1、JAAS 配置文件(kafka_client_jaas.conf,放在项目 conf 目录下)
// JAAS login context for the Kafka client. "KafkaClient" is the context name
// the Kafka client library looks up when it performs the SASL login.
KafkaClient {
// Kerberos login module that ships with the JDK.
com.sun.security.auth.module.Krb5LoginModule required
// Take the principal's key from the keytab below instead of prompting for a password.
useKeyTab=true
// Keep the key in the Subject's private credentials after login.
storeKey=true
// Kerberos service name of the brokers (first component of the broker principal).
serviceName="kafka"
// The keytab holds the principal's long-term key: anyone who can read this file can
// authenticate as the principal. Restrict read access to the account running the
// client and keep the file out of version control.
// NOTE(review): absolute Windows path; the Java code only resolves the JAAS file and
// krb5.conf relative to the working directory, so this path must be edited per machine.
keyTab="D:/code/demo/conf/kafka.service.keytab"
// NOTE(review): kafka/hdp-1 looks like the broker's own service principal (it matches
// serviceName and the keytab file name). A client would normally log in with its own
// principal and keytab so it can be authorized and revoked separately; confirm.
principal="kafka/hdp-1";
};
2、keytab 文件(kafka.service.keytab)
从 Kerberos 服务器上拷贝到目标机器,或找运维人员要一份。keytab 保存的是该 principal 的长期密钥,拿到文件即可以该身份通过认证,因此请限制文件的读取权限,不要提交到代码仓库。
3、Kerberos 配置文件(krb5.conf)
从 Kerberos 服务器上拷贝到目标机器 或 找运维人员要一份
# Configuration snippets may be placed in this directory as well
# On JDK 11, remove the includedir line below; otherwise krb5.conf fails to load.
includedir /etc/krb5.conf.d/
# Log destinations for the Kerberos library, the KDC and the admin server.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
# Realm assumed when a principal is given without one.
default_realm = HADOOP.COM
# Do not use DNS to discover the realm or the KDC; rely on [realms] and
# [domain_realm] below, so the KDC host name must resolve locally.
dns_lookup_realm = false
dns_lookup_kdc = false
# Requested ticket lifetime and maximum renewable lifetime.
ticket_lifetime = 24h
renew_lifetime = 7d
# Request forwardable tickets.
forwardable = true
# Do not use reverse DNS when canonicalizing host names for service principals.
rdns = false
# Messages larger than 1 byte go over TCP, i.e. the KDC is always contacted via TCP.
udp_preference_limit = 1
[realms]
HADOOP.COM = {
# KDC and kadmin endpoints for the realm.
kdc = hdp-1:88
admin_server = hdp-1:749
default_domain = HADOOP.COM
}
# Maps host and domain names to the realm.
# NOTE(review): keys here are DNS names and are normally written in lower case;
# hdp-1 has no domain suffix and so falls back to default_realm. Confirm these
# entries match the real host names.
[domain_realm]
.HADOOP.COM = HADOOP.COM
HADOOP.COM = HADOOP.COM
Tip:JDK11版本 sun.security.krb5.Config 类有修改,不去掉会有如下报错:
Caused by: KrbException: krb5.conf loading failed
192.168.16.14 hdp-1
<dependency>
    <groupId>org.apache.kafka</groupId>
    <artifactId>kafka-clients</artifactId>
    <version>3.1.0</version>
</dependency>
package com.example.demo.kafka;
import org.apache.kafka.clients.consumer.ConsumerRecord;
import org.apache.kafka.clients.consumer.ConsumerRecords;
import org.apache.kafka.clients.consumer.KafkaConsumer;
import java.time.Duration;
import java.util.Arrays;
import java.util.Properties;
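/**
 * Demo consumer that reads the {@code test} topic from a Kerberos-secured Kafka broker
 * (SASL/GSSAPI) and prints every record to standard output.
 *
 * <p>The JAAS login configuration ({@code kafka_client_jaas.conf}) and {@code krb5.conf}
 * are loaded from the {@code conf} directory under the JVM working directory.
 *
 * @author wmh
 * @version 1.0
 */
public class ConsumertKafkaKerberos {

    /**
     * Configures the JVM-wide Kerberos settings, subscribes to the topic and polls forever.
     *
     * <p>Transient poll errors are printed and polling continues. Authentication and
     * authorization failures are rethrown so the process stops instead of retrying with
     * credentials the broker has already rejected.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        // Build <working dir>/conf/ with the platform separator so the demo also runs
        // outside Windows; on Windows this yields the same path as before.
        String confDir = System.getProperty("user.dir")
                + java.io.File.separator + "conf" + java.io.File.separator;
        // Both properties are JVM-wide: every JAAS/Kerberos login in this process uses them.
        System.setProperty("java.security.auth.login.config", confDir + "kafka_client_jaas.conf");
        System.setProperty("java.security.krb5.conf", confDir + "krb5.conf");

        Properties props = new Properties();
        props.put("bootstrap.servers", "hdp-1:9092");
        props.put("group.id", "test_group");
        props.put("enable.auto.commit", "true");
        props.put("auto.commit.interval.ms", "1000");
        props.put("key.deserializer", "org.apache.kafka.common.serialization.StringDeserializer");
        props.put("value.deserializer", "org.apache.kafka.common.serialization.StringDeserializer");

        // SASL/Kerberos settings.
        props.put("sasl.mechanism", "GSSAPI");
        // SASL_PLAINTEXT authenticates the client with Kerberos but does not encrypt the
        // connection: record keys and values cross the network in clear text. Switch to
        // SASL_SSL (plus truststore settings) when the broker exposes a TLS listener.
        props.put("security.protocol", "SASL_PLAINTEXT");
        // Must match the first component of the broker principal; the JAAS file sets the
        // same value through serviceName.
        props.put("sasl.kerberos.service.name", "kafka");

        String topic = "test";
        // try-with-resources closes the consumer when a fatal error leaves the poll loop.
        try (KafkaConsumer<String, String> consumer = new KafkaConsumer<>(props)) {
            consumer.subscribe(Arrays.asList(topic));
            while (true) {
                try {
                    ConsumerRecords<String, String> records = consumer.poll(Duration.ofMillis(1000));
                    for (ConsumerRecord<String, String> record : records) {
                        System.out.printf("offset = %d, partition = %d, key = %s, value = %s%n",
                                record.offset(), record.partition(), record.key(), record.value());
                    }
                } catch (org.apache.kafka.common.errors.AuthenticationException
                        | org.apache.kafka.common.errors.AuthorizationException e) {
                    // Retrying cannot fix a rejected login or a missing ACL; stop here rather
                    // than looping on the same failure once per poll.
                    throw e;
                } catch (Exception e) {
                    // Best effort for everything else: report the error and keep polling.
                    e.printStackTrace();
                }
            }
        }
    }
}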
package com.example.demo.kafka;
import org.apache.kafka.clients.producer.KafkaProducer;
import org.apache.kafka.clients.producer.Producer;
import org.apache.kafka.clients.producer.ProducerRecord;
import java.util.Properties;
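/**
 * Demo producer that sends three records to the {@code test} topic of a Kerberos-secured
 * Kafka broker (SASL/GSSAPI).
 *
 * <p>The JAAS login configuration ({@code kafka_client_jaas.conf}) and {@code krb5.conf}
 * are loaded from the {@code conf} directory under the JVM working directory.
 *
 * @author wmh
 * @version 1.0
 */
public class ProductKafkaKerberos {

    /**
     * Configures the JVM-wide Kerberos settings, sends the records and reports the outcome.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        // Build <working dir>/conf/ with the platform separator so the demo also runs
        // outside Windows; on Windows this yields the same path as before.
        String confDir = System.getProperty("user.dir")
                + java.io.File.separator + "conf" + java.io.File.separator;
        // Both properties are JVM-wide: every JAAS/Kerberos login in this process uses them.
        System.setProperty("java.security.auth.login.config", confDir + "kafka_client_jaas.conf");
        System.setProperty("java.security.krb5.conf", confDir + "krb5.conf");

        Properties props = new Properties();
        props.put("bootstrap.servers", "hdp-1:9092");
        props.put("acks", "all");
        props.put("key.serializer", "org.apache.kafka.common.serialization.StringSerializer");
        props.put("value.serializer", "org.apache.kafka.common.serialization.StringSerializer");

        // SASL/Kerberos settings.
        // NOTE(review): "jaas.enabled" does not look like a kafka-clients producer setting
        // (it resembles Spring Kafka's spring.kafka.jaas.enabled); the JAAS login here is
        // driven by the system property set above. Kept unchanged; confirm and drop.
        props.put("jaas.enabled", true);
        props.put("sasl.mechanism", "GSSAPI");
        // SASL_PLAINTEXT authenticates the client with Kerberos but does not encrypt the
        // connection: record keys and values cross the network in clear text. Switch to
        // SASL_SSL (plus truststore settings) when the broker exposes a TLS listener.
        props.put("security.protocol", "SASL_PLAINTEXT");
        // Must match the first component of the broker principal; the JAAS file sets the
        // same value through serviceName.
        props.put("sasl.kerberos.service.name", "kafka");

        // send() is asynchronous, so failures are only visible through the callback.
        java.util.concurrent.atomic.AtomicInteger failures =
                new java.util.concurrent.atomic.AtomicInteger();

        // try-with-resources closes the producer even if a send throws.
        try (Producer<String, String> producer = new KafkaProducer<>(props)) {
            for (int i = 0; i < 3; i++) {
                String payload = Integer.toString(i);
                producer.send(new ProducerRecord<>("test", payload, payload), (metadata, exception) -> {
                    if (exception != null) {
                        failures.incrementAndGet();
                        exception.printStackTrace();
                    }
                });
            }
            // Wait for the broker's answer before claiming success.
            producer.flush();
            if (failures.get() == 0) {
                System.out.println("producer is success");
            } else {
                System.err.println("producer failed to send " + failures.get() + " record(s)");
            }
        }
    }
}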
相关博客:https://www.cnblogs.com/myownswordsman/p/kafka-security-kerberos.html