Enabling Kerberos on Kafka


I. Preparing the base environment


  • Create the Kerberos principals:
Use kadmin.local or kadmin to create a Kerberos principal for each Zookeeper and Kafka service instance. For example:

Note: create as many principals as there are machines (one per host and service).

kadmin.local -q "addprinc -randkey zookeeper/dshieldcdh01@HADOOP139.COM"
kadmin.local -q "addprinc -randkey zookeeper/dshieldcdh02@HADOOP139.COM" 
kadmin.local -q "addprinc -randkey zookeeper/dshieldcdh03@HADOOP139.COM"  
kadmin.local -q "addprinc -randkey kafka/dshieldcdh01@HADOOP139.COM"
kadmin.local -q "addprinc -randkey kafka/dshieldcdh02@HADOOP139.COM"
kadmin.local -q "addprinc -randkey kafka/dshieldcdh03@HADOOP139.COM"

  • Verify that the principals were created
kadmin.local -q "listprincs"
[root@dshieldcdh02 ~]#  kadmin.local -q "listprincs"
Authenticating as principal root/admin@HADOOP139.COM with password.
K/M@HADOOP139.COM
host/dshieldcdh01@HADOOP139.COM
host/dshieldcdh02@HADOOP139.COM
kadmin/admin@HADOOP139.COM
kadmin/changepw@HADOOP139.COM
kadmin/dshieldcdh02@HADOOP139.COM
kafka/dshieldcdh01@HADOOP139.COM
kafka/dshieldcdh02@HADOOP139.COM
kafka/dshieldcdh03@HADOOP139.COM
kiprop/dshieldcdh02@HADOOP139.COM
krbtgt/HADOOP139.COM@HADOOP139.COM
root/admin@HADOOP139.COM
zookeeper/dshieldcdh01@HADOOP139.COM
zookeeper/dshieldcdh02@HADOOP139.COM
zookeeper/dshieldcdh03@HADOOP139.COM


  • Create the keytab
mkdir /etc/security/keytabs/
kadmin.local -q "xst -k /etc/security/keytabs/kafka.keytab kafka/dshieldcdh01@HADOOP139.COM"
kadmin.local -q "xst -k /etc/security/keytabs/kafka.keytab kafka/dshieldcdh02@HADOOP139.COM"
kadmin.local -q "xst -k /etc/security/keytabs/kafka.keytab kafka/dshieldcdh03@HADOOP139.COM"

  • Verify the keytab contents:
klist -kt /etc/security/keytabs/zookeeper.keytab 
klist -kt /etc/security/keytabs/kafka.keytab
kinit -kt /etc/security/keytabs/zookeeper.keytab zookeeper/dshieldcdh02@HADOOP139.COM


  • Copy the keytab files to the other two Zookeeper machines; a keytab can only be used on a host after it has been copied there

scp /etc/security/keytabs/*keytab root@dshieldcdh01:/etc/security/keytabs/
scp /etc/security/keytabs/*keytab root@dshieldcdh03:/etc/security/keytabs/


  • Verify on the other machines that the keytab works
kinit -kt /etc/security/keytabs/zookeeper.keytab zookeeper/dshieldcdh01@HADOOP139.COM
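Added example (Python, not part of the original post) that does the check the two verification steps above do by eye: it parses saved output of `kadmin.local -q "listprincs"` and compares it with the principals the cluster needs. It assumes the service/host@REALM naming used above; the function names and the embedded sample (a copy of the listing above) are this example's own. It goes one step beyond the post by also listing stale service principals, i.e. entries for hosts that are not in the cluster, which keep a usable keytab identity alive and should be reviewed.

```python
"""Cross-check `kadmin.local -q "listprincs"` output against the principals a
cluster should have (one service/host@REALM per service per machine).

Added example, not from the original post. It works on the saved text of the
listprincs output, so it runs offline; function names and sample are its own.
"""
import re

# One principal per line: primary[/instance]@REALM. Lines containing spaces
# (the "Authenticating as principal ..." banner) do not match and are skipped.
PRINCIPAL_RE = re.compile(r"^([^/@\s]+)(?:/([^@\s]+))?@(\S+)$")


def parse_listprincs(output):
    """Return {principal: (primary, instance, realm)} for every principal line."""
    found = {}
    for line in output.splitlines():
        m = PRINCIPAL_RE.match(line.strip())
        if m:
            found[m.group(0)] = m.groups()
    return found


def expected_principals(hosts, services, realm):
    """The service principals a cluster of these hosts must have."""
    return {f"{svc}/{host}@{realm}" for svc in services for host in hosts}


def missing_principals(output, hosts, services, realm):
    """Service principals the cluster needs but the KDC does not have."""
    return sorted(expected_principals(hosts, services, realm)
                  - set(parse_listprincs(output)))


def stale_service_principals(output, hosts, services, realm):
    """Service principals in the KDC for hosts that are not in the cluster."""
    return sorted(
        name for name, (primary, instance, r) in parse_listprincs(output).items()
        if primary in services and r == realm and instance not in hosts
    )


# Constructed sample: the listprincs output shown in the post.
SAMPLE_LISTPRINCS = """\
Authenticating as principal root/admin@HADOOP139.COM with password.
K/M@HADOOP139.COM
host/dshieldcdh01@HADOOP139.COM
host/dshieldcdh02@HADOOP139.COM
kadmin/admin@HADOOP139.COM
kadmin/changepw@HADOOP139.COM
kadmin/dshieldcdh02@HADOOP139.COM
kafka/dshieldcdh01@HADOOP139.COM
kafka/dshieldcdh02@HADOOP139.COM
kafka/dshieldcdh03@HADOOP139.COM
kiprop/dshieldcdh02@HADOOP139.COM
krbtgt/HADOOP139.COM@HADOOP139.COM
root/admin@HADOOP139.COM
zookeeper/dshieldcdh01@HADOOP139.COM
zookeeper/dshieldcdh02@HADOOP139.COM
zookeeper/dshieldcdh03@HADOOP139.COM
"""
HOSTS = ["dshieldcdh01", "dshieldcdh02", "dshieldcdh03"]
SERVICES = ["zookeeper", "kafka"]
REALM = "HADOOP139.COM"

if __name__ == "__main__":
    print("missing:", missing_principals(SAMPLE_LISTPRINCS, HOSTS, SERVICES, REALM))
    print("stale:", stale_service_principals(SAMPLE_LISTPRINCS, HOSTS, SERVICES, REALM))
```

Run it against `kadmin.local -q "listprincs" > princs.txt` captured on the KDC before distributing keytabs; an empty "missing" list means every host has both service principals, and anything in "stale" is an identity the KDC will still issue tickets for.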

II. Configuring Kerberos for Zookeeper



  • Configure the Zookeeper JAAS file:
In the Zookeeper configuration directory, create a JAAS configuration file (for example zookeeper_jaas.conf) with the following content:

  Server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/etc/security/keytabs/zookeeper.keytab"
    principal="zookeeper/dshieldcdh01@HADOOP139.COM"
    useTicketCache=false;
  };
  Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/etc/security/keytabs/zookeeper.keytab"
    principal="zookeeper/dshieldcdh01@HADOOP139.COM"
    useTicketCache=false;
  };

Note: adjust the principal and the keyTab path to match the actual environment (the host part of the principal is the host the file is deployed on).
Configure Kerberos authentication for Zookeeper: change into the configuration directory (cd conf), create zoo.cfg from the sample (cp zoo_sample.cfg zoo.cfg), then open zoo.cfg and add the settings below to enable SASL authentication and name the authentication provider:

  authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
  jaasLoginRenew=3600000
  kerberos.removeHostFromPrincipal=true
  kerberos.removeRealmFromPrincipal=true

Then add a JVM parameter to the Zookeeper startup script that points at the JAAS configuration file (no space after the =, otherwise the path is not picked up):

  export JVMFLAGS="-Djava.security.auth.login.config=/usr/local/apache-zookeeper-3.6.4/conf/zookeeper_jaas.conf"




scp /usr/local/apache-zookeeper-3.6.4/conf/zookeeper_jaas.conf root@dshieldcdh02:/usr/local/apache-zookeeper-3.6.4/conf
scp /usr/local/apache-zookeeper-3.6.4/conf/zookeeper_jaas.conf root@dshieldcdh03:/usr/local/apache-zookeeper-3.6.4/conf
[root@dshieldcdh03 ~]# cat /usr/local/apache-zookeeper-3.6.4/conf/zookeeper_jaas.conf
Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  useTicketCache=false
  keyTab="/etc/security/keytabs/zookeeper.keytab"
  principal="zookeeper/dshieldcdh03@HADOOP139.COM";
};




cat /usr/local/apache-zookeeper-3.6.4/conf/zookeeper_client_jaas.conf
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  useTicketCache=false
  keyTab="/usr/local/apache-zookeeper-3.6.4/conf/zk.service.keytab"
  principal="zookeeper/dshieldcdh03@HADOOP139.COM";
};



III. Configuring Kerberos for Kafka
Copy the kafka user's keytab file to the other servers:
scp /etc/security/keytabs/kafka.keytab root@dshieldcdh02:/etc/security/keytabs/kafka.keytab
Configure the Kafka JAAS file:
In the Kafka configuration directory, create a JAAS configuration file (for example kafka_client_jaas.conf) with the following content:
kafka_client_jaas.conf
KafkaServer {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/keytabs/kafka.keytab"
  storeKey=true
  useTicketCache=false
  serviceName="kafka"
  principal="kafka/dshieldcdh01@HADOOP139.COM";
};
KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/keytabs/kafka.keytab"
  storeKey=true
  useTicketCache=false
  serviceName="kafka"
  principal="kafka/dshieldcdh01@HADOOP139.COM";
};
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/keytabs/zookeeper.keytab"
  storeKey=true
  useTicketCache=false
  serviceName="zookeeper"
  principal="zookeeper/dshieldcdh01@HADOOP139.COM";
};
com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  renewTGT=false
  doNotPrompt=true
  useKeyTab=true
  keyTab="/etc/security/keytabs/kafka.keytab"
  storeKey=true
  useTicketCache=false
  serviceName="kafka"
  principal="kafka/dshieldcdh01@HADOOP139.COM";
};

kafka_server_jaas.conf
KafkaServer {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/keytabs/kafka.keytab"
  storeKey=true
  useTicketCache=false
  serviceName="kafka"
  principal="kafka/dshieldcdh01@HADOOP139.COM";
};
KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/keytabs/kafka.keytab"
  storeKey=true
  useTicketCache=false
  serviceName="kafka"
  principal="kafka/dshieldcdh01@HADOOP139.COM";
};
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/keytabs/zookeeper.keytab"
  storeKey=true
  useTicketCache=false
  serviceName="zookeeper"
  principal="zookeeper/dshieldcdh01@HADOOP139.COM";
};
com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  renewTGT=false
  doNotPrompt=true
  useKeyTab=true
  keyTab="/etc/security/keytabs/kafka.keytab"
  storeKey=true
  useTicketCache=false
  serviceName="kafka"
  principal="kafka/dshieldcdh01@HADOOP139.COM";
};

Note: adjust the principal, the keyTab path and the serviceName to match the actual environment.
Modify the Kafka startup script:
Add a JVM parameter to the Kafka startup script that points at the JAAS configuration file.
cat kafka_client_jaas.conf
KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  serviceName="kafka"
  keyTab="/etc/security/keytabs/kafka.keytab"
  principal="kafka/dshieldcdh01@HADOOP139.COM";
};
cat server.properties
broker.id=1
hostname=dshieldcdh01
listeners=SASL_PLAINTEXT://dshieldcdh01:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.enabled.mechanisms=GSSAPI
sasl.kerberos.service.name=kafka
zookeeper.connect=dshieldcdh01:2181,dshieldcdh02:2181,dshieldcdh03:2181
zookeeper.set.acl=true
zookeeper.connection.timeout.ms=18000

[kafka@dshieldcdh01 config]$ pwd
/usr/local/kafka/config
[kafka@dshieldcdh01 config]$ scp kafka_jaas.conf dshieldcdh02:/usr/local/kafka/config
scp kafka_jaas.conf dshieldcdh03:/usr/local/kafka/config


#kerberos
listeners=SASL_PLAINTEXT://ambarim2:9092
advertised.listeners=SASL_PLAINTEXT://ambarim2:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=GSSAPI
principal.to.local.class=kafka.security.auth.KerberosPrincipalToLocal
sasl.enabled.mechanisms=GSSAPI
zookeeper.connect=dshieldcdh01:2181,dshieldcdh02:2181,dshieldcdh03:2181
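Added example (Python; not code from the post, from Kafka or from ZooKeeper) for the JAAS file and server.properties pairing above. A broker whose GSSAPI setup is off by one character usually fails with an opaque "Authentication failed" rather than a pointer to the line at fault, so the checker below parses both files as text and reports the slips that typically cause it: a property key misspelled by a character or two (Kafka silently ignores unknown keys), whitespace inside a quoted JAAS value (a leading space becomes part of the principal name), a service name that differs between server.properties, the JAAS serviceName and the principal, and a keytab principal for a different host. The function names, the list of SASL-related keys and the two embedded samples are constructed for this example; the samples deliberately carry three such slips so the run has something to find.

```python
"""Consistency checker for a Kafka broker's Kerberos (SASL/GSSAPI) files.

Added example, not code from the post or from Kafka. Parses a JAAS file and a
server.properties file given as strings, so it runs offline, and returns
(code, detail) findings; an empty list means the two files agree.
"""
import re

# JAAS grammar subset: Name { ModuleClass flag option=value ... ; };
CONTEXT_RE = re.compile(r"(\S+)\s*\{(.*?)\};", re.S)
OPTION_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^\s;]+)')

# Broker keys relevant to SASL; used only to spot near-miss spellings.
SASL_KEYS = {
    "listeners", "advertised.listeners", "security.inter.broker.protocol",
    "sasl.mechanism.inter.broker.protocol", "sasl.enabled.mechanisms",
    "sasl.kerberos.service.name", "zookeeper.connect", "zookeeper.set.acl",
}


def parse_jaas(text):
    """{context: {option: raw_value}}; values keep their quotes so whitespace
    inside the quotes can be inspected."""
    return {name: dict(OPTION_RE.findall(body))
            for name, body in CONTEXT_RE.findall(text)}


def unquote(raw):
    return raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value, '#' comments, trimmed."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, val = line.partition("=")
            props[key.strip()] = val.strip()
    return props


def edit_distance(a, b):
    """Levenshtein distance, used for near-miss key detection."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check(jaas_text, props_text, broker_host):
    """Return a list of (code, detail) findings for one broker's files."""
    findings = []
    jaas, props = parse_jaas(jaas_text), parse_properties(props_text)
    for key in props:                      # misspelled keys are silently ignored
        near = [k for k in sorted(SASL_KEYS) if key != k and edit_distance(key, k) <= 2]
        if near:
            findings.append(("key-typo", f"{key}: did you mean {near[0]}?"))
    for ctx, opts in jaas.items():         # spaces inside quotes are part of the value
        for opt, raw in opts.items():
            if raw.startswith('"') and unquote(raw) != unquote(raw).strip():
                findings.append(("value-whitespace", f"{ctx}.{opt}={raw}"))
    server = jaas.get("KafkaServer")
    if server is None:
        findings.append(("missing-context", "no KafkaServer login context"))
        return findings
    principal = unquote(server.get("principal", "")).strip()
    primary, _, rest = principal.partition("/")
    host = rest.partition("@")[0]
    service = unquote(server.get("serviceName", primary))
    prop_service = props.get("sasl.kerberos.service.name")
    if not (prop_service == service == primary):   # three places must agree
        findings.append(("service-name-mismatch",
                         f"properties={prop_service} jaas={service} principal={primary}"))
    if host != broker_host:                # keytab must be this broker's own
        findings.append(("principal-host", f"{principal} deployed on {broker_host}"))
    return findings


# Constructed samples in the shape used above, carrying three deliberate slips:
# a leading space in the Client principal, "listerners", and service name "kaka".
SAMPLE_JAAS = '''
KafkaServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/security/keytabs/kafka.keytab"
    serviceName="kafka"
    principal="kafka/dshieldcdh01@HADOOP139.COM";
};
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/security/keytabs/zookeeper.keytab"
    serviceName="zookeeper"
    principal=" zookeeper/dshieldcdh01@HADOOP139.COM";
};
'''
SAMPLE_PROPS = """
broker.id=1
listerners=SASL_PLAINTEXT://dshieldcdh01:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.enabled.mechanisms= GSSAPI
sasl.kerberos.service.name=kaka
zookeeper.connect=dshieldcdh01:2181,dshieldcdh02:2181,dshieldcdh03:2181
"""
```

Running `check(open("kafka_server_jaas.conf").read(), open("server.properties").read(), "dshieldcdh02")` on each broker before starting it turns the three slips in the samples into three named findings, and on a host whose files were copied from dshieldcdh01 without editing the principal it adds a principal-host finding; the known-key list is deliberately small so that legitimate keys outside it are never reported.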
