环境
版本:kafka_2.12-2.3.0
主机名:orchome
LSB Version: :core-4.1-amd64:core-4.1-noarch
Distributor ID: CentOS
Description: CentOS Linux release 7.5.1804 (Core)
Release: 7.5.1804
Codename: Core
Linux version 3.10.0-862.el7.x86_64 ([email protected]) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) ) #1 SMP Fri Apr 20 16:44:24 UTC 2018
kerberos生成principal
## 创建principal
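# One service principal per component.  -randkey assigns a random key, so the
# principal has no human-known password and its key only ever lives in a keytab.
sudo /usr/sbin/kadmin.local -q 'addprinc -randkey zookeeper/orchome@EXAMPLE.COM'
sudo /usr/sbin/kadmin.local -q 'addprinc -randkey kafka/orchome@EXAMPLE.COM'
sudo /usr/sbin/kadmin.local -q 'addprinc -randkey clients/orchome@EXAMPLE.COM'

# Export each principal's key into the keytab that the matching JAAS file reads.
# ktadd generates a fresh key and increments the kvno every time it runs, so
# re-running it invalidates any copy of that keytab distributed earlier.
# The ZooKeeper principal goes into kafka_zookeeper.keytab -- the path that
# zookeeper_jaas.conf and the klist check below refer to -- not into the
# broker's kafka_server.keytab.
sudo /usr/sbin/kadmin.local -q 'ktadd -k /etc/security/keytabs/kafka_server.keytab kafka/orchome@EXAMPLE.COM'
sudo /usr/sbin/kadmin.local -q 'ktadd -k /etc/security/keytabs/kafka_zookeeper.keytab zookeeper/orchome@EXAMPLE.COM'
sudo /usr/sbin/kadmin.local -q 'ktadd -k /etc/security/keytabs/kafka_client.keytab clients/orchome@EXAMPLE.COM'

# A keytab is equivalent to a long-lived password: make each file readable only
# by the account that runs the corresponding service (that account is not shown
# on this page), e.g. chmod 600 on every file under /etc/security/keytabs/.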
## 检查
# Inspect every exported keytab: -k lists keytab entries, -t adds the timestamp,
# -e prints the encryption type of each key.  Confirm each file holds the
# expected principal and kvno, and that only strong enctypes are present -- the
# sample output further down shows des-* and arcfour-hmac entries, i.e.
# single-DES/RC4 keys, which should be disabled on the KDC.
for keytab_name in kafka_zookeeper kafka_server kafka_client; do
  klist -t -e -k "/etc/security/keytabs/${keytab_name}.keytab"
done
各个文件详情
more /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.COM = {
kdc = orchome
admin_server = orchome
}
[domain_realm]
kafka = EXAMPLE.COM
zookeeper = EXAMPLE.COM
clients = EXAMPLE.COM
kadmin.local
```java
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: listprincs
K/M@EXAMPLE.COM
admin/admin@EXAMPLE.COM
clients/orchome@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/orchome@EXAMPLE.COM
kafka/orchome@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
krbtgt/orchome@EXAMPLE.COM
zookeeper/orchome@EXAMPLE.COM
```
# NOTE(review): this lists /var/kerberos/krb5kdc/kafka.keytab, which is not one
# of the keytabs written by the ktadd commands above (/etc/security/keytabs/...),
# and the entries below carry 2016 timestamps -- the output looks like it comes
# from a different, older setup.  Verify against the keytab your JAAS files
# actually reference.
klist -t -e -k /var/kerberos/krb5kdc/kafka.keytab
```java
Keytab name: FILE:/var/kerberos/krb5kdc/kafka.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
3 07/24/16 00:58:30 kafka/[email protected] (aes256-cts-hmac-sha1-96)
3 07/24/16 00:58:30 kafka/[email protected] (aes128-cts-hmac-sha1-96)
3 07/24/16 00:58:30 kafka/[email protected] (des3-cbc-sha1)
3 07/24/16 00:58:30 kafka/[email protected] (arcfour-hmac)
3 07/24/16 00:58:30 kafka/[email protected] (des-hmac-sha1)
3 07/24/16 00:58:30 kafka/[email protected] (des-cbc-md5)
2 07/24/16 12:23:18 zookeeper/[email protected] (aes256-cts-hmac-sha1-96)
2 07/24/16 12:23:18 zookeeper/[email protected] (aes128-cts-hmac-sha1-96)
2 07/24/16 12:23:18 zookeeper/[email protected] (des3-cbc-sha1)
2 07/24/16 12:23:18 zookeeper/[email protected] (arcfour-hmac)
2 07/24/16 12:23:18 zookeeper/[email protected] (des-hmac-sha1)
2 07/24/16 12:23:18 zookeeper/[email protected] (des-cbc-md5)
2 07/25/16 11:31:37 kafka/[email protected] (aes256-cts-hmac-sha1-96)
2 07/25/16 11:31:37 kafka/[email protected] (aes128-cts-hmac-sha1-96)
2 07/25/16 11:31:37 kafka/[email protected] (des3-cbc-sha1)
2 07/25/16 11:31:37 kafka/[email protected] (arcfour-hmac)
2 07/25/16 11:31:37 kafka/[email protected] (des-hmac-sha1)
2 07/25/16 11:31:37 kafka/[email protected] (des-cbc-md5)
3 07/25/16 13:13:31 kafka/[email protected] (aes256-cts-hmac-sha1-96)
3 07/25/16 13:13:31 kafka/[email protected] (aes128-cts-hmac-sha1-96)
3 07/25/16 13:13:31 kafka/[email protected] (des3-cbc-sha1)
3 07/25/16 13:13:31 kafka/[email protected] (arcfour-hmac)
3 07/25/16 13:13:31 kafka/[email protected] (des-hmac-sha1)
3 07/25/16 13:13:31 kafka/[email protected] (des-cbc-md5)
2 07/25/16 15:07:58 zookeeper/[email protected] (aes256-cts-hmac-sha1-96)
2 07/25/16 15:07:58 zookeeper/[email protected] (aes128-cts-hmac-sha1-96)
2 07/25/16 15:07:58 zookeeper/[email protected] (des3-cbc-sha1)
2 07/25/16 15:07:58 zookeeper/[email protected] (arcfour-hmac)
2 07/25/16 15:07:58 zookeeper/[email protected] (des-hmac-sha1)
2 07/25/16 15:07:58 zookeeper/[email protected] (des-cbc-md5)
2 07/25/16 18:47:55 [email protected] (aes256-cts-hmac-sha1-96)
2 07/25/16 18:47:55 [email protected] (aes128-cts-hmac-sha1-96)
2 07/25/16 18:47:55 [email protected] (des3-cbc-sha1)
2 07/25/16 18:47:55 [email protected] (arcfour-hmac)
2 07/25/16 18:47:55 [email protected] (des-hmac-sha1)
2 07/25/16 18:47:55 [email protected] (des-cbc-md5)
```
more /etc/kafka/zookeeper_jaas.conf
Server{
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
useTicketCache=false
keyTab="/etc/security/keytabs/kafka_zookeeper.keytab"
principal="zookeeper/orchome@EXAMPLE.COM";
};
more /etc/kafka/kafka_server_jaas.conf
KafkaServer {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab="/etc/security/keytabs/kafka_server.keytab"
principal="kafka/orchome@EXAMPLE.COM";
};
// Zookeeper client authentication
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab="/etc/security/keytabs/kafka_server.keytab"
principal="kafka/orchome@EXAMPLE.COM";
};
more /etc/kafka/kafka_client_jaas.conf
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab="/etc/security/keytabs/kafka_client.keytab"
principal="clients/orchome@EXAMPLE.COM";
};
more config/server.properties
listeners=SASL_PLAINTEXT://orchome:9093
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.enabled.mechanisms=GSSAPI
sasl.kerberos.service.name=kafka
more start-zk-and-kafka.sh
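#!/bin/bash
# Start a Kerberos-enabled ZooKeeper and then a Kafka broker.  bin/ and config/
# are addressed relatively, so the script must be run from the Kafka install
# directory.  Each JVM gets its own JAAS file through KAFKA_OPTS:
# zookeeper_jaas.conf for ZooKeeper, kafka_server_jaas.conf for the broker;
# both point at the same /etc/krb5.conf.
set -u

die() { printf '%s\n' "$*" >&2; exit 1; }

[[ -x bin/zookeeper-server-start.sh && -x bin/kafka-server-start.sh ]] \
  || die "run this script from the Kafka install directory (bin/ not found)"

export KAFKA_HEAP_OPTS='-Xmx256M'

# ZooKeeper runs in the background; the broker started below depends on it.
export KAFKA_OPTS='-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/etc/kafka/zookeeper_jaas.conf'
bin/zookeeper-server-start.sh config/zookeeper.properties &
zk_pid=$!

# Give ZooKeeper time to bind, then confirm it did not die during start-up
# (e.g. a missing keytab or a failed JAAS login).  Without this check the
# broker starts anyway and fails later with a much less obvious error.
sleep 5
kill -0 "$zk_pid" 2>/dev/null \
  || die "zookeeper-server-start.sh exited during start-up; see its output above"

# The broker runs in the foreground, so the script lives as long as the broker.
# ZooKeeper is intentionally left running when the broker exits.
export KAFKA_OPTS='-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/etc/kafka/kafka_server_jaas.conf'
bin/kafka-server-start.sh config/server.properties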
more config/zookeeper.properties
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl
jaasLoginRenew=3600000
more config/producer.properties/consumer.properties
```java
security.protocol=SASL_PLAINTEXT
sasl.mechanism=GSSAPI
sasl.kerberos.service.name=kafka
```
more producer2.sh
```java
# Console producer authenticated with Kerberos.  The JAAS file names the client
# keytab and principal; config/producer.properties selects SASL_PLAINTEXT/GSSAPI.
# SASL_PLAINTEXT authenticates the session but does not encrypt it (no TLS),
# so traffic crossing an untrusted network should use SASL_SSL instead.
client_jaas=/etc/kafka/kafka_client_jaas.conf
export KAFKA_OPTS="-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=${client_jaas}"
bin/kafka-console-producer.sh \
  --broker-list orchome:9093 \
  --topic test \
  --producer.config config/producer.properties
more consumer2.sh
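# Console consumer authenticated with Kerberos, reading the topic from the
# beginning.  The JAAS file names the client keytab and principal;
# config/consumer.properties selects SASL_PLAINTEXT/GSSAPI.
# --new-consumer is dropped: it was deprecated and later removed from the
# console tools (Kafka 2.0), and --bootstrap-server already implies the
# new consumer, so on the 2.3.0 build used here the option is rejected.
export KAFKA_OPTS="-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/etc/kafka/kafka_client_jaas.conf"
bin/kafka-console-consumer.sh \
  --bootstrap-server orchome:9093 \
  --topic test \
  --from-beginning \
  --consumer.config config/consumer.properties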