返回到文章

采纳

编辑于
半兽人

kafka实战kerberos(笔记)

kafka
kafka
实战

环境

版本:kafka_2.12-2.3.0
主机名:orchome
LSB Version: :core-4.1-amd64:core-4.1-noarch
Distributor ID: CentOS
Description: CentOS Linux release 7.5.1804 (Core)
Release: 7.5.1804
Codename: Core
Linux version 3.10.0-862.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) ) #1 SMP Fri Apr 20 16:44:24 UTC 2018

kerberos生成principal

## 创建principal
sudo /usr/sbin/kadmin.local -q 'addprinc -randkey zookeeper/orchome@EXAMPLE.COM'
sudo /usr/sbin/kadmin.local -q 'addprinc -randkey kafka/orchome@EXAMPLE.COM'
sudo /usr/sbin/kadmin.local -q 'addprinc -randkey clients/orchome@EXAMPLE.COM'

sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/kafka_server.keytab kafka/orchome@EXAMPLE.COM"
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/kafka_server.keytab zookeeper/orchome@EXAMPLE.COM"
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/kafka_client.keytab clients/orchome@EXAMPLE.COM"

## 检查
klist -t -e -k /etc/security/keytabs/kafka_zookeeper.keytab
klist -t -e -k /etc/security/keytabs/kafka_server.keytab
klist -t -e -k /etc/security/keytabs/kafka_client.keytab

各个文件详情

more /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = orchome
  admin_server = orchome
 }

[domain_realm]
kafka = EXAMPLE.COM
zookeeper = EXAMPLE.COM
clients = EXAMPLE.COM

kadmin.local

Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:  listprincs 
K/M@EXAMPLE.COM
admin/admin@EXAMPLE.COM
clients/orchome@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/orchome@EXAMPLE.COM
kafka/orchome@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
krbtgt/orchome@EXAMPLE.COM
zookeeper/orchome@EXAMPLE.COM

klist -t -e -k /var/kerberos/krb5kdc/kafka.keytab

Keytab name: FILE:/var/kerberos/krb5kdc/kafka.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 07/24/16 00:58:30 kafka/orchome@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 07/24/16 00:58:30 kafka/orchome@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 07/24/16 00:58:30 kafka/orchome@EXAMPLE.COM (des3-cbc-sha1)
   3 07/24/16 00:58:30 kafka/orchome@EXAMPLE.COM (arcfour-hmac)
   3 07/24/16 00:58:30 kafka/orchome@EXAMPLE.COM (des-hmac-sha1)
   3 07/24/16 00:58:30 kafka/orchome@EXAMPLE.COM (des-cbc-md5)
   2 07/24/16 12:23:18 zookeeper/orchome@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 07/24/16 12:23:18 zookeeper/orchome@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 07/24/16 12:23:18 zookeeper/orchome@EXAMPLE.COM (des3-cbc-sha1)
   2 07/24/16 12:23:18 zookeeper/orchome@EXAMPLE.COM (arcfour-hmac)
   2 07/24/16 12:23:18 zookeeper/orchome@EXAMPLE.COM (des-hmac-sha1)
   2 07/24/16 12:23:18 zookeeper/orchome@EXAMPLE.COM (des-cbc-md5)
   2 07/25/16 11:31:37 kafka/127.0.0.1@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 07/25/16 11:31:37 kafka/127.0.0.1@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 07/25/16 11:31:37 kafka/127.0.0.1@EXAMPLE.COM (des3-cbc-sha1)
   2 07/25/16 11:31:37 kafka/127.0.0.1@EXAMPLE.COM (arcfour-hmac)
   2 07/25/16 11:31:37 kafka/127.0.0.1@EXAMPLE.COM (des-hmac-sha1)
   2 07/25/16 11:31:37 kafka/127.0.0.1@EXAMPLE.COM (des-cbc-md5)
   3 07/25/16 13:13:31 kafka/orchome@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 07/25/16 13:13:31 kafka/orchome@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 07/25/16 13:13:31 kafka/orchome@EXAMPLE.COM (des3-cbc-sha1)
   3 07/25/16 13:13:31 kafka/orchome@EXAMPLE.COM (arcfour-hmac)
   3 07/25/16 13:13:31 kafka/orchome@EXAMPLE.COM (des-hmac-sha1)
   3 07/25/16 13:13:31 kafka/orchome@EXAMPLE.COM (des-cbc-md5)
   2 07/25/16 15:07:58 zookeeper/127.0.0.1@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 07/25/16 15:07:58 zookeeper/127.0.0.1@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 07/25/16 15:07:58 zookeeper/127.0.0.1@EXAMPLE.COM (des3-cbc-sha1)
   2 07/25/16 15:07:58 zookeeper/127.0.0.1@EXAMPLE.COM (arcfour-hmac)
   2 07/25/16 15:07:58 zookeeper/127.0.0.1@EXAMPLE.COM (des-hmac-sha1)
   2 07/25/16 15:07:58 zookeeper/127.0.0.1@EXAMPLE.COM (des-cbc-md5)
   2 07/25/16 18:47:55 clients@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 07/25/16 18:47:55 clients@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 07/25/16 18:47:55 clients@EXAMPLE.COM (des3-cbc-sha1)
   2 07/25/16 18:47:55 clients@EXAMPLE.COM (arcfour-hmac)
   2 07/25/16 18:47:55 clients@EXAMPLE.COM (des-hmac-sha1)
   2 07/25/16 18:47:55 clients@EXAMPLE.COM (des-cbc-md5)

