Kafka ACL configuration

Overview

Kafka ships with a pluggable Authorizer and an out-of-the-box authorizer implementation that uses ZooKeeper to store all ACLs. By default, if a resource R has no ACL associated with it, no user except the super users is allowed to access it. If you want to change this behaviour, you can do so in broker.properties (the setting is given under Configuration below).

An ACL is defined in the form "Principal P is [Allowed/Denied] Operation O From Host H On Resource R"; you can read more about the ACL structure in KIP-11. To add, remove or list ACLs you use the Kafka authorizer CLI. The table below lists the relationship between operations, resources and APIs.

Operation       Resource  API
ALTER           Topic     AlterTopics (will be introduced in a future release)
CLUSTER_ACTION  Cluster   LeaderAndIsr
CLUSTER_ACTION  Cluster   StopReplica
CLUSTER_ACTION  Cluster   UpdateMetadata
CLUSTER_ACTION  Cluster   ControlledShutdown
CREATE          Cluster   CreateTopics (will be introduced in a future release)
CREATE          Cluster   Metadata, if auto.create.topics.enable is set
DELETE          Topic     DeleteTopics (will be introduced in a future release)
DESCRIBE        Topic     Offsets
DESCRIBE        Topic     Metadata
DESCRIBE        Cluster   ListGroups
DESCRIBE        Group     DescribeGroup
READ            Group     GroupCoordinator
READ            Group     Heartbeat
READ            Group     JoinGroup
READ            Group     LeaveGroup
READ            Group     OffsetCommit
READ            Group     OffsetFetch
READ            Group     SyncGroup
READ            Topic     Fetch
READ            Topic     GroupCoordinator
READ            Topic     OffsetCommit
READ            Topic     OffsetFetch
WRITE           Topic     Produce

The operations above apply to all clients (producers, consumers, admin tools) and to the operations brokers perform among themselves inside the cluster. In a secured Kafka cluster, both client operations and inter-broker operations must be authorized. Inter-broker operations fall into two groups: cluster and topic. Cluster operations concern management of the cluster itself, such as broker upgrades, partition metadata, leader changes, setting a partition's in-sync replicas, and controlled shutdown of the cluster.

Because topic partitions are replicated, it is important to grant, for every topic, permission to communicate with all brokers in the cluster. Replicating a topic partition between brokers requires the READ and DESCRIBE permissions; READ implicitly includes DESCRIBE.

There are two ways to avoid configuring inter-broker ACLs for every single topic:
1. Configure a super user, which is allowed to access all resources and manage the cluster (described separately below)
2. Set your ACLs using wildcards
Producers and consumers need to be authorized to operate on topics, but they should be configured with different principals. Producers need to be granted WRITE and READ. Remember as well that administrators run the command line tools and need authorization too. Administrators need to be granted DELETE, CREATE and ALTER (not yet supported).
Common scenarios:
To create a topic, the client's principal needs the CREATE and DESCRIBE operations on the topic
To produce, the client's principal needs the WRITE operation on the topic
To consume, the client's principal needs the READ operation on the topic and on the group
Note: the server side needs to be granted permission to update metadata (CLUSTER_ACTION) and permission to read topic replicas.

Configuration

To enable Kafka ACLs you need to configure an authorizer. Kafka ships with a simple authorizer implementation; to use it, set the following in server.properties:
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
By default, if a resource R has no ACL associated with it, no user except the super users is allowed to access it. If you want to change that, set:
allow.everyone.if.no.acl.found=true
Configure super users (server.properties):
super.users=User:Bob;User:Alice
By default, the SSL user name has the form "CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown". This can be changed by setting a custom PrincipalBuilder in broker.properties, as follows:
principal.builder.class=CustomizedPrincipalBuilderClass
By default, the SASL user name is the primary part of the Kerberos principal. This can be changed with custom rules in sasl.kerberos.principal.to.local.rules in broker.properties.

If SSL is enabled but client authentication is not, clients that connect to the cluster through the SSL port appear in the server log as the user ANONYMOUS. This configuration provides encryption and server authentication, but the client connects anonymously. The other case in which clients connect as ANONYMOUS is when the server uses a PLAINTEXT channel. Granting the anonymous user read/write permission therefore means you allow anyone to connect to the cluster without being authenticated.

Granting ACLs

1. Check the environment

Confirm that no ACLs exist yet
[root@hadoop001 bin]# ./kafka-acls.sh --list --authorizer-properties zookeeper.connect=localhost:2181/kafka 
[root@hadoop001 bin]# 

2. Grant the user cluster management permission

[root@hadoop001 bin]# ./kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181/kafka --allow-principal User:ANONYMOUS  --cluster --add
Adding ACLs for resource `Cluster:kafka-cluster`: 
        User:ANONYMOUS has Allow permission for operations: All from hosts: * 

Current ACLs for resource `Cluster:kafka-cluster`: 
        User:ANONYMOUS has Allow permission for operations: All from hosts: * 
Verify (produce)
[root@hadoop001 ~]# kafka-console-producer --broker-list hadoop001:9092 --topic test
23r123
[2017-01-06 15:22:45,804] WARN Error while fetching metadata with correlation id 0 : {test=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
[2017-01-06 15:22:45,886] WARN Error while fetching metadata with correlation id 1 : {test=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
Verify (consume)
[root@hadoop001 ~]# kafka-consolconsumer --bootstrap-server hadoop001:9092 --from-beginning --topic test --new-consumer   
[2017-01-06 15:25:24,289] WARN Error while fetching metadata with correlation id 1 : {test=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
[2017-01-06 15:25:24,292] ERROR Unknown error when running consumer:  (kafka.tools.ConsoleConsumer$)
org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to access group: console-consumer-47668

3. Grant the user produce permission

Producing data before the grant
[root@hadoop001 ~]# kafka-console-producer --broker-list hadoop001:9092 --topic test
2525
235235
325t235
The Kafka server log reports the following error:
Topic and partition to exceptions: test-1 -> org.apache.kafka.common.errors.TopicAuthorizationException
Grant the permission and verify the result
[root@hadoop001 bin]# ./kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181/kafka --allow-principal User:ANONYMOUS  --producer --topic=*  --add
Adding ACLs for resource `Topic:*`: 
        User:ANONYMOUS has Allow permission for operations: Describe from hosts: *
        User:ANONYMOUS has Allow permission for operations: Write from hosts: * 

Adding ACLs for resource `Cluster:kafka-cluster`: 
        User:ANONYMOUS has Allow permission for operations: Create from hosts: * 

Current ACLs for resource `Topic:*`: 
        User:ANONYMOUS has Allow permission for operations: Describe from hosts: *
        User:ANONYMOUS has Allow permission for operations: Write from hosts: *
        User:ANONYMOUS has Allow permission for operations: Read from hosts: * 

[root@hadoop001 bin]# ./kafka-acls.sh --list --authorizer-properties zookeeper.connect=localhost:2181/kafka 
Current ACLs for resource `Topic:*`: 
        User:ANONYMOUS has Allow permission for operations: Describe from hosts: *
        User:ANONYMOUS has Allow permission for operations: Write from hosts: *
        User:ANONYMOUS has Allow permission for operations: Read from hosts: * 

Current ACLs for resource `Cluster:kafka-cluster`: 
        User:ANONYMOUS has Allow permission for operations: Create from hosts: *
        User:ANONYMOUS has Allow permission for operations: All from hosts: *

Verify (produce): the error is now about the leader
[root@hadoop001 ~]# kafka-console-producer --broker-list hadoop001:9092 --topic test
2rt2
[2017-01-06 15:27:16,236] WARN Error while fetching metadata with correlation id 0 : {test=LEADER_NOT_AVAILABLE} (org.apache.kafka.clients.NetworkClient)
[2017-01-06 15:27:16,323] WARN Error while fetching metadata with correlation id 1 : {test=LEADER_NOT_AVAILABLE} (org.apache.kafka.clients.NetworkClient)

4. Grant consume permission

Without consume permission, consuming fails
[root@hadoop001 bin]# kafka-console-consumer --bootstrap-server hadoop001:9092 --new-consumer --topic test --from-beginning
[2017-01-06 16:03:14,746] ERROR Unknown error when running consumer:  (kafka.tools.ConsoleConsumer$)
org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to access group: console-consumer-5669

Grant the permission and verify the result
[root@hadoop001 bin]# ./kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181/kafka --allow-principal User:ANONYMOUS  --consumer --topic=* --group=*  --add
Adding ACLs for resource `Topic:*`: 
        User:ANONYMOUS has Allow permission for operations: Describe from hosts: *
        User:ANONYMOUS has Allow permission for operations: Read from hosts: * 

Adding ACLs for resource `Group:*`: 
        User:ANONYMOUS has Allow permission for operations: Read from hosts: * 

Current ACLs for resource `Topic:*`: 
        User:ANONYMOUS has Allow permission for operations: Describe from hosts: *
        User:ANONYMOUS has Allow permission for operations: Write from hosts: *
        User:ANONYMOUS has Allow permission for operations: Read from hosts: * 

Current ACLs for resource `Group:*`: 
        User:ANONYMOUS has Allow permission for operations: Read from hosts: * 


[root@hadoop001 bin]# ./kafka-acls.sh --list --authorizer-properties zookeeper.connect=localhost:2181/kafka 
Current ACLs for resource `Group:*`: 
        User:ANONYMOUS has Allow permission for operations: Read from hosts: * 

Current ACLs for resource `Topic:*`: 
        User:ANONYMOUS has Allow permission for operations: Describe from hosts: *
        User:ANONYMOUS has Allow permission for operations: Write from hosts: *
        User:ANONYMOUS has Allow permission for operations: Read from hosts: * 

Current ACLs for resource `Cluster:kafka-cluster`: 
        User:ANONYMOUS has Allow permission for operations: Create from hosts: *
        User:ANONYMOUS has Allow permission for operations: All from hosts: * 
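
The listing above leaves User:ANONYMOUS with Read/Write/Describe on Topic:* and Group:* and All on the cluster, which, as the Configuration section notes, amounts to letting anyone connect without authentication. The shell script below is an added example and not part of the original post: it parses kafka-acls.sh --list output (the sample is constructed in the same format as the listing) and flags such grants. The principal User:app1, the topic orders and the host 10.0.0.5 in the sample are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the output of
# `kafka-acls.sh --list` for the grants the post warns about, namely
# User:ANONYMOUS (unauthenticated clients), the "All" operation, and
# wildcard Topic:*/Group:* resources, each reachable from any host.
# SAMPLE_ACL_LIST is constructed here in the same format as the listing
# above; in practice pipe the real --list output into audit_acls.

SAMPLE_ACL_LIST='Current ACLs for resource `Group:*`:
        User:ANONYMOUS has Allow permission for operations: Read from hosts: *

Current ACLs for resource `Topic:*`:
        User:ANONYMOUS has Allow permission for operations: Describe from hosts: *
        User:ANONYMOUS has Allow permission for operations: Write from hosts: *

Current ACLs for resource `Topic:orders`:
        User:app1 has Allow permission for operations: Write from hosts: 10.0.0.5

Current ACLs for resource `Cluster:kafka-cluster`:
        User:ANONYMOUS has Allow permission for operations: All from hosts: *'

# audit_acls: reads kafka-acls.sh --list output on stdin and prints one
# line per risky Allow entry as RESOURCE|PRINCIPAL|OPERATION|HOST|REASONS.
audit_acls() {
    awk '
    function flag(r) { reasons = (reasons == "" ? r : reasons "," r) }
    /^Current ACLs for resource/ {
        res = $0
        sub(/^Current ACLs for resource `/, "", res)
        sub(/`:.*$/, "", res)
        next
    }
    /has (Allow|Deny) permission for operations:/ {
        principal = $1; perm = $3; op = $7; host = $NF; reasons = ""
        if (principal == "User:ANONYMOUS") flag("anonymous-principal")
        if (op == "All")                  flag("all-operations")
        if (res ~ /^(Topic|Group):\*$/)   flag("wildcard-resource")
        if (reasons != "" && host == "*") flag("any-host")
        if (reasons != "" && perm == "Allow")
            printf "%s|%s|%s|%s|%s\n", res, principal, op, host, reasons
    }'
}

# count_findings: number of risky entries in the constructed sample (4).
count_findings() {
    printf '%s\n' "$SAMPLE_ACL_LIST" | audit_acls | wc -l | tr -d ' '
}

count_findings
```

The User:app1 entry is scoped to one topic and one host and is not reported; Deny entries are parsed but never flagged.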

Note:

1. Because of Kafka's replication, Read on all topics must be granted to the brokers in the broker list, otherwise the following error appears
2017-01-06 15:39:21,575 ERROR kafka.server.ReplicaFetcherThread: [ReplicaFetcherThread-0-10000], Error for partition [__consumer_offsets,1] to broker 10000:org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [Topic authorization failed.]


2017-01-06 15:43:13,255 ERROR kafka.server.ReplicaFetcherThread: [ReplicaFetcherThread-0-10000], Error for partition [test,0] to broker 10000:org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [Topic authorization failed.]

