apt-get install krb5-admin-server krb5-kdc krb5-user krb5-config
systemctl status krb5-admin-server
systemctl status krb5-kdc
systemctl start krb5-admin-server
systemctl startkrb5-kdc
default_realm = CECGW.CN
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
CECGW.CN = {
kdc = ubuntu
admin_server = ubuntu
}
创建数据库
cd /etc/krb5kdc
kdb5_util create -r CECGW.CN -s
输入俩次数据库密码
创建用户principal
kadmin.local
add_principal oneandonly/[email protected]
输入俩次密码 oneandonly/[email protected]
导出文件
xst -k oneandonly.keytab -norandkey oneandonly/[email protected]
验证登录,使用密钥登录.
root@ubuntu:/opt/kafka/kafka_2.13-3.6.1# kinit -kt oneandonly.keytab oneandonly/kerberos
root@ubuntu:/opt/kafka/kafka_2.13-3.6.1# klist
root@ubuntu:/opt/kafka/kafka_2.13-3.6.1# kdestroy
root@ubuntu:/opt/kafka/kafka_2.13-3.6.1# klist
kadmin.local
kadmin.local: add_principal -randkey kafka-server/[email protected]
kadmin.local: add_principal -randkey [email protected]
kadmin.local: xst -k /root/kafka-server.keytab kafka-server/[email protected]
kadmin.local: xst -k /root/kafka-client.keytab [email protected]
listeners=SASL_PLAINTEXT://ubuntu:9092
advertised.listeners=SASL_PLAINTEXT://ubuntu:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.enabled.mechanisms=GSSAPI
sasl.kerberos.service.name=kafka-server
KafkaServer {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/opt/kafka/kafka_2.13-3.6.1/config/kerberos/kafka-server.keytab"
storeKey=true
useTicketCache=false
principal="kafka-server/[email protected]";
};
复制 bin/kafka-server-start.sh 脚本重命名为 bin/kafka-server-start-sasl.sh,倒数第二行增加如下配置
export KAFKA_OPTS="-Dzookeeper.sasl.client=false -Dzookeeper.sasl.client.username=zk-server -Djava.security.krb5.conf=/opt/kafka/kafka_2.13-3.6.1/config/kerberos/krb5.conf -Djava.security.auth.login.config=/opt/kafka/kafka_2.13-3.6.1/config/kerberos/kafka-server-jaas.conf"
.新建 kafka-client-jaas.conf 文件,该文件也放到 Kafka 的 config/kerberos 目录下。
security.protocol=SASL_PLAINTEXT
sasl.mechanism=GSSAPI
sasl.kerberos.service.name=kafka-server
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/opt/kafka/kafka_2.13-3.6.1/config/kerberos/kafka-client.keytab"
storeKey=true
useTicketCache=false
principal="[email protected]";
};
export KAFKA_OPTS="-Djava.security.krb5.conf=/opt/kafka/kafka_2.13-3.6.1/config/kerberos/krb5.conf -Djava.security.auth.login.config=/opt/kafka/kafka_2.13-3.6.1/config/kerberos/kafka-client-jaas.conf"
cd /opt/kafka/kafka_2.13-3.6.1
nohup bin/zookeeper-server-start.sh config/zookeeper.properties > /dev/null 2>&1 &
./bin/kafka-server-start-sasl.sh -daemon config/server-sasl.properties
./bin/kafka-topics-sasl.sh --list --bootstrap-server ubuntu:9092 --command-config config/kerberos/client.pr
operties
bin/kafka-topics-sasl.sh --create --bootstrap-server ubuntu:9092 --replication-factor 1 --partitions 1 --topic your_topic_name --command-config config/kerberos/client.properties
./bin/kafka-console-producer-sasl.sh --broker-list ubuntu:9092 --topic your_topic_name --producer.config config/kerberos/client.properties
./bin/kafka-console-consumer-sasl.sh --bootstrap-server ubuntu:9092 --topic your_topic_name --from-beginning --consumer.config config/kerberos/client.properties