kafka开启Kerberos
1、修改server.properties
# Add the following settings.
# SASL_PLAINTEXT authenticates clients and brokers with Kerberos (GSSAPI) but
# does not encrypt traffic on the wire. SASL_SSL is the Kafka protocol that adds
# TLS on top of SASL; it needs keystore/truststore settings not shown here.
listeners=SASL_PLAINTEXT://IP:port
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.enabled.mechanisms=GSSAPI
# Matches the first component of the principal used in kafka_jaas.conf (kafka/dtstack@DTSTACK.COM).
sasl.kerberos.service.name=kafka
2、修改consumer.properties
# Consumer side: Kerberos (GSSAPI) authentication over an unencrypted connection.
# The protocol has to match the broker listener (SASL_PLAINTEXT in server.properties).
security.protocol=SASL_PLAINTEXT
sasl.mechanism=GSSAPI
sasl.kerberos.service.name=kafka
3、修改producer.properties
# Producer side: Kerberos (GSSAPI) authentication over an unencrypted connection.
# The protocol has to match the broker listener (SASL_PLAINTEXT in server.properties).
security.protocol=SASL_PLAINTEXT
sasl.mechanism=GSSAPI
sasl.kerberos.service.name=kafka
4、增加client.properties
# Settings for the admin tools (passed with --command-config in the smoke test).
# sasl.mechanism is not set here, so the client default applies — presumably GSSAPI;
# confirm for your Kafka version.
security.protocol=SASL_PLAINTEXT
sasl.kerberos.service.name=kafka
5、在config下增加kafka_jaas.conf
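// JAAS login contexts for Kafka with Kerberos.
// All three sections log in from the same keytab as the broker principal, so the
// command-line tools in this setup authenticate as the broker itself. For anything
// beyond a smoke test, give clients their own principal and keytab.
// The keytab holds the principal's long-term key: keep it readable only by the
// account that runs Kafka.

// Login context used by the broker.
KafkaServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    serviceName="kafka"
    keyTab="/data/kerberos/kafka.keytab"
    principal="kafka/dtstack@DTSTACK.COM";
};

// Login context used by Kafka clients (producer, consumer, admin tools).
KafkaClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    serviceName="kafka"
    keyTab="/data/kerberos/kafka.keytab"
    principal="kafka/dtstack@DTSTACK.COM"
    // Option name is useTicketCache; false means always log in from the keytab.
    useTicketCache=false;
};

// Login context used for the ZooKeeper connection.
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    serviceName="kafka"
    keyTab="/data/kerberos/kafka.keytab"
    principal="kafka/dtstack@DTSTACK.COM"
    // Option name is useTicketCache; false means always log in from the keytab.
    useTicketCache=false;
};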
6、修改启动脚本 kafka-server-start.sh,增加krb5文件和kafka_jaas.conf文件
# JVM options for the broker: Prometheus JMX agent, krb5.conf location and the JAAS file.
# This assignment replaces any KAFKA_OPTS already present in the environment.
# The ./libs, ./prometheus and ./config paths are relative, so they resolve against
# the directory the broker is started from.
export KAFKA_OPTS="-javaagent:./libs/jmx_prometheus_javaagent-0.11.0.jar=9525:./prometheus/kafka.yml -Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=./config/kafka_jaas.conf"
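# Start a Kafka broker with Kerberos (krb5.conf + JAAS file) and the Prometheus
# JMX agent enabled.
# Arguments: [-daemon] server.properties [--override property=value]*
if [ $# -lt 1 ]; then
  echo "USAGE: $0 [-daemon] server.properties [--override property=value]*"
  exit 1
fi

# Quoted so a script path containing spaces does not break dirname.
base_dir=$(dirname "$0")
# Kafka home is the parent of the script directory; the log4j path below makes
# the same assumption.
kafka_home="$base_dir/.."

if [ -z "${KAFKA_LOG4J_OPTS:-}" ]; then
  export KAFKA_LOG4J_OPTS="-Dlog4j.configuration=file:$base_dir/../config/log4j.properties"
fi

if [ -z "${KAFKA_HEAP_OPTS:-}" ]; then
  export KAFKA_HEAP_OPTS="-Xmx1G -Xms1G"
fi

# Default only when EXTRA_ARGS is unset; an explicitly empty value is kept.
EXTRA_ARGS=${EXTRA_ARGS-'-name kafkaServer -loggc'}

COMMAND=$1
case "$COMMAND" in
  -daemon)
    EXTRA_ARGS="-daemon $EXTRA_ARGS"
    shift
    ;;
  *)
    ;;
esac

#export JMX_PORT="9524"

# Paths are anchored at the Kafka home instead of "./", so the JAAS file and the
# JMX agent are found no matter which directory the broker is started from.
# A missing JAAS file would otherwise only show up as a login failure at startup.
# This assignment replaces any KAFKA_OPTS already present in the environment.
# The exporter on port 9525 is a separate HTTP endpoint and is not covered by the
# SASL listener settings; restrict access to it at the network level.
export KAFKA_OPTS="-javaagent:$kafka_home/libs/jmx_prometheus_javaagent-0.11.0.jar=9525:$kafka_home/prometheus/kafka.yml -Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=$kafka_home/config/kafka_jaas.conf"

# EXTRA_ARGS is intentionally unquoted: it carries several space-separated options.
exec "$base_dir/kafka-run-class.sh" $EXTRA_ARGS kafka.Kafka "$@"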
7、修改脚本文件
修改kafka-topics.sh/kafka-console-consumer.sh/kafka-console-producer.sh文件,同样增加krb5文件和kafka_jaas.conf文件
#在文件首行添加或者在exec前进行配置。 export KAFKA_OPTS="-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/opt/dtstack/Kafka/kafka/config/kafka_jaas.conf"
8、em页面重新启动kafka
9、创建测试topic进行冒烟测试
# Smoke test: create a topic, then produce to it and consume from it using the
# Kerberos client settings.
# A useful extra check is the negative case: the same producer/consumer command
# without its --producer.config / --consumer.config file should fail to
# authenticate once the brokers expose only SASL listeners.

# Create the test topic.
./kafka-topics.sh --create --zookeeper zkip1:port,zkip2:port,zkip3:port --replication-factor 1 --partitions 3 --topic test --command-config /opt/dtstack/Kafka/kafka/config/client.properties

# Produce messages to the test topic.
./kafka-console-producer.sh --broker-list broker1:9092,broker2:9092,broker3:9092 --topic test --producer.config /opt/dtstack/Kafka/kafka/config/producer.properties

# Consume the messages back from the beginning of the topic.
./kafka-console-consumer.sh --bootstrap-server broker1:9092,broker2:9092,broker3:9092 --topic test --from-beginning --consumer.config /opt/dtstack/Kafka/kafka/config/consumer.properties