Kafka: Adding SASL Authentication and Access Control, Part 2

If you have not read the previous post, read it first; this one will be much easier to follow.

The super user configured in server.properties can create topics and write to them directly.

To enforce access control, use kafka-acls.sh (kafka/bin/kafka-acls.sh) to configure permissions for each user.

List the users that are already configured

Add a permission: allow user wk2 to write to the topic nginxlog

./kafka-acls.sh --authorizer-properties zookeeper.connect=192.168.1.146:2181 --add --allow-principal User:wk2 --producer --topic nginxlog
Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name=nginxlog, patternType=LITERAL)`: 
 	(principal=User:wk2, host=*, operation=CREATE, permissionType=ALLOW)
	(principal=User:wk2, host=*, operation=DESCRIBE, permissionType=ALLOW)
	(principal=User:wk2, host=*, operation=WRITE, permissionType=ALLOW) 

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=nginxlog, patternType=LITERAL)`: 
 	(principal=User:wk2, host=*, operation=CREATE, permissionType=ALLOW)
	(principal=User:wk2, host=*, operation=WRITE, permissionType=ALLOW)
	(principal=User:wk2, host=*, operation=READ, permissionType=ALLOW)
	(principal=User:wktest, host=*, operation=WRITE, permissionType=ALLOW)
	(principal=User:wktest, host=*, operation=CREATE, permissionType=ALLOW)
	(principal=User:wktest, host=*, operation=DESCRIBE, permissionType=ALLOW)
	(principal=User:wk2, host=*, operation=DESCRIBE, permissionType=ALLOW) 

Likewise, for a cluster: zookeeper.connect=host1:2181,host2:2181,host3:2182

Allow user wk2 to read from the topic nginxlog, with consumer group test_group

./kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:wk2 --consumer --topic nginxlog --group test_group
Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name=nginxlog, patternType=LITERAL)`: 
 	(principal=User:wk2, host=*, operation=READ, permissionType=ALLOW)
	(principal=User:wk2, host=*, operation=DESCRIBE, permissionType=ALLOW) 

Adding ACLs for resource `ResourcePattern(resourceType=GROUP, name=test_group, patternType=LITERAL)`: 
 	(principal=User:wk2, host=*, operation=READ, permissionType=ALLOW) 

Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=test_group, patternType=LITERAL)`: 
 	(principal=User:alice, host=*, operation=READ, permissionType=ALLOW)
	(principal=User:wk2, host=*, operation=READ, permissionType=ALLOW) 

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=nginxlog, patternType=LITERAL)`: 
 	(principal=User:wk2, host=*, operation=CREATE, permissionType=ALLOW)
	(principal=User:wk2, host=*, operation=WRITE, permissionType=ALLOW)
	(principal=User:wk2, host=*, operation=READ, permissionType=ALLOW)
	(principal=User:wktest, host=*, operation=WRITE, permissionType=ALLOW)
	(principal=User:wktest, host=*, operation=CREATE, permissionType=ALLOW)
	(principal=User:wktest, host=*, operation=DESCRIBE, permissionType=ALLOW)
	(principal=User:wk2, host=*, operation=DESCRIBE, permissionType=ALLOW) 

The users also have to be added by hand to kafka_server_jaas.conf

KafkaServer {
 org.apache.kafka.common.security.plain.PlainLoginModule required
 username="kafka"
 password="kafkapasswd"
 user_kafka="kafkapasswd"
 user_wktest="wktest"
 user_wk2="wk2";
};

View the ACL list

./kafka-acls.sh --authorizer-properties zookeeper.connect=192.168.1.146:2181 --list --topic nginxlog
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=nginxlog, patternType=LITERAL)`: 
 	(principal=User:wk2, host=*, operation=CREATE, permissionType=ALLOW)
	(principal=User:wk2, host=*, operation=WRITE, permissionType=ALLOW)
	(principal=User:wk2, host=*, operation=READ, permissionType=ALLOW)
	(principal=User:wktest, host=*, operation=WRITE, permissionType=ALLOW)
	(principal=User:wktest, host=*, operation=CREATE, permissionType=ALLOW)
	(principal=User:wktest, host=*, operation=DESCRIBE, permissionType=ALLOW)
	(principal=User:wk2, host=*, operation=DESCRIBE, permissionType=ALLOW)
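
Because ACLs live in ZooKeeper while SASL/PLAIN users live in kafka_server_jaas.conf, the two can drift apart. The following is an added example, not part of the original post: it parses `kafka-acls.sh --list` output in the format shown above and cross-checks it against the `user_<name>` entries in the JAAS file. The sample inputs are constructed, the function names `parse_acls` and `audit` are hypothetical, and it assumes PLAIN is the only enabled mechanism.

```python
import re

# Constructed samples: `kafka-acls.sh --list` output and a KafkaServer JAAS section.
ACL_LIST = """\
Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=test_group, patternType=LITERAL)`:
  (principal=User:alice, host=*, operation=READ, permissionType=ALLOW)
  (principal=User:wk2, host=*, operation=READ, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=nginxlog, patternType=LITERAL)`:
  (principal=User:wk2, host=*, operation=WRITE, permissionType=ALLOW)
  (principal=User:wktest, host=*, operation=DESCRIBE, permissionType=ALLOW)
"""
JAAS = """\
KafkaServer {
 org.apache.kafka.common.security.plain.PlainLoginModule required
 username="kafka"
 password="kafkapasswd"
 user_kafka="kafkapasswd"
 user_wktest="wktest"
 user_wk2="wk2";
};
"""

RESOURCE = re.compile(r"resourceType=(\w+), name=([^,]+), patternType=\w+")
ENTRY = re.compile(r"\(principal=User:([^,]+), host=([^,]+), operation=(\w+), permissionType=(\w+)\)")
JAAS_USER = re.compile(r"^\s*user_([^=\s]+)\s*=", re.M)  # matches user_<name>=, not username=

def parse_acls(text):
    """Return {principal: [(resource_type, name, host, operation, permission), ...]}."""
    acls, resource = {}, None
    for line in text.splitlines():
        if m := RESOURCE.search(line):
            resource = m.group(1, 2)          # header line starts a new resource
        elif (m := ENTRY.search(line)) and resource:
            user, host, op, perm = m.groups()
            acls.setdefault(user, []).append((*resource, host, op, perm))
    return acls

def audit(acl_text, jaas_text):
    """Cross-check ACL principals against the SASL/PLAIN users the broker accepts."""
    acls, users = parse_acls(acl_text), set(JAAS_USER.findall(jaas_text))
    return {
        "acl_without_login": sorted(set(acls) - users),  # grant exists, user cannot log in
        "login_without_acl": sorted(users - set(acls)),  # expected only for super.users
        "any_host": sorted(u for u, e in acls.items() if any(x[2] == "*" for x in e)),
    }

if __name__ == "__main__":
    print(audit(ACL_LIST, JAAS))
```
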
