Topic ACL Authorizer super users

Time: 2019-06-06 16:25:44

Tags: apache-kafka confluent-schema-registry

https://docs.confluent.io/current/confluent-security-plugins/schema-registry/authorization/topicacl_authorizer.html says here:

A semicolon-separated list of users that can be super users. A user must be a super user to perform all global operations that do not involve read/write compatibility and the like. For example admin1;admin2 will set both admin1 and admin2 as super users.

But the users specified there cannot retrieve the global compatibility mode from the Confluent Server.

I tried admin1;admin2 and the Kafka-style User:admin1;User:admin, but neither seemed to work. Furthermore, since https://docs.confluent.io/current/confluent-security-plugins/schema-registry/install.html#authentication-mechanisms says:

The authentication mechanism for incoming requests is determined by the confluent.schema.registry.auth.mechanism configuration. Currently the only supported mechanism is SSL.

Since this is not a regular subject distinguished name, can a user take the form "admin1" or "admin2" at all? Shouldn't it at least need something like "CN=admin1"? So I basically tried putting there:

confluent.topic.acl.super.users=CN=schema_registry,OU=IT;CN=AttunityClnt,OU=IT

confluent.topic.acl.super.users=User:CN=schema_registry,OU=IT;User:CN=AttunityClnt,OU=IT

but neither of them works; in both cases the Attunity Replicate server cannot retrieve the global compatibility mode.

Also, to enable the Confluent Schema Registry security plugin, I added the following lines to schema-registry.properties:

schema.registry.resource.extension.class=io.confluent.kafka.schemaregistry.security.SchemaRegistrySecurityResourceExtension
confluent.schema.registry.authorizer.class=io.confluent.kafka.schemaregistry.security.authorizer.topicacl.SimpleTopicAclAuthorizer
inter.instance.protocol=https

OK, since I could not figure out how to define super users for the Topic ACL Authorizer, I tried the other approach, the Schema Registry ACL Authorizer, by setting this in schema-registry.properties instead of the previous lines:

schema.registry.resource.extension.class=io.confluent.kafka.schemaregistry.security.SchemaRegistrySecurityResourceExtension
confluent.schema.registry.authorizer.class=io.confluent.kafka.schemaregistry.security.authorizer.schemaregistryacl.SchemaRegistryAclAuthorizer
inter.instance.protocol=https

I also removed the confluent.topic.acl.super.users setting because I thought it has no effect in this case. I restarted the schema registry to load the new settings; according to its log it started up fine, I think, and then I tried to use sr-acl-cli to first define a schema admin and got the following:

# bin/sr-acl-cli --config etc/schema-registry/schema-registry.properties --add -s * -p schema_registry_test -o *
Invalid operation specified : bin
Option                      Description
------                      -----------
-h, --help                  Print usage information.
--add                       Indicates you are trying to add ACLs.
--remove                    Indicates you are trying to remove ACLs.
--list                      List all the current ACLs
--config <File>             REQUIRED: Schema Registry properties file
-o, --operation <String>    Operation that is being authorized. Valid operation
                              names are:
                            [SUBJECT_READ, SUBJECT_WRITE, SUBJECT_DELETE,
                              SUBJECT_COMPATIBILITY_READ,
                              SUBJECT_COMPATIBILITY_WRITE,
                              GLOBAL_COMPATIBILITY_READ,
                              GLOBAL_COMPATIBILITY_WRITE, GLOBAL_SUBJECTS_READ]
-s, --subject <String>      Subject to which the ACL is being applied to. Only
                              applicable for SUBJECT operations. Use * to apply
                              to all subjects
-t, --topic <String>        Topic to which the ACL is being applied to. The
                              corresponding subjects would topic-key and topic-
                              value.Only applicable for SUBJECT operations. Use
                              * to apply to all subjects
-p, --principal <String>    Principal to which the ACL is being applied to. Use
                              * to apply to all principals
# cd bin
# ./sr-acl-cli --config ../etc/schema-registry/schema-registry.properties --add -s * -p schema_registry_test -o *
Invalid operation specified : confluent
Option                      Description
------                      -----------
-h, --help                  Print usage information.
--add                       Indicates you are trying to add ACLs.
--remove                    Indicates you are trying to remove ACLs.
--list                      List all the current ACLs
--config <File>             REQUIRED: Schema Registry properties file
-o, --operation <String>    Operation that is being authorized. Valid operation
                              names are:
                            [SUBJECT_READ, SUBJECT_WRITE, SUBJECT_DELETE,
                              SUBJECT_COMPATIBILITY_READ,
                              SUBJECT_COMPATIBILITY_WRITE,
                              GLOBAL_COMPATIBILITY_READ,
                              GLOBAL_COMPATIBILITY_WRITE, GLOBAL_SUBJECTS_READ]
-s, --subject <String>      Subject to which the ACL is being applied to. Only
                              applicable for SUBJECT operations. Use * to apply
                              to all subjects
-t, --topic <String>        Topic to which the ACL is being applied to. The
                              corresponding subjects would topic-key and topic-
                              value.Only applicable for SUBJECT operations. Use
                              * to apply to all subjects
-p, --principal <String>    Principal to which the ACL is being applied to. Use
                              * to apply to all principals
#

I actually wanted to issue that command as user CN=schema_registry,OU=IT, but the result was the same. What am I missing here? For a moment I thought that users not formed from the TLS certificate subject DN might be useful for accessing the schema registry other than via the HTTPS REST API, e.g. sr-acl-cli, but here you give it the configuration in the form of the Schema Registry properties file, which basically defines the connection to the Kafka cluster used by the schema registry. Is it possible that the user running sr-acl-cli must be defined beforehand as a schema registry super user? E.g. by using confluent.topic.acl.super.users?? I tried that too, but it did not help. It is not clear to me how exactly sr-acl-cli communicates with the schema registry instance on the same machine, but I guess the user running sr-acl-cli should matter somehow, although I don't know how to set it. By the way, this works:

sr-acl-cli --config etc/schema-registry/schema-registry.properties --list

It returns:

[2019-06-10 18:16:20,848] INFO Logging initialized @376ms to org.eclipse.jetty.util.log.Slf4jLog (org.eclipse.jetty.util.log:193)
[2019-06-10 18:16:20,887] INFO HV000001: Hibernate Validator 5.1.3.Final (org.hibernate.validator.internal.util.Version:27)
[2019-06-10 18:16:21,946] INFO Validating ACL topic _schemas_acl (io.confluent.kafka.schemaregistry.security.authorizer.schemaregistryacl.SchemaRegistryAclAuthorizerUtils:199)
[2019-06-10 18:16:22,157] INFO Initialized last consumed offset to -1 (io.confluent.kafka.schemaregistry.security.authorizer.schemaregistryacl.SchemaRegistryAclReaderThread:125)
[2019-06-10 18:16:22,200] INFO [schema-registry-acl-reader-thread]: Starting (io.confluent.kafka.schemaregistry.security.authorizer.schemaregistryacl.SchemaRegistryAclReaderThread:66)
Current ACL's for Subject Operations are
{}
Current ACL's for Global Operations are
{}
[2019-06-10 18:16:22,351] INFO [schema-registry-acl-reader-thread]: Shutting down (io.confluent.kafka.schemaregistry.security.authorizer.schemaregistryacl.SchemaRegistryAclReaderThread:66)
[2019-06-10 18:16:22,351] INFO [schema-registry-acl-reader-thread]: Stopped (io.confluent.kafka.schemaregistry.security.authorizer.schemaregistryacl.SchemaRegistryAclReaderThread:66)
[2019-06-10 18:16:22,351] INFO [schema-registry-acl-reader-thread]: Shutdown completed (io.confluent.kafka.schemaregistry.security.authorizer.schemaregistryacl.SchemaRegistryAclReaderThread:66)
[2019-06-10 18:16:22,357] INFO SchemaRegistryAclReaderThread shutdown complete. (io.confluent.kafka.schemaregistry.security.authorizer.schemaregistryacl.SchemaRegistryAclReaderThread:295)

Starting the schema registry instance created a new topic _schemas_acl, so I guess at least that part should be OK.
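The "Invalid operation specified : bin" and ": confluent" lines in the sr-acl-cli output above are consistent with the unquoted `*` being expanded by the shell against the current directory (first the Confluent install root, then bin/) before sr-acl-cli ever receives it. The following is an added example, not part of the question or of the Confluent tooling: it uses a stand-in function in place of sr-acl-cli (assumption: the operation is the first token after -o) and a constructed directory layout to show which value reaches the program with and without quoting.

```shell
#!/bin/sh
# Added illustration: an unquoted * in `-s * -o *` is a glob. The shell replaces
# it with the directory listing before the command runs, so the first name in
# the listing becomes the "operation". Quoting the * sends a literal * instead.

# Stand-in for sr-acl-cli (hypothetical, not the real tool): prints the single
# token it sees right after -o, which is what a CLI parser would validate.
fake_sr_acl_cli() {
  while [ $# -gt 0 ]; do
    case "$1" in
      -o) shift; printf '%s\n' "$1"; return 0 ;;
    esac
    shift
  done
  return 1
}

# Constructed directory that mirrors a Confluent install root (bin/, etc/,
# share/) with a bin/ containing "confluent" and "sr-acl-cli" scripts.
make_confluent_like_dir() {
  dir=$(mktemp -d)
  mkdir "$dir/bin" "$dir/etc" "$dir/share"
  touch "$dir/bin/confluent" "$dir/bin/sr-acl-cli"
  printf '%s\n' "$dir"
}

# Unquoted *: expanded in the directory given as $1, so -o receives "bin"
# in the install root and "confluent" inside bin/.
operation_seen_unquoted() {
  ( cd "$1" && fake_sr_acl_cli --add -s * -p schema_registry_test -o * )
}

# Quoted '*': the literal wildcard reaches the program, which is what the
# ACL tool's "Use * to apply to all" wording expects.
operation_seen_quoted() {
  ( cd "$1" && fake_sr_acl_cli --add -s '*' -p schema_registry_test -o '*' )
}
```

The same expansion hazard applies to any ACL tool that accepts `*` as a wildcard; passing a directory name as an ACL operation or principal fails loudly here, but a silently accepted wrong principal would be the worse outcome.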

0 answers:

No answers