more /etc/kafka/zookeeper_jaas.conf

Server{
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    useTicketCache=false
    keyTab="/etc/security/keytabs/kafka_zookeeper.keytab"
    principal="zookeeper/orchome@EXAMPLE.COM";
};

more /etc/kafka/kafka_server_jaas.conf

KafkaServer {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   storeKey=true
   keyTab="/etc/security/keytabs/kafka_server.keytab"
   principal="kafka/orchome@EXAMPLE.COM";
};

// Zookeeper client authentication
Client {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   storeKey=true
   keyTab="/etc/security/keytabs/kafka_server.keytab"
   principal="kafka/orchome@EXAMPLE.COM";
};

more /etc/kafka/kafka_client_jaas.conf

KafkaClient {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   storeKey=true
   keyTab="/etc/security/keytabs/kafka_client.keytab"
   principal="clients/orchome@EXAMPLE.COM";
};

more config/server.properties

listeners=SASL_PLAINTEXT://orchome:9093
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.enabled.mechanisms=GSSAPI
sasl.kerberos.service.name=kafka

more start-zk-and-kafka.sh

#!/bin/bash
export KAFKA_HEAP_OPTS='-Xmx256M'
export KAFKA_OPTS='-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/etc/kafka/zookeeper_jaas.conf'
bin/zookeeper-server-start.sh config/zookeeper.properties &

sleep 5

export KAFKA_OPTS='-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/etc/kafka/kafka_server_jaas.conf'
bin/kafka-server-start.sh config/server.properties

more config/zookeeper.properties

authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl
jaasLoginRenew=3600000

more config/producer.properties/consumer.properties

security.protocol=SASL_PLAINTEXT
sasl.mechanism=GSSAPI
sasl.kerberos.service.name=kafka

more producer2.sh

export KAFKA_OPTS="-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/etc/kafka/kafka_client_jaas.conf"

bin/kafka-console-producer.sh --broker-list orchome:9093 --topic test --producer.config config/producer.properties

more consumer2.sh

export KAFKA_OPTS="-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/etc/kafka/kafka_client_jaas.conf"

bin/kafka-console-consumer.sh --bootstrap-server orchome:9093 --topic test --new-consumer --from-beginning --consumer.config config/consumer.properties

本例说明文档来自

kafka使用SASL/Kerberos认证