Enabling SASL authentication on a Kafka cluster
SASL authentication
SASL is an authentication mechanism that extends the authentication capability of the client/server model. It standardises how client and server exchange challenges and responses and how the transmitted content is encoded. In short, SASL defines the rules of authentication: how the client stores its credentials and how client and server verify the password are both determined by SASL. Once a client passes verification, the server knows the client's identity and grants it the corresponding permissions.
The PLAIN mechanism
The most commonly used SASL mechanism is PLAIN. The username and password are transmitted as a base64 string (not encrypted).
If you need a more secure transport, combine it with TLS.
ZooKeeper
ZooKeeper is covered here because Kafka uses it for distributed coordination and configuration management.
ZooKeeper is middleware that supports distributed deployments and coordinates their work; it does not run as a standalone product.
As the figure shows, ZooKeeper manages Kafka's metadata and configuration centrally.
Deploying the ZooKeeper cluster
1) Prepare three servers (192.168.1.1, 192.168.1.2, 192.168.1.3)
2) Download ZooKeeper (download link)
3) Extract ZooKeeper (tar -xvf …)
4) Move the directory to the location of your choice (personal habit)
mv zookeeper-xxx /home/apps/zookeeper
5) Edit zoo.cfg
192.168.1.1
# zkServer.sh reads conf/zoo.cfg, so the copy must land in the conf directory
cp /home/apps/zookeeper/conf/zoo_sample.cfg /home/apps/zookeeper/conf/zoo.cfg
cat /home/apps/zookeeper/conf/zoo.cfg
# only the lines changed or added on this node are shown
server.1=0.0.0.0:2888:3888
server.2=192.168.1.2:2888:3888
server.3=192.168.1.3:2888:3888
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl
jaasLoginRenew=3600000
192.168.1.2
cp /home/apps/zookeeper/conf/zoo_sample.cfg /home/apps/zookeeper/conf/zoo.cfg
cat /home/apps/zookeeper/conf/zoo.cfg
server.1=192.168.1.1:2888:3888
server.2=0.0.0.0:2888:3888
server.3=192.168.1.3:2888:3888
authProvider.2=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl
jaasLoginRenew=3600000
192.168.1.3
cp /home/apps/zookeeper/conf/zoo_sample.cfg /home/apps/zookeeper/conf/zoo.cfg
cat /home/apps/zookeeper/conf/zoo.cfg
server.1=192.168.1.1:2888:3888
server.2=192.168.1.2:2888:3888
server.3=0.0.0.0:2888:3888
authProvider.3=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl
jaasLoginRenew=3600000
6) Run the start command on every node
sh /home/apps/zookeeper/bin/zkServer.sh start
The ZooKeeper cluster is now set up.
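The three zoo.cfg files above differ only in which server.N entry binds to 0.0.0.0 and in the authProvider index. The following added example (not code from the original post) renders them from one host list and cross-checks a set of node files, which catches the usual mistake of copying one node's file to another without moving the 0.0.0.0 entry; dataDir and the myid file are assumptions about the ZooKeeper layout, not taken from the page.

```python
# Added example (not from the original post): render the per-node zoo.cfg from one
# host list and check a set of node files against each other. dataDir is assumed.
import re
from typing import Dict, List

HOSTS = ["192.168.1.1", "192.168.1.2", "192.168.1.3"]  # the page's three nodes
SASL_PROVIDER = "org.apache.zookeeper.server.auth.SASLAuthenticationProvider"
SERVER_RE = re.compile(r"^server\.(\d+)=([^:]+):2888:3888$", re.M)

def zoo_cfg(node: int, hosts: List[str] = HOSTS) -> str:
    """zoo.cfg for node `node` (1-based): own entry binds 0.0.0.0, peers by address."""
    if not 1 <= node <= len(hosts):
        raise ValueError(f"node {node} outside 1..{len(hosts)}")
    lines = ["tickTime=2000", "initLimit=10", "syncLimit=5",
             "dataDir=/home/apps/zookeeper/data",  # assumed path; must hold the myid file
             "clientPort=2181"]
    for i, host in enumerate(hosts, start=1):
        lines.append(f"server.{i}={'0.0.0.0' if i == node else host}:2888:3888")
    lines += [f"authProvider.{node}={SASL_PROVIDER}",
              "requireClientAuthScheme=sasl", "jaasLoginRenew=3600000"]
    return "\n".join(lines) + "\n"

def myid(node: int) -> str:
    """Content of dataDir/myid; without it the node cannot join the quorum."""
    return f"{node}\n"

def check_quorum(cfgs: Dict[int, str], hosts: List[str] = HOSTS) -> List[str]:
    """Cross-check one zoo.cfg per node; return the list of problems (empty = ok)."""
    problems = []
    for node, cfg in cfgs.items():
        servers = {int(i): addr for i, addr in SERVER_RE.findall(cfg)}
        if set(servers) != set(range(1, len(hosts) + 1)):
            problems.append(f"node {node}: server.N entries do not cover 1..{len(hosts)}")
            continue
        for i, addr in servers.items():
            expected = "0.0.0.0" if i == node else hosts[i - 1]
            if addr != expected:
                problems.append(f"node {node}: server.{i} is {addr}, expected {expected}")
    return problems
```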
Deploying the Kafka cluster
1) Prepare three servers (192.168.1.1, 192.168.1.2, 192.168.1.3)
2) Download Kafka (download link)
3) Extract Kafka (tar -xvf …)
4) Move the directory to the location of your choice (personal habit)
mv kafka-xxx /home/apps/kafka
5) Edit the server.properties file
192.168.1.1
vim /home/apps/kafka/config/server.properties
# The id of the broker. This must be set to a unique integer for each broker.
broker.id=1
listeners=SASL_PLAINTEXT://0.0.0.0:9092
num.partitions=3
zookeeper.connect=192.168.1.1:2181,192.168.1.2:2181,192.168.1.3:2181
192.168.1.2
vim /home/apps/kafka/config/server.properties
# The id of the broker. This must be set to a unique integer for each broker.
broker.id=2
listeners=SASL_PLAINTEXT://0.0.0.0:9092
num.partitions=3
zookeeper.connect=192.168.1.1:2181,192.168.1.2:2181,192.168.1.3:2181
192.168.1.3
vim /home/apps/kafka/config/server.properties
# The id of the broker. This must be set to a unique integer for each broker.
broker.id=3
listeners=SASL_PLAINTEXT://0.0.0.0:9092
num.partitions=3
zookeeper.connect=192.168.1.1:2181,192.168.1.2:2181,192.168.1.3:2181
6) Run the start command on every node
sh /home/apps/kafka/bin/kafka-server-start.sh -daemon /home/apps/kafka/config/server.properties
The Kafka cluster is now set up.
Enabling SASL authentication
Backing up data
# create the backup directories
mkdir -p /home/apps/backup
mkdir -p /home/apps/backup/zookeeper
mkdir -p /home/apps/backup/kafka
# ZooKeeper backup
cp -ra /home/apps/zookeeper/lib /home/apps/backup/zookeeper/
cp -ra /home/apps/zookeeper/conf /home/apps/backup/zookeeper/
cp -ra /home/apps/zookeeper/bin /home/apps/backup/zookeeper/
# Kafka backup
cp -ra /home/apps/kafka/libs /home/apps/backup/kafka/
cp -ra /home/apps/kafka/config /home/apps/backup/kafka/
cp -ra /home/apps/kafka/bin /home/apps/backup/kafka/
ZooKeeper SASL configuration
1) Copy the Kafka-related jars into ZooKeeper's lib directory
cp /home/apps/kafka/libs/kafka-clients-2.2.0.jar /home/apps/zookeeper/lib/
cp /home/apps/kafka/libs/lz4-java-1.5.0.jar /home/apps/zookeeper/lib/
cp /home/apps/kafka/libs/slf4j-api-1.7.25.jar /home/apps/zookeeper/lib/
cp /home/apps/kafka/libs/slf4j-log4j12-1.7.25.jar /home/apps/zookeeper/lib/
cp /home/apps/kafka/libs/snappy-java-1.1.7.2.jar /home/apps/zookeeper/lib/
2) Modify zoo.cfg
# skip this if the three lines are already present from step 5 of the cluster deployment
echo -e "authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider\nrequireClientAuthScheme=sasl\njaasLoginRenew=3600000\n" >> /home/apps/zookeeper/conf/zoo.cfg
3) Write the zk_server_jaas.conf file, which defines the usernames and passwords required to connect to the ZooKeeper server
Server {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-2019"
user_kafka="kafka-2019"
user_producer="prod-2019";
};
4) Add the environment variable to zkEnv.sh
echo 'export SERVER_JVMFLAGS="-Djava.security.auth.login.config=/home/apps/zookeeper/conf/zk_server_jaas.conf"' >> /home/apps/zookeeper/bin/zkEnv.sh
5) Start the ZooKeeper service
/home/apps/zookeeper/bin/zkServer.sh start-foreground
Kafka SASL configuration
1) Create the kafka_server_jaas.conf file
# The KafkaServer section holds Kafka's own accounts and passwords; the Client section holds the username and password the broker uses to connect to ZooKeeper
KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-2019"
user_admin="admin-2019"
user_producer="prod-2019"
user_consumer="cons-2019";
};
Client {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="kafka"
password="kafka-2019";
};
2) Configure the server.properties file
192.168.1.1
listeners=SASL_PLAINTEXT://0.0.0.0:9092
advertised.listeners=SASL_PLAINTEXT://192.168.1.1:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.enabled.mechanisms=PLAIN
sasl.mechanism.inter.broker.protocol=PLAIN
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
# true: any authenticated user may access a resource that has no ACL yet; set to false once ACLs are in place
allow.everyone.if.no.acl.found=true
192.168.1.2
listeners=SASL_PLAINTEXT://0.0.0.0:9092
advertised.listeners=SASL_PLAINTEXT://192.168.1.2:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.enabled.mechanisms=PLAIN
sasl.mechanism.inter.broker.protocol=PLAIN
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
allow.everyone.if.no.acl.found=true
192.168.1.3
listeners=SASL_PLAINTEXT://0.0.0.0:9092
advertised.listeners=SASL_PLAINTEXT://192.168.1.3:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.enabled.mechanisms=PLAIN
sasl.mechanism.inter.broker.protocol=PLAIN
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
allow.everyone.if.no.acl.found=true
3) Add the environment variable to kafka-server-start.sh
export KAFKA_HEAP_OPTS="-Xmx1G -Xms1G -Djava.security.auth.login.config=/home/apps/kafka/config/kafka_server_jaas.conf"
4) Start the Kafka service
/home/apps/kafka/bin/kafka-server-start.sh /home/apps/kafka/config/server.properties
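With PLAIN, a login succeeds only if the receiving side lists a matching user_<name> entry, so the KafkaServer username/password must also appear as a user_ entry (for inter-broker connections) and the Client section must match a user_ entry in ZooKeeper's Server section. The following added example (not code from the original post) parses the two JAAS files written above, embedded as copies of the page's contents, and reports any such mismatch before the services are restarted.

```python
# Added example (not from the original post): cross-check the page's two JAAS
# files; the strings below are copies of them, embedded so this runs offline.
import re
from typing import Dict, List, Optional
ZK_SERVER_JAAS = """
Server {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-2019"
user_kafka="kafka-2019"
user_producer="prod-2019";
};
"""
KAFKA_SERVER_JAAS = """
KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-2019"
user_admin="admin-2019"
user_producer="prod-2019"
user_consumer="cons-2019";
};
Client {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="kafka"
password="kafka-2019";
};
"""
SECTION_RE = re.compile(r"(\w+)\s*\{(.*?)\};", re.S)
OPTION_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_jaas(text: str) -> Dict[str, Dict[str, str]]:
    """Map each login section name to its key="value" options."""
    return {name: dict(OPTION_RE.findall(body)) for name, body in SECTION_RE.findall(text)}

def _accepted(section: Dict[str, str], user: Optional[str], pw: Optional[str]) -> bool:
    # PlainLoginModule accepts a login only if user_<name> exists with that exact password
    return user is not None and pw is not None and section.get(f"user_{user}") == pw

def check_plain_consistency(zk_jaas: str, kafka_jaas: str) -> List[str]:
    """Return mismatches that would break broker-to-broker or broker-to-ZooKeeper login."""
    zk, kf = parse_jaas(zk_jaas), parse_jaas(kafka_jaas)
    srv, cli = kf.get("KafkaServer", {}), kf.get("Client", {})
    problems = []
    # inter-broker: the username/password a broker logs in with must also be a user_ entry
    if not _accepted(srv, srv.get("username"), srv.get("password")):
        problems.append("KafkaServer: username/password has no matching user_ entry")
    # broker -> ZooKeeper: the Client identity must be a user_ entry in ZooKeeper's Server
    if not _accepted(zk.get("Server", {}), cli.get("username"), cli.get("password")):
        problems.append("Client: credentials are not listed in ZooKeeper's Server section")
    return problems
```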
Rollback
# roll back to the state before SASL was enabled
# ZooKeeper rollback: remove the modified directories first, otherwise the copied
# SASL jars survive and cp would nest lib/ inside the existing lib/
rm -rf /home/apps/zookeeper/lib /home/apps/zookeeper/conf /home/apps/zookeeper/bin
cp -ra /home/apps/backup/zookeeper/lib /home/apps/zookeeper/
cp -ra /home/apps/backup/zookeeper/conf /home/apps/zookeeper/
cp -ra /home/apps/backup/zookeeper/bin /home/apps/zookeeper/
# Kafka rollback (Kafka's directories are libs and config, not lib and conf)
rm -rf /home/apps/kafka/libs /home/apps/kafka/config /home/apps/kafka/bin
cp -ra /home/apps/backup/kafka/libs /home/apps/kafka/
cp -ra /home/apps/backup/kafka/config /home/apps/kafka/
cp -ra /home/apps/backup/kafka/bin /home/apps/kafka/