如何阻止未经授权的用户创建/删除Kafka主题?

zphenhs4  于 2021-06-06  发布在  Kafka
关注(0)|答案(1)|浏览(373)

我用sasl+acl和kafka设置了kafka和zookeeper身份验证,并通过ssl双向身份验证(包括加密)将其发送给生产者和消费者。
通过在kafka和zookeeper之间启用sasl和acl,它不允许未经授权的kafka代理登录zookeeper集群。但是,主题的创建和删除可以不受任何限制地完成。
zookeeper.properties属性

dataDir=/x02/lsesv2-s/data/Zookeeper

clientPort=15300

tickTime=2000

initLimit=10

syncLimit=5

authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider

requireClientAuthScheme=sasl

jaasLoginRenew=3600000

quorum.auth.enableSasl=true

quorum.auth.learnerRequireSasl=true

quorum.auth.serverRequireSasl=true

quorum.auth.learner.loginContext=QuorumLearner

quorum.auth.server.loginContext=QuorumServer

server.1=172.25.33.12:15302:15301
server.2=172.25.33.13:15302:15301
server.3=172.25.33.11:15302:15301

zookeeper\ u jaas.conf文件

Server {
        org.apache.zookeeper.server.auth.DigestLoginModule required
        username="admin"
        password="abc123"
        user_admin="abc123";
};

QuorumServer {
        org.apache.zookeeper.server.auth.DigestLoginModule required
        user_admin="abc123";
};

QuorumLearner {
        org.apache.zookeeper.server.auth.DigestLoginModule required
        username="admin"
        password="abc123";
};

按以下代码设置acl

final CountDownLatch connectedSignal = new CountDownLatch(1);
        String connect = "localhost:15300";
        ZooKeeper zooKeeper = null;

        try
        {
            String userName = "admin";
            String password = "mit123";

            zooKeeper = new ZooKeeper(connect, 5000, we ->
            {
                if (we.getState() == Watcher.Event.KeeperState.SyncConnected)
                {
                    connectedSignal.countDown();
                }
            });

            connectedSignal.await();

            zooKeeper.addAuthInfo("digest", (userName + ":" + password).getBytes());

            final String aclString = "auth:" + userName + ":" + password + ":" + "cdrwa" + 
            ",sasl:" + userName + ":" + "cdrwa";

            zooKeeper.setACL("/", parseACLs(aclString), -1);

        } finally
        {
            if (zooKeeper != null)
            {
                zooKeeper.close();
            }
        }

上面的代码正在工作,下面是执行代码后的结果。

Welcome to ZooKeeper!
JLine support is disabled

WATCHER::

WatchedEvent state:SyncConnected type:None path:null
getAcl /
'sasl,'admin
: cdrwa
'digest,'admin:oiasY+rmnmmK9mec8kpnvv281HE=
: cdrwa

在启动时,我替代了server.properties文件覆盖了kafka属性*
Kafka酒店

kafka/bin/kafka-server-start.sh /x02/lsesv2-s/current/kafka/config/server.properties 
--override broker.id=1 
--override zookeeper.connect=10g-flton-onl01:15300,10g-flton-onl02:15300,10g-flton-nor02:15300 
--override num.network.threads=16 
--override num.io.threads=16 
--override socket.send.buffer.bytes=10240000
--override socket.receive.buffer.bytes=10240000 
--override log.dirs=/x02/lsesv2-s/data/Kafka 
--override offsets.topic.replication.factor=1 
--override min.insync.replicas=1 
--override inter.broker.listener.name=INTERNAL 
--override listeners=INTERNAL://10g-flton-onl01:15307 
--override advertised.listeners=INTERNAL://10g-flton-onl01:15307 
--override listener.security.protocol.map=INTERNAL:SSL 
--override security.protocol=SSL 
--override ssl.client.auth=required 
--override ssl.key.password=abc123 
--override ssl.keystore.location=configs/MHV/kafka.server.keystore.jks 
--override ssl.keystore.password=abc123 
--override ssl.truststore.location=configs/MHV/kafka.server.truststore.jks 
--override ssl.truststore.password=abc123 
--override ssl.endpoint.identification.algorithm=

Kafka到生产者/消费者的认证工作正常,zookeeper到Kafka的认证工作正常。但是,主题的创建和删除也可以由未经授权的用户完成。
主题创建

kafka/bin/kafka-topics.sh --create --zookeeper localhost:15300 --replication-factor 3 --partitions 8 --topic test

主题删除

kafka/bin/kafka-topics.sh --zookeeper localhost:15300 --delete --topic test

注意:在创建或删除主题时,我没有设置-djava.security.auth.login.config=kafka\u server\u jaas.conf。所以这个操作应该受到限制。但事实上,事实并非如此。
帮助我仅为授权用户创建和删除主题。

daolsyd0

daolsyd01#

这似乎是本地测试所必需的属性。

KAFKA_ZOOKEEPER_SET_ACL: "true"

对于合流的图像或Map也直接。

zookeeper.set.acl

参考
也如Kafka101汇合处所述
zookeeper中存储的元数据只有代理才能修改相应的znode,但是znode是世界可读的。 
因为我们将zookeeper配置为需要sasl身份验证,所以在启动kafka topics工具时需要设置java.security.auth.login.config系统属性:
这里显示了一个代码示例和docker compose文件

相关问题