
Kafka Security Mechanism (SASL/PLAIN)

Starting from Kafka 0.10.x, the Kafka broker supports username/password authentication. This mechanism is called SASL/PLAIN. The steps below describe how to set it up on an IOP 4.2.5 Kafka cluster.

1. Configure the Kafka brokers and Kafka Clients

Add a JAAS configuration file for each Kafka broker. Create a kafka_plain_jaas.conf file as specified below:

  KafkaServer {
      org.apache.kafka.common.security.plain.PlainLoginModule required
      username="kafka"
      password="kafka-secret"
      user_kafka="kafka-secret"
      user_ibm="ibm-secret";
  };
  KafkaClient {
      org.apache.kafka.common.security.plain.PlainLoginModule required
      username="ibm"
      password="ibm-secret";
  };

Let’s understand the content of kafka_plain_jaas.conf file and how Kafka Brokers and Kafka Clients use it.

KafkaServer Section:
The KafkaServer section defines two users: kafka and ibm. The properties username and password are the credentials the broker itself presents when it opens connections to other brokers; in this example kafka is the inter-broker user. The user_{userName} properties define the passwords of every user allowed to connect, and the broker validates all incoming connections, including those from other brokers, against them. Two practical points follow from this: the inter-broker user needs its own user_ entry (here user_kafka) or brokers cannot authenticate to each other, and the passwords sit in clear text in this file, so it should be readable only by the account the broker runs as.

KafkaClient Section:
The KafkaClient section describes how clients, producers and consumers, connect to the Kafka broker. Its username and password properties set the user for client connections; in this example clients connect to the broker as user "ibm". Brokers and clients on the same host can share one file because each side reads only its own section.
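The following is an added example, not code from the article or from Kafka itself, showing what the two JAAS sections mean once a client actually connects: a SASL/PLAIN exchange (RFC 4616) with the client side built from the KafkaClient section and the broker's credential table built from the user_<name> options of the KafkaServer section. The small JAAS parser, the function names and the inline copy of the configuration are assumptions of this example (Kafka loads the file through the JVM's JAAS support). The principal it returns is the one the ACL section at the end of the article refers to, and the eavesdropper view is why the listener should be SASL_SSL rather than SASL_PLAINTEXT outside a lab.

```python
import hmac
import re

# Constructed inline copy of the article's kafka_plain_jaas.conf (same content).
JAAS_CONF = """
KafkaServer {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="kafka"
    password="kafka-secret"
    user_kafka="kafka-secret"
    user_ibm="ibm-secret";
};
KafkaClient {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="ibm"
    password="ibm-secret";
};
"""

_SECTION_RE = re.compile(r"(\w+)\s*\{(.*?)\};", re.S)
_OPTION_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_jaas(text):
    """Hypothetical minimal parser: {section: {option: value}} for files laid
    out like the one above (one PlainLoginModule per section, quoted values).
    Kafka itself uses the JVM's javax.security.auth.login machinery."""
    return {name: dict(_OPTION_RE.findall(body))
            for name, body in _SECTION_RE.findall(text)}


def broker_credentials(server_section):
    """What the broker validates against: only the user_<name> options."""
    return {key[len("user_"):]: value
            for key, value in server_section.items()
            if key.startswith("user_")}


def plain_initial_response(username, password, authzid=""):
    """Client side of SASL/PLAIN (RFC 4616): a single message of the form
    [authzid] NUL authcid NUL passwd. There is no challenge, hash or salt;
    the password itself is sent, so only the transport can protect it."""
    for field in (authzid, username, password):
        if "\x00" in field:
            raise ValueError("NUL is the field separator and cannot appear in a field")
    return f"{authzid}\x00{username}\x00{password}".encode("utf-8")


def broker_authenticate(token, credentials):
    """Broker side: split the message, check the password against the
    user_<name> table and return the principal Kafka hands to the authorizer
    ('User:<name>'), or None when authentication fails."""
    parts = token.decode("utf-8").split("\x00")
    if len(parts) != 3:
        return None
    authzid, authcid, password = parts
    # Kafka rejects an authorization id that differs from the authenticated user.
    if authzid and authzid != authcid:
        return None
    expected = credentials.get(authcid)
    if not authcid or expected is None:
        return None
    if not hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        return None
    return f"User:{authcid}"


def credentials_on_the_wire(token):
    """What anyone sniffing a SASL_PLAINTEXT connection recovers from the
    token: the user name and the password, verbatim."""
    _, authcid, password = token.decode("utf-8").split("\x00")
    return authcid, password


def demo():
    """Run the exchange with the article's configuration."""
    jaas = parse_jaas(JAAS_CONF)
    creds = broker_credentials(jaas["KafkaServer"])
    client = jaas["KafkaClient"]
    token = plain_initial_response(client["username"], client["password"])
    return {
        "token": token,
        "principal": broker_authenticate(token, creds),
        "sniffed": credentials_on_the_wire(token),
    }


if __name__ == "__main__":
    result = demo()
    print("client sends  :", result["token"])
    print("broker accepts:", result["principal"])
    print("eavesdropper  :", result["sniffed"])
```

Run it as a script to see the three views of the same message. Changing the password in the token makes broker_authenticate return None, which is the case where the real broker fails the SASL authentication and closes the connection; changing the user name to one with no user_ entry fails the same way, which is how removing a user_ line revokes access.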

2. Pass the JAAS configuration location as a JVM parameter to the Kafka broker

Update the Advanced kafka-env section to add the properties below:

  export KAFKA_PLAIN_PARAMS="-Djava.security.auth.login.config=/usr/iop/4.2.5.0-0000/kafka/conf/kafka_plain_jaas.conf"
  export KAFKA_OPTS="$KAFKA_PLAIN_PARAMS $KAFKA_OPTS"
3. Add the SASL properties shown in the screenshot to the custom Kafka broker configuration.

[Screenshot: Kafka Broker Configuration]

4. Update the listeners property in the Kafka Broker section to SASL_PLAINTEXT://localhost:6667. SASL_PLAINTEXT authenticates the client but does not encrypt the connection, so the PLAIN password crosses the network in clear text; outside a test cluster, use SASL_SSL so that the exchange is protected by TLS.

[Screenshot: Kafka Broker Configuration]

5. Restart Kafka.

Run the Kafka console producer and console consumer to authenticate to the Kafka broker with the configured username and password. In this example the username used to connect to the brokers is "ibm", taken from the KafkaClient section. The JVM parameter java.security.auth.login.config for the console producer and console consumer is set by Step 2 above, since the client scripts read the same KAFKA_OPTS.
All the commands shown below are run from the path /usr/iop/4.2.5.0-0000/kafka.

Create a topic:
  [root@heel1 kafka]# bin/kafka-topics.sh --create --topic plain-topic --zookeeper heel1.fyre.ibm.com:2181 --partitions 1 --replication-factor 1
  [2017-04-10 12:06:22,239] WARN SASL configuration failed: javax.security.auth.login.LoginException: No JAAS configuration section named 'Client' was found in specified JAAS configuration file: '/usr/iop/4.2.5.0-0000/kafka/conf/kafka_plain_jaas.conf'. Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
  Created topic "plain-topic".

The WARN is expected: kafka-topics.sh talks to ZooKeeper rather than to the broker, and the ZooKeeper client looks for a JAAS section named Client, which this file does not define. The ZooKeeper ensemble here accepts unauthenticated connections, so the topic is still created. SASL/PLAIN on the broker does not protect this path; anyone who can reach ZooKeeper can still create or delete topics.
Run Kafka console producer

Before running the Kafka console producer, configure the producer.properties file as shown:

  [root@heel1 kafka]# cat producer.properties
  security.protocol=SASL_PLAINTEXT
  sasl.mechanism=PLAIN

  [root@heel1 kafka]# bin/kafka-console-producer.sh --broker-list heel1.fyre.ibm.com:6667 --topic plain-topic --producer.config producer.properties
  Message 1
  Message 2
  Message 3
  ^C
Run Kafka console consumer

Before running the Kafka console consumer, configure the consumer.properties file as shown:

  [root@heel1 kafka]# cat consumer.properties
  security.protocol=SASL_PLAINTEXT
  sasl.mechanism=PLAIN

  [root@heel1 kafka]# bin/kafka-console-consumer.sh --bootstrap-server heel1.fyre.ibm.com:6667 --topic plain-topic --from-beginning --consumer.config consumer.properties
  Message 1
  Message 2
  Message 3
  ^CProcessed a total of 3 messages

SASL/PLAIN with ACLs:
The username is used as the authenticated principal (User:ibm for the client above), and that principal is what authorization, for example ACLs, is evaluated against. Authentication alone does not restrict what a user may do: until an authorizer is configured on the broker, every authenticated user has full access to every topic.
For usage of ACLs, refer to the Kafka ACLs blog post.

For more information, refer to the Kafka documentation.


Source: reposted at https://www.wpsshop.cn/w/煮酒与君饮/article/detail/763536; the content was contributed by a user and copyright remains with the original author.