Configure kafka_server_jaas.conf for multiple listeners

Question

I am trying to migrate away from keeping my SASL authentication within my server.properties file and instead keep it in my kafka_server_jaas.conf file. However, I am getting slightly confused, as the settings used in server.properties do not seem to map to the settings used in kafka_server_jaas.conf.

Here is the existing setup.
server.properties:

listener.security.protocol.map=EXTERNAL_SASL:SASL_SSL,INTERNAL:SASL_SSL,EXTERNAL_SSL:SSL,EXTERNAL_PLAINTEXT:PLAINTEXT
listeners=EXTERNAL_SASL://:9094,INTERNAL://:9091,EXTERNAL_SSL://:9093,EXTERNAL_PLAINTEXT://:9092
advertised.listeners=OMITTED

listener.name.external_sasl.sasl.enabled.mechanisms=PLAIN
listener.name.external_sasl.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
username="broker-admin" password="xx" \
user_admin="xx"\
user_broker="xx";

listener.name.internal.sasl.enabled.mechanisms=PLAIN
listener.name.internal_sasl.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
username="broker-admin" password="xx" \
user_admin="xx"\
user_broker="xx";

This works as I would expect. I am able to interact with the cluster using the credentials in the server.properties file.

When configuring kafka_server_jaas.conf all of the examples indicate that my config needs to look like this:

KafkaServer {        
org.apache.kafka.common.security.plain.PlainLoginModule required 
username="broker-admin" password="xx"
user_admin="xx"
user_broker="xx";
};

This leads to my question, do I not need to specify which listener (external_sasl or internal) that kafka_server_jaas.conf should use? To me, the config should be:

KafkaServer {        
listener.name.external_sasl.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required 
username="broker-admin" password="xx"
user_admin="xx"
user_broker="xx";
};

But this does not work.

Is anyone able to point out what I am missing here?

Answer 1

Score: 1

I was able to find the answer to this:

The correct configuration for specifying the listener in the kafka_server_jaas.conf file is:

external_sasl.KafkaServer {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="broker-admin" password="xx"
    user_admin="xx"
    user_broker="xx";
};

internal.KafkaServer {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="broker-admin" password="xx"
    user_admin="xx"
    user_broker="xx";
};
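
The listener-prefixed sections in the answer are one level of the broker's JAAS lookup order, which the Kafka documentation gives as: the `listener.name.<listener>.<mechanism>.sasl.jaas.config` property, then the `<listener>.KafkaServer` section, then the unprefixed `KafkaServer` section. The sketch below is an added example, not code from the original post or from the Kafka project; its function names and sample input are constructed for illustration, and it reports which of those sources each SASL listener would use.

```python
import re
# Constructed sample input, reusing the listener names from the question.
SAMPLE_PROPERTIES = """\
listener.security.protocol.map=EXTERNAL_SASL:SASL_SSL,INTERNAL:SASL_SSL,EXTERNAL_SSL:SSL
listener.name.external_sasl.sasl.enabled.mechanisms=PLAIN
listener.name.internal.sasl.enabled.mechanisms=PLAIN
listener.name.internal.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \\
    username="broker-admin" password="xx";
"""
SAMPLE_JAAS = """\
external_sasl.KafkaServer {
    org.apache.kafka.common.security.plain.PlainLoginModule required username="broker-admin" password="xx";
};
KafkaServer {
    org.apache.kafka.common.security.plain.PlainLoginModule required username="broker-admin" password="xx";
};
"""

def parse_properties(text):
    """Parse key=value lines; a trailing backslash continues onto the next line."""
    props = {}
    for line in re.sub(r"\\\n[ \t]*", "", text).splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def resolve_jaas_sources(properties_text, jaas_text):
    """Return {(listener, mechanism): source of the broker's JAAS login config}."""
    props = parse_properties(properties_text)
    sections = set(re.findall(r"^\s*([\w.]+)\s*\{", jaas_text, re.MULTILINE))
    sources = {}
    for entry in props["listener.security.protocol.map"].split(","):
        listener, protocol = entry.strip().split(":")
        if not protocol.startswith("SASL_"):
            continue  # SSL and PLAINTEXT listeners have no JAAS login context
        name = listener.lower()  # prefixes use the listener name in lower case
        mechanisms = props.get(f"listener.name.{name}.sasl.enabled.mechanisms",
                               props.get("sasl.enabled.mechanisms", "GSSAPI"))
        for mech in (m.strip() for m in mechanisms.split(",")):
            # Precedence: listener property, <listener>.KafkaServer, then KafkaServer.
            inline = f"listener.name.{name}.{mech.lower()}.sasl.jaas.config" in props
            static = next((s for s in (f"{name}.KafkaServer", "KafkaServer") if s in sections), None)
            sources[(listener, mech)] = "server.properties" if inline else static
    return sources

if __name__ == "__main__":
    for key, source in resolve_jaas_sources(SAMPLE_PROPERTIES, SAMPLE_JAAS).items():
        print(key, "->", source)
```

A result of `None` means no login configuration was found for that listener and mechanism at any of the three levels.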

huangapple
  • Published on August 4, 2023, 05:47:51
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76831783.html