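Integrating Kafka with Kerberos on CDH 6.3.2

1. Kafka configuration changes

1) Enable Kafka security authentication
In the Kafka configuration, search for kerberos.auth.enable and check it.

2) Set the Kafka authentication method
In the Kafka settings, search for security.inter.broker.protocol and change it to SASL_PLAINTEXT.

3) Configure kafka.properties
On the Kafka configuration page, search for kafka.properties to find the Kafka Broker Advanced Configuration Snippet (Safety Valve), and add the following to its value:
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:kafka;User:admin;

4) Enable command-line kinit for Kafka
vi /etc/kafka/conf/kafka_client/kafka_client_jaas.conf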
KafkaServer {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab="/opt/software/kerberos/kafka.keytab"
principal="kafka@HADOOP.COM";
};
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=false
useTicketCache=true
renewTicket=true;
};
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/opt/software/kerberos/kafka.keytab"
storeKey=true
useTicketCache=false
principal="kafka@HADOOP.COM";
};
vi /etc/kafka/conf/kafka_client/config.properties
security.protocol=SASL_PLAINTEXT
sasl.mechanism=GSSAPI
sasl.kerberos.service.name=kafka
vi kafka-run-class.sh
Search for /JVM
In KAFKA_JVM_PERFORMANCE_OPTS, add:
-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/etc/kafka/conf/kafka_client/kafka_client_jaas.conf
Verification:
Create a producer
kafka-console-producer --broker-list cdh01:9092 --topic test1 --producer.config /etc/kafka/conf/kafka_client/producer.properties
Create a consumer
kafka-console-consumer --bootstrap-server cdh01:9092,cdh02:9092,cdh03:9092 --topic test_0825 --from-beginning --consumer.config /etc/kafka/conf/kafka_client/config.properties
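A pre-flight check for the client files configured above, as an added example that is not part of the original post. The function names check_kafka_client and make_sample are hypothetical, and the sample files are constructed in a temporary directory to mirror this page's JAAS and properties files.

```shell
#!/bin/sh
# Added example: returns the number of findings for a JAAS file and a client properties file.
check_kafka_client() {
  jaas=$1 props=$2 findings=0
  # The console producer/consumer log in through the KafkaClient JAAS section.
  grep -Eq '^[[:space:]]*KafkaClient[[:space:]]*\{' "$jaas" || {
    echo "FAIL: $jaas has no KafkaClient section"; findings=$((findings + 1)); }
  # Last assignment wins, as in a Java properties file.
  proto=$(sed -n 's/^security\.protocol=//p' "$props" | tail -n 1)
  case $proto in
    SASL_SSL) ;;
    SASL_PLAINTEXT)
      echo "WARN: SASL_PLAINTEXT authenticates via Kerberos but sends data unencrypted"
      findings=$((findings + 1)) ;;
    *) echo "FAIL: security.protocol='$proto' is not a SASL protocol"
       findings=$((findings + 1)) ;;
  esac
  # Must match the primary of the broker principal (kafka on this page).
  grep -q '^sasl\.kerberos\.service\.name=kafka$' "$props" || {
    echo "FAIL: sasl.kerberos.service.name=kafka missing from $props"; findings=$((findings + 1)); }
  # A keytab is a long-term credential: it must exist and be closed to group/other.
  for keytab in $(sed -n 's/^[[:space:]]*keyTab="\([^"]*\)".*/\1/p' "$jaas" | sort -u); do
    if [ ! -f "$keytab" ]; then
      echo "FAIL: keytab $keytab not found"; findings=$((findings + 1))
    elif [ "$(ls -ld "$keytab" | cut -c5-10)" != "------" ]; then
      echo "FAIL: keytab $keytab is accessible to group/other"; findings=$((findings + 1))
    fi
  done
  return "$findings"
}

# Constructed sample input mirroring this page's files (the keytab is an empty stand-in).
make_sample() {
  dir=$(mktemp -d); : > "$dir/kafka.keytab"; chmod "$1" "$dir/kafka.keytab"
  mod='com.sun.security.auth.module.Krb5LoginModule required'
  printf 'KafkaServer {\n  %s\n  useKeyTab=true\n  keyTab="%s"\n  principal="kafka@HADOOP.COM";\n};\n' \
    "$mod" "$dir/kafka.keytab" > "$dir/jaas.conf"
  printf 'KafkaClient {\n  %s\n  useTicketCache=true;\n};\n' "$mod" >> "$dir/jaas.conf"
  printf 'security.protocol=SASL_PLAINTEXT\nsasl.kerberos.service.name=kafka\n' > "$dir/config.properties"
  echo "$dir"
}

d=$(make_sample 644)
check_kafka_client "$d/jaas.conf" "$d/config.properties" || echo "findings: $?"
rm -rf "$d"
```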