kafka实战kerberos（笔记

环境
版本：kafka_2.12-2.3.0
主机名：orchome
LSB Version: :core-4.1-amd64:core-4.1-noarch
Distributor ID: CentOS
Description: CentOS Linux release 7.5.1804 (Core)
Release: 7.5.1804
Codename: Core
Linux version 3.10.0-862.el7.x86_64 ([email protected]) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) ) #1 SMP Fri Apr 20 16:44:24 UTC 2018

kerberos生成principal

## 创建principal
sudo /usr/sbin/kadmin.local -q 'addprinc -randkey zookeeper/orchome@EXAMPLE.COM'
sudo /usr/sbin/kadmin.local -q 'addprinc -randkey kafka/orchome@EXAMPLE.COM'
sudo /usr/sbin/kadmin.local -q 'addprinc -randkey clients/orchome@EXAMPLE.COM'

sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/kafka_server.keytab kafka/[email protected]"
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/kafka_server.keytab zookeeper/[email protected]"
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/kafka_client.keytab clients/[email protected]"

## 检查
klist -t -e -k /etc/security/keytabs/kafka_zookeeper.keytab
klist -t -e -k /etc/security/keytabs/kafka_server.keytab
klist -t -e -k /etc/security/keytabs/kafka_client.keytab

各个文件详情
more /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = orchome
  admin_server = orchome
 }

[domain_realm]
kafka = EXAMPLE.COM
zookeeper = EXAMPLE.COM
clients = EXAMPLE.COM

kadmin.local

```java
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:  listprincs 
K/M@EXAMPLE.COM
admin/admin@EXAMPLE.COM
clients/orchome@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/orchome@EXAMPLE.COM
kafka/orchome@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
krbtgt/orchome@EXAMPLE.COM
zookeeper/orchome@EXAMPLE.COM

klist -t -e -k /var/kerberos/krb5kdc/kafka.keytab

```java
Keytab name: FILE:/var/kerberos/krb5kdc/kafka.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 07/24/16 00:58:30 kafka/[email protected] (aes256-cts-hmac-sha1-96)
   3 07/24/16 00:58:30 kafka/[email protected] (aes128-cts-hmac-sha1-96)
   3 07/24/16 00:58:30 kafka/[email protected] (des3-cbc-sha1)
   3 07/24/16 00:58:30 kafka/[email protected] (arcfour-hmac)
   3 07/24/16 00:58:30 kafka/[email protected] (des-hmac-sha1)
   3 07/24/16 00:58:30 kafka/[email protected] (des-cbc-md5)
   2 07/24/16 12:23:18 zookeeper/[email protected] (aes256-cts-hmac-sha1-96)
   2 07/24/16 12:23:18 zookeeper/[email protected] (aes128-cts-hmac-sha1-96)
   2 07/24/16 12:23:18 zookeeper/[email protected] (des3-cbc-sha1)
   2 07/24/16 12:23:18 zookeeper/[email protected] (arcfour-hmac)
   2 07/24/16 12:23:18 zookeeper/[email protected] (des-hmac-sha1)
   2 07/24/16 12:23:18 zookeeper/[email protected] (des-cbc-md5)
   2 07/25/16 11:31:37 kafka/[email protected] (aes256-cts-hmac-sha1-96)
   2 07/25/16 11:31:37 kafka/[email protected] (aes128-cts-hmac-sha1-96)
   2 07/25/16 11:31:37 kafka/[email protected] (des3-cbc-sha1)
   2 07/25/16 11:31:37 kafka/[email protected] (arcfour-hmac)
   2 07/25/16 11:31:37 kafka/[email protected] (des-hmac-sha1)
   2 07/25/16 11:31:37 kafka/[email protected] (des-cbc-md5)
   3 07/25/16 13:13:31 kafka/[email protected] (aes256-cts-hmac-sha1-96)
   3 07/25/16 13:13:31 kafka/[email protected] (aes128-cts-hmac-sha1-96)
   3 07/25/16 13:13:31 kafka/[email protected] (des3-cbc-sha1)
   3 07/25/16 13:13:31 kafka/[email protected] (arcfour-hmac)
   3 07/25/16 13:13:31 kafka/[email protected] (des-hmac-sha1)
   3 07/25/16 13:13:31 kafka/[email protected] (des-cbc-md5)
   2 07/25/16 15:07:58 zookeeper/[email protected] (aes256-cts-hmac-sha1-96)
   2 07/25/16 15:07:58 zookeeper/[email protected] (aes128-cts-hmac-sha1-96)
   2 07/25/16 15:07:58 zookeeper/[email protected] (des3-cbc-sha1)
   2 07/25/16 15:07:58 zookeeper/[email protected] (arcfour-hmac)
   2 07/25/16 15:07:58 zookeeper/[email protected] (des-hmac-sha1)
   2 07/25/16 15:07:58 zookeeper/[email protected] (des-cbc-md5)
   2 07/25/16 18:47:55 [email protected] (aes256-cts-hmac-sha1-96)
   2 07/25/16 18:47:55 [email protected] (aes128-cts-hmac-sha1-96)
   2 07/25/16 18:47:55 [email protected] (des3-cbc-sha1)
   2 07/25/16 18:47:55 [email protected] (arcfour-hmac)
   2 07/25/16 18:47:55 [email protected] (des-hmac-sha1)
   2 07/25/16 18:47:55 [email protected] (des-cbc-md5)

