was 2)
at org.apache.kafka.common.security.oauthbearer.internals.unsecured.OAuthBearerUnsecuredValidatorCallbackHandler.configure(OAuthBearerUnsecuredValidatorCallbackHandler.java:114)
at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:122)
... 17 more
which indicates that Kafka does not allow more than one JAAS mechanism configuration to be specified.
So how do I specify multiple JAAS configurations and set up the authentication mechanisms as shown below:
Client to Broker ----> OAUTHBEARER
Broker to Broker ----> PLAIN
Thanks!
Answer 0: (score: 2)
I am currently still looking into the problem of using Plain and oauthbearer at the same time and have not solved it yet, but I solved your specific problem in the following way. Here is my JAAS config:
internal.KafkaServer {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  username="admin"
  password="admin-secret"
  user_admin="admin-secret"
  user_test="test";
};
external.KafkaServer {
  org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;
};
Client {
  org.apache.zookeeper.server.auth.DigestLoginModule required
  username="username"
  password="pw";
};
Then I set the settings in server.properties as follows:
inter.broker.listener.name: INTERNAL
sasl.mechanism.inter.broker.protocol: PLAIN
listener.security.protocol.map: INTERNAL:SASL_PLAINTEXT,EXTERNAL:SASL_SSL
listeners: "INTERNAL://0.0.0.0:9092,EXTERNAL://0.0.0.0:19092"
sasl.enabled.mechanisms: PLAIN,OAUTHBEARER
listener.name.external.oauthbearer.sasl.server.callback.handler.class: my.module.kafka.security.oauthbearer.OauthAuthenticateValidatorCallbackHandler
listener.name.external.oauthbearer.sasl.login.callback.handler.class: my.module.kafka.security.oauthbearer.OauthAuthenticateLoginCallbackHandler
This way you won't get the error. Unfortunately, when the broker wants to set up the external connection, I get another error:
It seems the Kafka broker is ignoring the oauthbearer callback handler. This is a bit strange, because when I configure external as the only listener, external works fine.
Hope it helps you solve the problem!
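As an added example (not code from the question or the answer), a small Python lint that reproduces the rule behind the question's "Must supply exactly 1 non-null JAAS mechanism configuration" error against a broker's JAAS sections and server.properties; it goes beyond the answer's layout by also setting per-listener sasl.enabled.mechanisms and checking for the listener-prefixed callback-handler key. The sample configs, the handler class name my.module.Handler and the listener names are constructed for the example.

```python
import re

# Minimal JAAS parser for linting only: assumes option values contain no ';'.
def parse_jaas(text):
    """Return {section: [login-module class, ...]} from a JAAS config string."""
    sections = {}
    for name, body in re.findall(r"([\w.]+)\s*\{(.*?)\}\s*;", text, re.S):
        entries = [e.strip() for e in body.split(";") if e.strip()]
        sections[name] = [e.split()[0] for e in entries]  # class name leads each entry
    return sections

def check_sasl_layout(jaas_text, props):
    """Lint a broker's JAAS + server.properties against the per-listener OAUTHBEARER rules."""
    sections, problems = parse_jaas(jaas_text), []
    for entry in props["listener.security.protocol.map"].split(","):
        listener, proto = entry.split(":")
        if not proto.startswith("SASL_"):
            continue
        lname = listener.lower()
        mechs = (props.get(f"listener.name.{lname}.sasl.enabled.mechanisms")
                 or props.get("sasl.enabled.mechanisms", "GSSAPI")).split(",")
        # Kafka reads '<listener>.KafkaServer' if present, else falls back to 'KafkaServer'.
        modules = sections.get(f"{lname}.KafkaServer") or sections.get("KafkaServer", [])
        if "OAUTHBEARER" in mechs:
            # The OAuthBearer handlers receive every entry of that section and require exactly
            # one, hence 'Must supply exactly 1 non-null JAAS mechanism configuration (size was 2)'.
            if len(modules) != 1 or not modules[0].endswith(".OAuthBearerLoginModule"):
                problems.append(f"{listener}/OAUTHBEARER: need exactly 1 entry (OAuthBearerLoginModule), found {len(modules)}")
            # Handler classes are only honoured under the listener+mechanism prefix; without it
            # the built-in unsecured validator runs, as the question's stack trace shows.
            if f"listener.name.{lname}.oauthbearer.sasl.server.callback.handler.class" not in props:
                problems.append(f"{listener}/OAUTHBEARER: no prefixed server callback handler")
    return problems

PROTO_MAP = "INTERNAL:SASL_PLAINTEXT,EXTERNAL:SASL_SSL"
# Constructed sample in the question's shape: one KafkaServer section holding both modules.
SHARED_JAAS = """KafkaServer {
  org.apache.kafka.common.security.plain.PlainLoginModule required username="inter" password="x";
  org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;
};"""
SHARED_PROPS = {"listener.security.protocol.map": PROTO_MAP, "sasl.enabled.mechanisms": "PLAIN,OAUTHBEARER"}
# Constructed sample in the answer's shape, plus per-listener mechanisms and a prefixed handler.
SPLIT_JAAS = """internal.KafkaServer {
  org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="x";
};
external.KafkaServer { org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required; };"""
SPLIT_PROPS = {"listener.security.protocol.map": PROTO_MAP,
               "listener.name.internal.sasl.enabled.mechanisms": "PLAIN",
               "listener.name.external.sasl.enabled.mechanisms": "OAUTHBEARER",
               "listener.name.external.oauthbearer.sasl.server.callback.handler.class": "my.module.Handler"}
```

Running check_sasl_layout on SHARED_JAAS/SHARED_PROPS reports the two-entry section for both listeners, while the split layout reports nothing.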