Kafka security setup problem with SASL_SSL and SCRAM

hpxqektj posted on 2023-06-28 in Apache
Follow (0) | Answers (2) | Views (209)

I ran into an error when starting the Kafka server. I had already set up SSL, and it works fine with 3 Kafka brokers. ZooKeeper is also set up with SSL.
Now I am trying to set up SCRAM for SASL_SSL on the Kafka broker from the server properties file.
I created a user with the following command:

kafka-configs.sh --zookeeper localhost:2182 --zk-tls-config-file zookeeper-client.properties --entity-type users --entity-name broker-admin --alter --add-config 'SCRAM-SHA-512=[password=DEM123]'

I can see that the user was created.
But when I try to run the command to start the Kafka broker:

kafka-server-start.sh -daemon server-0.properties

and check the server.log file, it shows this error:

[2021-10-05 16:21:38,369] ERROR [KafkaServer id=0] Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /config/users/broker-admin

Can someone help me with this?
Let me share my zookeeper.properties file:

dataDir=/var/www/kafka/data/zookeeper
clientPort=2181
secureClientPort=2182
authProvider.x509=org.apache.zookeeper.server.auth.X509AuthenticationProvider
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.trustStore.location=/var/www/kafka/ssl/kafka.zookeeper.truststore.jks
ssl.trustStore.password=zookeepbook
ssl.keyStore.location=/var/www/kafka/ssl/kafka.zookeeper.keystore.jks
ssl.keyStore.password=zookeepbook
ssl.clientAuth=need
maxClientCnxns=0
admin.enableServer=true
admin.serverPort=9090
server.1=localhost:2888:3888

Contents of the server.properties file:

broker.id=0
listeners=SASL_SSL://localhost:9092
advertised.listeners=SASL_SSL://localhost:9092
zookeeper.connect=localhost:2182
log.dirs=/var/www/kafka/data/broker-0
num.network.threads=3
num.io.threads=8
socket.send.buffer.bytes=102400
socket.receive.buffer.bytes=102400
socket.request.max.bytes=104857600
num.partitions=3
num.recovery.threads.per.data.dir=1
offsets.topic.replication.factor=1
transaction.state.log.replication.factor=1
transaction.state.log.min.isr=1
log.retention.hours=168
log.segment.bytes=1073741824
log.retention.check.interval.ms=300000
zookeeper.connection.timeout.ms=18000
group.initial.rebalance.delay.ms=0

zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
zookeeper.ssl.client.enable=true
zookeeper.ssl.protocol=TLSv1.2

zookeeper.ssl.truststore.location=/var/www/kafka/ssl/kafka.broker-0.truststore.jks
zookeeper.ssl.truststore.password=zookeepbookbrk0
zookeeper.ssl.keystore.location=/var/www/kafka/ssl/kafka.broker-0.keystore.jks
zookeeper.ssl.keystore.password=zookeepbookbrk0

zookeeper.set.acl=true

ssl.truststore.location=/var/www/kafka/ssl/kafka.broker-0.truststore.jks
ssl.truststore.password=zookeepbookbrk0
ssl.keystore.location=/var/www/kafka/ssl/kafka.broker-0.keystore.jks
ssl.keystore.password=zookeepbookbrk0
ssl.key.password=zookeepbookbrk0
security.inter.broker.protocol=SASL_SSL
ssl.client.auth=none
ssl.protocol=TLSv1.2

sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
listener.name.sasl_ssl.scram-sha-512.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username='broker-admin' password=DEM123;
super.users=User:broker-admin
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
Answer 1 (dgtucam1):

Could you try setting 'skipACL=yes' in your zookeeper.properties? If you authenticated to ZooKeeper with an SSL client certificate when you created the 'broker-admin' user, I think this happens because access is denied from anywhere other than the place the command was run from.
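Added example illustrating the explanation in this answer (it is not code from the question or from either answer): the certificate subjects and ACL strings are constructed assumptions, and the two-line layout is the form zookeeper-shell.sh prints for getAcl. It parses that output and replays ZooKeeper's permission check, so the same function can be run on the real getAcl output for /config/users/broker-admin to see which identity the znode is bound to:

```python
import re
from typing import List, NamedTuple, Set, Tuple

class Acl(NamedTuple):
    scheme: str   # e.g. "x509", "world", "sasl"
    ident: str    # certificate subject DN for x509, "anyone" for world
    perms: str    # subset of "cdrwa": create, delete, read, write, admin

# zookeeper-shell.sh prints each ACL entry as two lines: 'scheme,'id then ": perms"
ENTRY_RE = re.compile(r"^'(?P<scheme>[^,]+),'(?P<ident>.*)$")

def parse_get_acl(output: str) -> List[Acl]:
    """Parse the text printed by `zookeeper-shell.sh ... getAcl <path>`."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("getAcl output should alternate id / perms lines")
    acls = []
    for id_line, perm_line in zip(lines[0::2], lines[1::2]):
        m = ENTRY_RE.match(id_line)
        if not m or not perm_line.startswith(":"):
            raise ValueError(f"unexpected getAcl lines: {id_line!r} / {perm_line!r}")
        acls.append(Acl(m["scheme"], m["ident"], perm_line[1:].strip()))
    return acls

def allowed(acls: List[Acl], client_ids: Set[Tuple[str, str]], perm: str) -> bool:
    """Mirror ZooKeeper's check: grant if any entry carrying `perm` matches one of
    the client's authenticated (scheme, id) pairs; 'world,'anyone matches everyone."""
    for acl in acls:
        if perm not in acl.perms:
            continue
        if (acl.scheme, acl.ident) == ("world", "anyone") or (acl.scheme, acl.ident) in client_ids:
            return True
    return False

# Constructed samples. With zookeeper.set.acl=true, /config/users/* gets a creator-only ACL;
# under the x509 auth provider the creator is the subject DN of the tool's client certificate.
USERS_ZNODE_ACL = "'x509,'CN=zookeeper-client,O=Example\n: cdrwa\n"
# Non-sensitive paths such as /brokers/ids additionally get world-readable access.
BROKERS_ZNODE_ACL = USERS_ZNODE_ACL + "'world,'anyone\n: r\n"
TOOL_IDENTITY = {("x509", "CN=zookeeper-client,O=Example")}
BROKER_IDENTITY = {("x509", "CN=broker-0,O=Example")}   # hypothetical broker cert DN

def can_read(acl_output: str, client_ids: Set[Tuple[str, str]]) -> bool:
    """True when a client holding `client_ids` may read the znode (no NoAuth)."""
    return allowed(parse_get_acl(acl_output), client_ids, "r")

if __name__ == "__main__":
    for who, ids in (("tool", TOOL_IDENTITY), ("broker-0", BROKER_IDENTITY)):
        print(f"{who} reads /config/users/broker-admin: {can_read(USERS_ZNODE_ACL, ids)}")
```

Note that skipACL=yes disables ACL enforcement for every znode, so once the check above confirms an identity mismatch, re-creating the user config with the identity the brokers present is the narrower fix.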

Answer 2 (ryoqjall):

I was facing the same problem. It is fixed now.
I hit this problem because I had set up Kafka and ZK with some specific user credentials and later changed them, so I got this error:
org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /config/users/old-user-name
So restarting the Kafka server should solve the problem.
If that does not work, try restarting the whole machine. (If that works, you did not restart the Kafka server properly before.)
