When I try to start the server with the following command
:/remote/sde108/kafka/kafka/bin/kafka-server-start.sh /remote/sde108/kafka/kafka/config/server-1.properties
I get the error:
org.apache.kafka.common.errors.ClusterAuthorizationException: Request Request …… is not authorized.
I am able to do the SSL handshake both ways, but when I try to add ACLs it fails. I added them to my ACLs with the following command:
../bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:swe-analyticsdb-prod2 --consumer --topic my-topic --group *
Adding ACLs for resource `Topic:LITERAL:my-topic`:
User:swe-analyticsdb-prod2 has Allow permission for operations: Read from hosts: *
User:swe-analyticsdb-prod2 has Allow permission for operations: Describe from hosts: *
Adding ACLs for resource `Group:LITERAL:connect-console-sink.properties`:
User:swe-analyticsdb-prod2 has Allow permission for operations: Read from hosts: *
[2019-10-04 09:00:00,515] WARN read null data from /kafka-acl-changes/acl_changes_0000000057 (kafka.common.ZkNodeChangeNotificationListener)
Current ACLs for resource `Topic:LITERAL:my-topic`:
User:swe-analyticsdb-prod2 has Allow permission for operations: Read from hosts: *
User:swe-analyticsdb-prod2 has Allow permission for operations: Describe from hosts: *
Current ACLs for resource `Group:LITERAL:connect-console-sink.properties`:
User:navdeploy has Allow permission for operations: All from hosts: connect-console-sink.properties
User:swe-analyticsdb-prod2 has Allow permission for operations: Read from hosts: *
When I try to consume from that topic, I get:
navdeploy@swe-analyticsdb-prod2:/remote/sde108/kafka/kafka/config % ../bin/kafka-console-consumer.sh --bootstrap-server swe-analyticsdb-prod2:9093 --topic my-topic --consumer.config ssl.properties --from-beginning
[2019-10-04 09:01:55,656] WARN [Consumer clientId=consumer-1, groupId=console-consumer-22342] Error while fetching metadata with correlation id 2 : {my-topic=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
[2019-10-04 09:01:55,659] ERROR Error processing message, terminating consumer process: (kafka.tools.ConsoleConsumer$)
org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to access group: console-consumer-22342
Processed a total of 0 messages
Here are some of my configuration file properties:
server-1.properties:
listeners=SSL://swe-analyticsdb-prod2:9093
ssl.keystore.location=<path>server.keystore.jks
ssl.keystore.password=<password>
ssl.key.password=<password>
ssl.truststore.location=<path>/server.truststore.jks
ssl.truststore.password=<password>
security.inter.broker.protocol=SSL
ssl.client.auth=required
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
ssl.properties:
security.protocol=SSL
ssl.truststore.location=<path>/client.truststore.jks
ssl.truststore.password=<password>
ssl.keystore.location=<path>/client.keystore.jks
ssl.keystore.password=<password>
ssl.key.password=<password>
When I do not include "authorizer.class.name" in the server-1.properties file, the SSL handshake goes through both ways, but with it I get the errors above. Does anyone know how to fix this?
Edit: When I start the Kafka server, it gives me:
org.apache.kafka.common.errors.ClusterAuthorizationException: Request Request …… is not authorized.
but for those topics for which I have set ACLs. Is this expected? Also, the user I use to run the commands is navdeploy, but in my SSL certificate the CN is swe-analyticsdb-prod2. Do I need to create the ACL user under the name navdeploy or swe-analyticsdb-prod2? Can someone explain this to me?
**Update:**
navdeploy@swe-analyticsdb-prod2:/remote/sde108/kafka/kafka/config % ../bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --operation All --allow-principal User: * --allow-host swe-analyticsdb-prod2 --add --cluster
Adding ACLs for resource `Cluster:LITERAL:kafka-cluster`:
User: has Allow permission for operations: All from hosts: swe-analyticsdb-prod2
Current ACLs for resource `Cluster:LITERAL:kafka-cluster`:
User: has Allow permission for operations: All from hosts: swe-analyticsdb-prod2
navdeploy@swe-analyticsdb-prod2:/remote/sde108/kafka/kafka/config % ../bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --list
Current ACLs for resource `Cluster:LITERAL:kafka-cluster`:
User: has Allow permission for operations: All from hosts: swe-analyticsdb-prod2
Current ACLs for resource `Group:LITERAL:controller.log`:
User:navdeploy has Allow permission for operations: Read from hosts: controller.log
Current ACLs for resource `Group:LITERAL:connect-console-sink.properties`:
User:navdeploy has Allow permission for operations: All from hosts: connect-console-sink.properties
Current ACLs for resource `Group:LITERAL:*`:
User:ANONYMOUS has Allow permission for operations: All from hosts: *
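An added example, not from the post: a small Python audit over the `kafka-acls.sh --list` output shown above. It flags the three things visible in that listing: Group resources and hosts named after files in the config/ directory (an unquoted `*` that the shell expanded before kafka-acls.sh saw it), the empty `User:` principal left behind by `User: *`, and the `User:ANONYMOUS` allow-all rule on `Group:*`. The listing constant is constructed from the post's output plus one ordinary topic ACL.

```python
import re
# Constructed sample: the `kafka-acls.sh --list` output from the post, plus one
# ordinary topic ACL so the audit also has a clean entry to pass over.
ACL_LISTING = """\
Current ACLs for resource `Cluster:LITERAL:kafka-cluster`:
User: has Allow permission for operations: All from hosts: swe-analyticsdb-prod2
Current ACLs for resource `Group:LITERAL:controller.log`:
User:navdeploy has Allow permission for operations: Read from hosts: controller.log
Current ACLs for resource `Group:LITERAL:connect-console-sink.properties`:
User:navdeploy has Allow permission for operations: All from hosts: connect-console-sink.properties
Current ACLs for resource `Group:LITERAL:*`:
User:ANONYMOUS has Allow permission for operations: All from hosts: *
Current ACLs for resource `Topic:LITERAL:my-topic`:
User:swe-analyticsdb-prod2 has Allow permission for operations: Read from hosts: *
"""

RESOURCE_RE = re.compile(r"^Current ACLs for resource `([^`]+)`:$")
ENTRY_RE = re.compile(r"^(?P<principal>\S*) has (?P<perm>Allow|Deny) permission "
                      r"for operations: (?P<ops>.+?) from hosts: (?P<hosts>.+)$")

# Names of files in the config/ directory the commands were run from: a resource
# or host value ending like this means the shell expanded an unquoted `*`.
GLOB_MARKERS = (".properties", ".log")

def parse_acls(text):
    """Parse the listing into (resource, principal, permission, ops, hosts) tuples."""
    entries, resource = [], None
    for line in text.splitlines():
        m = RESOURCE_RE.match(line)
        if m:
            resource = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and resource:
            entries.append((resource, m["principal"], m["perm"], m["ops"], m["hosts"]))
    return entries

def audit_acls(text):
    """Return (finding, resource, principal) for entries that are broken or over-broad."""
    findings = []
    for resource, principal, perm, ops, hosts in parse_acls(text):
        if resource.endswith(GLOB_MARKERS) or hosts.endswith(GLOB_MARKERS):
            findings.append(("shell-expanded-wildcard", resource, principal))
        if principal == "User:":  # `User: *` was split into an empty principal
            findings.append(("empty-principal", resource, principal))
        if principal == "User:ANONYMOUS" and perm == "Allow" and ops == "All":
            findings.append(("anonymous-allow-all", resource, principal))
    return findings

print(audit_acls(ACL_LISTING))  # run stand-alone: list the findings
```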