kafka增加了账号认证后标志着它向企业级发展迈出了关键的一步,在这个功能后kafka也终于有了大版本,到现在已经演进到1.1.0,发展迅速以至于国内相关实践的资料很少,或者问题较多,经过一番折腾后发现有点复杂,所以把过程分享给大家,帮助大家少走弯路,主要使用SASL_PLAINTEXT 实现认证。
系统要求:
centos7.4/7.5 jdk1.8 /data为数据目录 各服务器的防火墙相互允许所有端口访问
服务器三台:
server1 172.16.99.35
server2 172.16.99.36
server3 172.16.99.37
下载:
wget http://archive.apache.org/dist/kafka/1.1.0/kafka_2.11-1.1.0.tgz
解压:
tar -zxvf kafka_2.11-1.1.0.tgz -C /usr/local/
mv /usr/local/kafka_2.11-1.1.0 /usr/local/kafka
1.zookeeper配置
1.搭建集群
每台服务都执行:
mkdir -p /data/app/kafka/data/zookeeper
mkdir -p /data/app/logs/kafka/zookeeper
vi /usr/local/kafka/config/zookeeper.properties
dataDir=/data/app/kafka/data/zookeeper
dataLogDir=/data/app/logs/kafka/zookeeper
# the port at which the clients will connect
clientPort=2181
# disable the per-ip limit on the number of connections since this is a non-production config
maxClientCnxns=20
tickTime=2000
initLimit=5
syncLimit=2
server.1=172.16.99.35:2888:3888
server.2=172.16.99.36:2888:3888
server.3=172.16.99.37:2888:3888
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl
jaasLoginRenew=3600000
2.设置zookeeper主机id
echo 1 > /data/app/kafka/data/zookeeper/myid
注意:这个id是zookeeper的主机标示,每个主机id不同第二台是2 第三台是3。
3.启动
逐次启动3台机器的zookeeper 构成一个集群
cd /usr/local/kafka
bin/zookeeper-server-start.sh -daemon config/zookeeper.properties
2.kafka集群配置
每台服务器都需要重复以下操作
1.创建kafka登陆认证文件
vi /usr/local/kafka/config/kafka_client_jaas.conf
KafkaClient {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="test"
password="testpwd";
};
vi /usr/local/kafka/config/kafka_server_jaas.conf
KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="adminpwd"
user_admin="adminpwd"
user_test="testpwd"
};
Client {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="adminpwd";
};
vi /usr/local/kafka/config/kafka_zoo_jaas.conf
Server {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="adminpwd"
user_admin="adminpwd";
};
2.绑定认证文件
修改kafka各项sh脚本,在最后一行之前添加绑定
在/usr/local/kafka/bin/zookeeper-server-start.sh中添加:
export KAFKA_OPTS=" -Djava.security.auth.login.config=/usr/local/kafka/config/kafka_zoo_jaas.conf"
在/usr/local/kafka/bin/kafka-server-start.sh中添加:
export KAFKA_OPTS=" -Djava.security.auth.login.config=/usr/local/kafka/config/kafka_server_jaas.conf"
在/usr/local/kafka/bin/kafka-console-consumer.sh/kafka-console-producer.sh中添加:
export KAFKA_OPTS=" -Djava.security.auth.login.config=/usr/local/kafka/config/kafka_client_jaas.conf"
3.kafka添加SASL_PLAINTEXT支持
在/usr/local/kafka/config/server.properties文件最后添加:
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.enabled.mechanisms=PLAIN
sasl.mechanism.inter.broker.protocol=PLAIN
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:admin
auto.create.topics.enable=false
allow.everyone.if.no.acl.found=false
在/usr/local/kafka/config/producer.properties文件最后添加:
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
在/usr/local/kafka/config/consumer.properties文件最后添加:
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
4.kafka集群设置
在/usr/local/kafka/config/server.properties修改如下的值:
zookeeper.connect=172.16.99.35:2181,172.16.99.36:2181,172.16.99.37:2181
listeners=SASL_PLAINTEXT://:9092
advertised.listeners=SASL_PLAINTEXT://本机内网IP:9092 (当需要提供外网服务时则为本机外网IP,防火墙须打开外网IP相互访问9092端口)
log.dirs=/data/app/logs/kafka/kafka-logs
broker.id=0 (数字,每个服务都是唯一值)
5.启动
依次启动
/usr/local/kafka/bin/kafka-server-start.sh -daemon /usr/local/kafka/config/server.properties
3.kafka测试
创建topic:
/usr/local/kafka/bin/kafka-topics.sh --create --zookeeper localhost:2181 --replication-factor 3 --partitions 3 --topic test_topic replication-factor
查看所有topic:
/usr/local/kafka/bin/kafka-topics.sh --list --zookeeper localhost:2181
创建有权限的消费者
/usr/local/kafka/bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:test --operation Create --cluster kafka-cluster (consumer不包括create 会导致无法读,所以需要单独加,但producer却会自动加)
/usr/local/kafka/bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:test --consumer --topic test_topic --group test-consumer-group
创建生产者
/usr/local/kafka/bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:test --producer --topictest_topic
生产数据
/usr/local/kafka/bin/kafka-console-producer.sh --broker-list 172.16.99.35:9092 --topic test_topic --producer.config=/usr/local/kafka/config/producer.properties
消费数据:
/usr/local/kafka/bin/kafka-console-consumer.sh --bootstrap-server 172.16.99.36:9092 --topic test_topic --from-beginning --consumer.config=/usr/local/kafka/config/consumer.properties
4.kafka压力测试
在/usr/local/kafka/bin/kafka-consumer-perf-test.sh/kafka-producer-perf-test.sh倒数第一行前添加:
export KAFKA_OPTS=" -Djava.security.auth.login.config=/usr/local/kafka/config/kafka_client_jaas.conf"
执行压测脚本:
/usr/local/kafka/bin/kafka-consumer-perf-test.sh --consumer.config /usr/local/kafka/config/consumer.properties --broker-list 172.16.99.35:9092,172.16.99.36:9092,172.16.99.37:9092 -messages 50000 --topic test_topic --group=test-consumer-group --threads 1
bin/kafka-producer-perf-test.sh --topic test_topic --num-records 5000000 --record-size 100 --throughput -1 --producer.config config/producer.properties --producer-props acks=1 bootstrap.servers=172.16.108.128:9092,172.16.108.139:9092,172.16.108.136:9092 buffer.memory=67108864 batch.size=8196