It is recommended that ZooKeeper and Kafka share one authentication file.

The following is for version 2.8. Version 3.0 and later has not been tested or verified.

  # kafka and zk share the same authentication file
  $ cat kafka_server_jaas.conf
  KafkaServer {
      org.apache.kafka.common.security.plain.PlainLoginModule required
      username="admin"
      password="zfyx@2022"
      user_admin="zfyx@2022"
      user_producer="zfyx@2022"
      user_consumer="zfyx@2022";
  };

https://www.yuque.com/geray-alxoc/bapt5y/npqss5?singleDoc# "Base Image"

1、zk

1. Copy the startup script and config file to SASL-authenticated versions

  cp zookeeper-server-start.sh zookeeper-server-start-sasl.sh
  cp zookeeper.properties zookeeper-sasl.properties

2. Authentication file

  cat > zk-server-jaas.conf << EOF
  Server {
      org.apache.zookeeper.server.auth.DigestLoginModule required
      user_super="admin"
      user_bob="gsww@SJJH!2.0";
  };
  EOF

3. Add the authentication configuration to the startup script

  • Edit the zk startup script to point at the authentication file (add the JAAS file parameter on the last line)
  exec $base_dir/kafka-run-class.sh $EXTRA_ARGS -Djava.security.auth.login.config=/data/kafka-jh/config/zk-server-jaas.conf org.apache.zookeeper.server.quorum.QuorumPeerMain "$@"

4. Edit the zk config file and add the authentication settings

  authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
  requireClientAuthScheme=sasl
  jaasLoginRenew=3600000

5. Start and test

  # start in the foreground
  ./zookeeper-server-start-sasl.sh ../config/zookeeper-sasl.properties
  # start in the background (daemon)
  ./zookeeper-server-start-sasl.sh -daemon ../config/zookeeper-sasl.properties

2、kafka

1. Copy the startup script and config file to SASL-authenticated versions

  cp kafka-server-start.sh kafka-server-start-sasl.sh
  cp server.properties server-sasl.properties

2. Authentication file

  cat > kafka-server-jaas.conf << EOF
  KafkaServer {
      org.apache.kafka.common.security.plain.PlainLoginModule required
      username="admin"
      password="admin"
      user_admin="admin"
      user_rex="gsww@SJJH!2.0"
      user_alice="gsww@SJJH!2.0"
      user_lucy="gsww@SJJH!2.0";
  };
  EOF

3. Add the authentication configuration to the startup script

  • Edit the kafka startup script to point at the authentication file (add the JAAS file parameter on the last line)
  exec $base_dir/kafka-run-class.sh $EXTRA_ARGS -Djava.security.auth.login.config=/data/kafka-jh/config/kafka-server-jaas.conf kafka.Kafka "$@"

4. Edit the kafka config file and add the authentication settings

  listeners=SASL_PLAINTEXT://localhost:9092
  security.inter.broker.protocol=SASL_PLAINTEXT
  sasl.enabled.mechanisms=PLAIN
  sasl.mechanism.inter.broker.protocol=PLAIN
  authorizer.class.name=kafka.security.authorizer.AclAuthorizer
  super.users=User:admin

5. Start and test

  # start in the foreground
  ./bin/kafka-server-start-sasl.sh config/server-sasl.properties
  # start in the background (daemon)
  ./bin/kafka-server-start-sasl.sh -daemon config/server-sasl.properties
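Before starting the broker it is worth sanity-checking the JAAS file from step 2 and the properties from step 4 together: with PlainLoginModule the broker's own username/password must also appear as a user_ entry (otherwise inter-broker SASL fails), and PLAIN over a SASL_PLAINTEXT listener puts every password on the wire in cleartext. The checker below is an added example, not part of this page or of Kafka; the sample inputs are constructed and assume the same file layout as the steps above.

```python
import re

# Constructed sample inputs modelled on the files built in steps 2 and 4 (not from a live system).
JAAS_TEXT = """
KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin"
user_admin="admin"
user_rex="shared-secret"
user_alice="shared-secret";
};
"""
SERVER_PROPS = """
listeners=SASL_PLAINTEXT://localhost:9092
sasl.enabled.mechanisms=PLAIN
super.users=User:admin
"""

def parse_jaas(text):
    """Return {section: {key: value}} for the key="value" entries of each JAAS login section."""
    sections = {}
    for name, body in re.findall(r'(\w+)\s*\{(.*?)\};', text, re.S):
        sections[name] = dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', body))
    return sections

def parse_props(text):
    """Minimal key=value reader for server.properties (comments and blank lines skipped)."""
    return dict(line.split("=", 1) for line in text.splitlines()
                if "=" in line and not line.startswith("#"))

def audit(jaas_text, props_text):
    """Return a list of findings about the PLAIN credentials and listener settings."""
    findings = []
    conf = parse_jaas(jaas_text).get("KafkaServer", {})
    users = {k[len("user_"):]: v for k, v in conf.items() if k.startswith("user_")}
    broker_user, broker_pw = conf.get("username"), conf.get("password")
    # Inter-broker auth: the broker's own credentials must be listed as user_<username> too.
    if users.get(broker_user) != broker_pw:
        findings.append("inter-broker credentials not listed under user_%s" % broker_user)
    for name, pw in users.items():
        if pw == name:
            findings.append("password equals username for %s" % name)
    by_pw = {}
    for name, pw in users.items():
        by_pw.setdefault(pw, []).append(name)
    for names in by_pw.values():
        if len(names) > 1:
            findings.append("password shared by %s" % ",".join(sorted(names)))
    props = parse_props(props_text)
    if "SASL_PLAINTEXT" in props.get("listeners", "") and "PLAIN" in props.get("sasl.enabled.mechanisms", ""):
        findings.append("PLAIN over SASL_PLAINTEXT sends passwords in cleartext; use SASL_SSL")
    for su in props.get("super.users", "").split(";"):
        if su.strip().startswith("User:") and su.strip()[len("User:"):] not in users:
            findings.append("super user %s has no user_ entry" % su.strip())
    return findings
```

Run `audit(open(jaas).read(), open(props).read())` against the real files; an empty list means the PLAIN user table and listener settings are consistent.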

6. Create a topic to test