more /etc/kafka/zookeeper_jaas.conf

Server{
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    useTicketCache=false
    keyTab="/etc/security/keytabs/kafka_zookeeper.keytab"
    principal="zookeeper/[email protected]";
};

more /etc/kafka/kafka_server_jaas.conf

KafkaServer {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   storeKey=true
   keyTab="/etc/security/keytabs/kafka_server.keytab"
   principal="kafka/[email protected]";
};

// Zookeeper client authentication
Client {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   storeKey=true
   keyTab="/etc/security/keytabs/kafka_server.keytab"
   principal="kafka/[email protected]";
};

more /etc/kafka/kafka_client_jaas.conf

KafkaClient {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   storeKey=true
   keyTab="/etc/security/keytabs/kafka_client.keytab"
   principal="clients/[email protected]";
};

more config/server.propertieslisteners=SASL_PLAINTEXT://orchome:9093 security.inter.broker.protocol=SASL_PLAINTEXT sasl.mechanism.inter.broker.protocol=GSSAPI sasl.enabled.mechanisms=GSSAPI sasl.kerberos.service.name=kafka

more start-zk-and-kafka.sh

#!/bin/bash
export KAFKA_HEAP_OPTS='-Xmx256M'
export KAFKA_OPTS='-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/etc/kafka/zookeeper_jaas.conf'
bin/zookeeper-server-start.sh config/zookeeper.properties &

sleep 5

export KAFKA_OPTS='-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/etc/kafka/kafka_server_jaas.conf'
bin/kafka-server-start.sh config/server.properties

more config/zookeeper.propertiesauthProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider requireClientAuthScheme=sasl jaasLoginRenew=3600000

more config/producer.properties/consumer.properties

```java
security.protocol=SASL_PLAINTEXT
sasl.mechanism=GSSAPI
sasl.kerberos.service.name=kafka

`more producer2.sh

```java
export KAFKA_OPTS="-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/etc/kafka/kafka_client_jaas.conf"

bin/kafka-console-producer.sh --broker-list orchome:9093 --topic test --producer.config config/producer.properties

more consumer2.sh

export KAFKA_OPTS="-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/etc/kafka/kafka_client_jaas.conf"

bin/kafka-console-consumer.sh --bootstrap-server orchome:9093 --topic test --new-consumer --from-beginning --consumer.config config/consumer.properties