我试图使用sasl\u ssl和gssapi mecanism保护apachekafka。除了Kafka使用的身份验证名称是“windows 2000之前”格式的名称而不是“标准”的新名称之外,所有的一切都正常工作。
例如,我在active directory中声明了一个新的kafka代理(我忘了说它是windows 10版本……):
用户登录名:kafka/kafka1.myfqdn。com@myfqdn.com
用户登录名(windows 2000以前的版本):假用户1
当我使用这个用户keytab登录kafka时,我在日志中有这样的内容:
[2020-11-21 17:05:50,168] INFO Successfully authenticated client: authenticationID=FAKE_USER1@MYFQDN.COM; authorizationID=kafka/kafka1.myfqdn.com@MYFQDN.COM. (org.apache.kafka.common.security.authenticator.SaslServerCallbackHandler)
[2020-11-21 17:09:50,909] INFO [GroupMetadataManager brokerId=1] Removed 0 expired offsets in 0 milliseconds. (kafka.coordinator.group.GroupMetadataManager)
[2020-11-21 17:12:00,672] INFO Successfully authenticated client: authenticationID=FAKE_USER1@MYFQDN.COM; authorizationID=kafka/kafka1.myfqdn.com@MYFQDN.COM. (org.apache.kafka.common.security.authenticator.SaslServerCallbackHandler)
[2020-11-21 17:12:00,772] INFO Successfully authenticated client: authenticationID=FAKE_USER1@MYFQDN.COM; authorizationID=kafka/kafka1.myfqdn.com@MYFQDN.COM. (org.apache.kafka.common.security.authenticator.SaslServerCallbackHandler)
[2020-11-21 17:12:00,799] DEBUG No acl found for resource ResourcePattern(resourceType=CLUSTER, name=kafka-cluster, patternType=LITERAL), authorized = false (kafka.authorizer.logger)
[2020-11-21 17:12:00,799] INFO Principal = User:FAKE_USER1 is Denied Operation = DescribeConfigs from host = xxx.xxx.xxx.xxx on resource = Cluster:LITERAL:kafka-cluster for request = DescribeConfigs with resourceRefCount = 1 (kafka.authorizer.logger)
当然,最后的denied是正常的,因为我的规则期望从kafka/kafka1.myfqdn中提取“kafka”。com@myfqdn.com 用户。
你能告诉我什么我做得不好吗?
暂无答案!
目前还没有任何答案,快来回答吧!