Enabling Kerberos authentication for Kafka

1. Environment preparation

1.1. Create the user

Create the group ywjk: groupadd ywjk
Add the user: useradd -g ywjk ywjk
Set its password: passwd ywjk

1.2. Upload the Kafka tarball

Download the Kafka tarball from the official site; kafka_2.11-0.10.2.2.tgz is used here.
Upload it from the Windows workstation to every Linux host with the Git client (Git Bash), into /home/ywjk:

 scp -r ./kafka_2.11-0.10.2.2.tgz ywjk@192.168.1.96:/home/ywjk
 scp -r ./kafka_2.11-0.10.2.2.tgz ywjk@192.168.1.97:/home/ywjk
 scp -r ./kafka_2.11-0.10.2.2.tgz ywjk@192.168.1.98:/home/ywjk
Administrator@DESKTOP-QD6V450 MINGW64 /e/workspace/soft
$ ll
total 37160
-rw-r--r-- 1 Administrator 197121 38048170 12月 28 10:25 kafka_2.11-0.10.2.2.tgz

Administrator@DESKTOP-QD6V450 MINGW64 /e/workspace/soft
$ scp -r ./kafka_2.11-0.10.2.2.tgz ywjk@192.168.1.96:/home/ywjk
ywjk@192.168.1.96's password:
kafka_2.11-0.10.2.2.tgz                       100%   36MB   4.4MB/s   00:08

Administrator@DESKTOP-QD6V450 MINGW64 /e/workspace/soft
$ scp -r ./kafka_2.11-0.10.2.2.tgz ywjk@192.168.1.97:/home/ywjk
The authenticity of host '192.168.1.97 (192.168.1.97)' can't be established.
ECDSA key fingerprint is SHA256:4jriaM+47zOyv+In1m2ndnYAZt5sXfYHE2Wo9S7jEqE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.97' (ECDSA) to the list of known hosts.
ywjk@192.168.1.97's password:
kafka_2.11-0.10.2.2.tgz                       100%   36MB   5.0MB/s   00:07

Administrator@DESKTOP-QD6V450 MINGW64 /e/workspace/soft
$ scp -r ./kafka_2.11-0.10.2.2.tgz ywjk@192.168.1.98:/home/ywjk
The authenticity of host '192.168.1.98 (192.168.1.98)' can't be established.
ECDSA key fingerprint is SHA256:sLwxbrt8Gq/43E2nW9q0iEwDJKuALl9cwFQrv3yCqxE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.98' (ECDSA) to the list of known hosts.
ywjk@192.168.1.98's password:
kafka_2.11-0.10.2.2.tgz   

Before answering yes to the host-key prompts for 192.168.1.97 and 192.168.1.98, compare the fingerprint shown with the one the host reports about itself (ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub on that host); an unverified yes pins whatever key was presented on the wire into known_hosts.

Extract the archive on every machine:

tar -zvxf ./kafka_2.11-0.10.2.2.tgz

2. Kerberos installation

The three machines are:
192.168.1.96 KDC Server hrxjb1.tcloudata.com
192.168.1.97 Client hrxjb2.tcloudata.com
192.168.1.98 Client hrxjb3.tcloudata.com

2.1. Server installation

Install the server packages on the KDC server (192.168.1.96). A local yum repository can be set up on this machine; its /etc/yum.repos.d/cdrom.repo is:

[cdrom]
name=cdrom
baseurl=http://hrxjb1.tcloudata.com/centos
enabled=1
gpgcheck=0

gpgcheck=0 turns off RPM signature verification, so the packages are trusted exactly as far as the mirror on hrxjb1 is; unless that mirror is an offline copy of verified install media, point gpgkey at the CentOS release key and set gpgcheck=1. Then install the KDC, the libraries and the workstation tools:

yum -y install krb5-server krb5-libs krb5-workstation

After installation the KDC configuration lives in /var/kerberos/krb5kdc/. kadm5.acl and kdc.conf come from the package; the principal* database files in the listing below only appear once the database has been created in 2.2.3:

[ywjk@hrxjb1 root]$ ll /var/kerberos/krb5kdc/
total 24
-rw------- 1 root root   24 Dec 28 13:41 kadm5.acl
-rw------- 1 root root  451 Sep 30 21:21 kdc.conf
-rw------- 1 root root 8192 Dec 28 14:25 principal
-rw------- 1 root root 8192 Dec 28 13:42 principal.kadm5
-rw------- 1 root root    0 Dec 28 13:42 principal.kadm5.lock
-rw------- 1 root root    0 Dec 28 14:25 principal.ok

2.2. Modify the configuration files

2.2.1. krb5.conf

Edit /etc/krb5.conf on the KDC and copy the same file to the client machines (192.168.1.97 and 192.168.1.98):

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
 default_realm = TCLOUDATA.COM
 default_ccache_name = KEYRING:persistent:%{uid}
[realms]
 TCLOUDATA.COM = {
  kdc = hrxjb1.tcloudata.com
  admin_server = hrxjb1.tcloudata.com
 }

[domain_realm]
 .tcloudata.com = TCLOUDATA.COM
 tcloudata.com = TCLOUDATA.COM

One line of this file matters for everything that follows: default_ccache_name = KEYRING:persistent:%{uid} stores kinit tickets in the kernel keyring, which Java's Krb5LoginModule cannot read, so tickets obtained with kinit are invisible to Kafka, ZooKeeper and Flink. The JAAS configurations below therefore authenticate from keytabs; if kinit-based logins are ever wanted, change this to a FILE: cache (for example FILE:/tmp/krb5cc_%{uid}).

2.2.2. kadm5.acl

[root@hrxjb1 ~]# cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@TCLOUDATA.COM	*

Configuration notes
This line grants all privileges (*) to every principal whose instance is admin, for example admin/admin@TCLOUDATA.COM; create such a principal with addprinc admin/admin in kadmin.local if remote administration through kadmin is needed. The realm in kadm5.acl must match the realm configured under [realms] in /etc/krb5.conf and in /var/kerberos/krb5kdc/kdc.conf.

2.2.3. Initialize the KDC database

kdb5_util create -r TCLOUDATA.COM -s

You are prompted for a master password. -s stores the master key in a stash file (/var/kerberos/krb5kdc/.k5.TCLOUDATA.COM) so that krb5kdc can start without prompting; the stash file is as sensitive as the database itself, so keep both root-only (the 600 permissions in the listing above) and back them up only in encrypted form. This step is what creates the principal* files seen in the directory listing in 2.1.

2.3. Start the services

2.3.1. Start the KDC service

Check the status with systemctl status krb5kdc; before the first start it is inactive (dead):

[root@hrxjb1 ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
Start it (the unit is disabled, so also run systemctl enable krb5kdc if the KDC must come back after a reboot):
[root@hrxjb1 ~]# systemctl start krb5kdc
[root@hrxjb1 ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-12-28 18:00:31 CST; 1s ago
  Process: 26940 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 26941 (krb5kdc)
   CGroup: /system.slice/krb5kdc.service
           └─26941 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid

Dec 28 18:00:31 hrxjb1.tcloudata.com systemd[1]: Starting Kerberos 5 KDC...
Dec 28 18:00:31 hrxjb1.tcloudata.com systemd[1]: Started Kerberos 5 KDC.

2.3.2. Start the kadmin service

Check its status:
[root@hrxjb1 ~]# systemctl status kadmin
● kadmin.service - Kerberos 5 Password-changing and Administration
   Loaded: loaded (/usr/lib/systemd/system/kadmin.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
Start it (and enable it the same way):
[root@hrxjb1 ~]# systemctl start kadmin
[root@hrxjb1 ~]# systemctl status kadmin
● kadmin.service - Kerberos 5 Password-changing and Administration
   Loaded: loaded (/usr/lib/systemd/system/kadmin.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-12-28 18:01:50 CST; 2s ago
  Process: 27080 ExecStart=/usr/sbin/_kadmind -P /var/run/kadmind.pid $KADMIND_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 27081 (kadmind)
   CGroup: /system.slice/kadmin.service
           └─27081 /usr/sbin/kadmind -P /var/run/kadmind.pid

Dec 28 18:01:50 hrxjb1.tcloudata.com systemd[1]: Starting Kerberos 5 Password-changing and Administration...
Dec 28 18:01:50 hrxjb1.tcloudata.com systemd[1]: Started Kerberos 5 Password-changing and Administration.

2.4. Client installation

Run on each client node (192.168.1.97 and 192.168.1.98):

yum -y install krb5-workstation

2.5. Generate the keytab files

The commands in this section are run inside kadmin.local on the KDC (192.168.1.96). Create the directory /etc/security/keytabs first (mkdir -p), on the KDC and on both clients, because ktadd and the scp below need it to exist.

Create the Kafka service principals with random keys (a service never types a password, so there is no reason for it to have a memorable one):

addprinc -randkey kafka/hrxjb1.tcloudata.com@TCLOUDATA.COM
addprinc -randkey kafka/hrxjb2.tcloudata.com@TCLOUDATA.COM
addprinc -randkey kafka/hrxjb3.tcloudata.com@TCLOUDATA.COM

Export each one into that host's keytab file. ktadd generates a fresh key and increments the kvno every time it is run, so run it once per principal:

ktadd -k /etc/security/keytabs/kafka1.keytab kafka/hrxjb1.tcloudata.com@TCLOUDATA.COM
ktadd -k /etc/security/keytabs/kafka2.keytab kafka/hrxjb2.tcloudata.com@TCLOUDATA.COM
ktadd -k /etc/security/keytabs/kafka3.keytab kafka/hrxjb3.tcloudata.com@TCLOUDATA.COM

Create the ZooKeeper service principals with random keys:

addprinc -randkey zookeeper/hrxjb1.tcloudata.com@TCLOUDATA.COM
addprinc -randkey zookeeper/hrxjb2.tcloudata.com@TCLOUDATA.COM
addprinc -randkey zookeeper/hrxjb3.tcloudata.com@TCLOUDATA.COM

Add them to the same per-host keytab files:

ktadd -k /etc/security/keytabs/kafka1.keytab zookeeper/hrxjb1.tcloudata.com@TCLOUDATA.COM
ktadd -k /etc/security/keytabs/kafka2.keytab zookeeper/hrxjb2.tcloudata.com@TCLOUDATA.COM
ktadd -k /etc/security/keytabs/kafka3.keytab zookeeper/hrxjb3.tcloudata.com@TCLOUDATA.COM

Use klist to inspect the principals added to each keytab:

klist -ket /etc/security/keytabs/kafka1.keytab
klist -ket /etc/security/keytabs/kafka2.keytab
klist -ket /etc/security/keytabs/kafka3.keytab

Each listing should show only the kafka/<host> and zookeeper/<host> entries for its own host; a keytab that contains another host's principal would let that host impersonate its neighbour.

Install each host's keytab as /etc/security/keytabs/kafka.keytab: kafka1.keytab stays on hrxjb1, kafka2.keytab and kafka3.keytab are copied to the corresponding clients:

cp -r /etc/security/keytabs/kafka1.keytab /etc/security/keytabs/kafka.keytab
scp -r /etc/security/keytabs/kafka2.keytab root@192.168.1.97:/etc/security/keytabs/kafka.keytab
scp -r /etc/security/keytabs/kafka3.keytab root@192.168.1.98:/etc/security/keytabs/kafka.keytab

A keytab is a long-term credential equivalent to the service's password. On every host make it readable only by the account that runs ZooKeeper and Kafka (chown ywjk:ywjk and chmod 600 on /etc/security/keytabs/kafka.keytab), and delete the kafka1/2/3.keytab working copies from the KDC once they have been distributed.
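The provisioning in 2.5 as one script that also verifies each keytab before shipping it. This is an added example, not code from the original post; it assumes kadmin.local is run as root on the KDC, that REALM, KEYTAB_DIR and KAFKA_HOSTS describe the cluster above, and that the keytab directory already exists on every host. It names the working keytabs after the host (hrxjb1.tcloudata.com.keytab) rather than kafka1.keytab; the copy on each broker still lands as kafka.keytab. verify_keytab_listing reads klist -ket output and fails unless the keytab holds exactly the two service principals for that host; the listing it is checked against here is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): provision one keytab per broker
# host and verify it before shipping it. Assumptions: run as root on the KDC
# where kadmin.local is available; KAFKA_HOSTS lists the broker FQDNs; the
# keytab directory already exists on every host. DRY_RUN=1 prints the
# kadmin.local batch instead of executing anything.
set -eu

REALM="${REALM:-TCLOUDATA.COM}"
KEYTAB_DIR="${KEYTAB_DIR:-/etc/security/keytabs}"
KAFKA_HOSTS="${KAFKA_HOSTS:-hrxjb1.tcloudata.com hrxjb2.tcloudata.com hrxjb3.tcloudata.com}"

# kadmin_batch HOST: print the kadmin.local commands for one host. Both service
# principals get random keys (nobody ever types a password for a service) and
# both are exported into HOST.keytab.
kadmin_batch() {
    host="$1"
    for svc in kafka zookeeper; do
        echo "addprinc -randkey $svc/$host@$REALM"
    done
    for svc in kafka zookeeper; do
        echo "ktadd -k $KEYTAB_DIR/$host.keytab $svc/$host@$REALM"
    done
}

# verify_keytab_listing HOST: read 'klist -ket' output on stdin and succeed only
# if kafka/HOST and zookeeper/HOST are present and nothing else is. Entry lines
# look like "   2 12/28/2020 14:30:01 kafka/host@REALM (aes256-cts-hmac-sha1-96)",
# so the principal is field 4; header lines never carry an '@' there.
verify_keytab_listing() {
    host="$1"
    principals=$(awk 'NF >= 4 && $4 ~ /@/ { print $4 }' | sort -u)
    for want in "kafka/$host@$REALM" "zookeeper/$host@$REALM"; do
        printf '%s\n' "$principals" | grep -qxF "$want" \
            || { echo "keytab for $host is missing $want" >&2; return 1; }
    done
    # A foreign principal in the keytab would let this host impersonate another.
    extra=$(printf '%s\n' "$principals" \
            | grep -vxF -e "kafka/$host@$REALM" -e "zookeeper/$host@$REALM" || true)
    if [ -n "$extra" ]; then
        echo "keytab for $host contains unexpected principals: $extra" >&2
        return 1
    fi
    return 0
}

provision() {
    for host in $KAFKA_HOSTS; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            kadmin_batch "$host"
            continue
        fi
        kadmin_batch "$host" | while read -r cmd; do
            kadmin.local -q "$cmd"
        done
        keytab="$KEYTAB_DIR/$host.keytab"
        # Refuse to ship a keytab that is incomplete or holds a neighbour's key.
        klist -ket "$keytab" | verify_keytab_listing "$host"
        chmod 600 "$keytab"
        # Install it as kafka.keytab on the target; hrxjb1 is the KDC itself.
        if [ "$host" = "$(hostname -f)" ]; then
            cp "$keytab" "$KEYTAB_DIR/kafka.keytab"
        else
            scp "$keytab" "root@$host:$KEYTAB_DIR/kafka.keytab"
        fi
    done
}

# Provisioning runs only when asked for explicitly:
#   DRY_RUN=1 sh provision_keytabs.sh run   (print the kadmin batch)
#   sh provision_keytabs.sh run             (create, verify, distribute)
if [ "${1:-}" = run ]; then
    provision
fi
```

Run the DRY_RUN form first to see the batch. The verification step is the part worth keeping even when the rest is done by hand: a keytab that holds a neighbour's principal is a silent impersonation path, and one that is missing the zookeeper principal only fails later, when the ZooKeeper Server login is attempted.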

3. Install Kafka + ZooKeeper

3.1. Configure ZooKeeper

3.1.1. Create the zookeeper.jaas used by ZooKeeper

Create zookeeper.jaas on all three machines. The principal must be the one stored in that host's /etc/security/keytabs/kafka.keytab. Taking 192.168.1.96 as the example:

cat /home/ywjk/kafka_2.11-0.10.2.2/config/zookeeper.jaas
Server{
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab="/etc/security/keytabs/kafka.keytab"
// check that this host's /etc/security/keytabs/kafka.keytab contains the principal named here
principal="zookeeper/hrxjb1.tcloudata.com@TCLOUDATA.COM"
useTicketCache=false;
};

Note the comment syntax: JAAS login configurations accept only // and /* */ comments, so a # line makes the JVM fail to parse the file. The option name must also be spelled exactly useTicketCache; Krb5LoginModule silently ignores option names it does not recognise (userTicketCache, for instance) and falls back to its defaults.

3.1.2. ZooKeeper configuration file

Add the following to /home/ywjk/kafka_2.11-0.10.2.2/config/zookeeper.properties:

authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl
jaasLoginRenew=3600000

The intent of requireClientAuthScheme=sasl is that ZooKeeper accepts only SASL-authenticated clients; verify this on your ZooKeeper release by connecting once without a JAAS configuration and confirming the session is refused. The connect strings used below address ZooKeeper on port 2182, so clientPort in zookeeper.properties must be 2182 on all three nodes.

3.1.3. Modify the ZooKeeper start script

Add the following to /home/ywjk/kafka_2.11-0.10.2.2/bin/zookeeper-server-start.sh:

export KAFKA_OPTS="-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/home/ywjk/kafka_2.11-0.10.2.2/config/zookeeper.jaas"

3.2. Configure Kafka

3.2.1. Create Kafka's kafka.jaas

cat /home/ywjk/kafka_2.11-0.10.2.2/config/kafka.jaas
KafkaServer{
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
serviceName="kafka"
keyTab="/etc/security/keytabs/kafka.keytab"
principal="kafka/hrxjb1.tcloudata.com@TCLOUDATA.COM";
};
KafkaClient{
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
serviceName="kafka"
keyTab="/etc/security/keytabs/kafka.keytab"
principal="kafka/hrxjb1.tcloudata.com@TCLOUDATA.COM"
useTicketCache=true;
};
Client{
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
serviceName="kafka"
keyTab="/etc/security/keytabs/kafka.keytab"
principal="kafka/hrxjb1.tcloudata.com@TCLOUDATA.COM"
useTicketCache=true;
};

KafkaServer is the broker's own login, KafkaClient is used by the producer and consumer tools in 3.5, and Client is what the broker (and kafka-topics.sh) presents to ZooKeeper. On hrxjb2 and hrxjb3 the principal is kafka/hrxjb2.tcloudata.com@TCLOUDATA.COM and kafka/hrxjb3.tcloudata.com@TCLOUDATA.COM respectively, i.e. the entry that exists in that host's kafka.keytab. useTicketCache=true lets the module try an existing ticket cache before the keytab; as noted for krb5.conf, Java cannot read the KEYRING cache, so in this setup the keytab is what gets used. The spelling matters: a misspelled option such as userTicketCache is ignored without any error.

3.2.2. Configure Kafka's server.properties

Add the following to /home/ywjk/kafka_2.11-0.10.2.2/config/server.properties (the listeners address is this broker's own IP, so it differs on each host):

zookeeper.connect=hrxjb1.tcloudata.com:2182,hrxjb2.tcloudata.com:2182,hrxjb3.tcloudata.com:2182
listeners=SASL_PLAINTEXT://192.168.1.96:9092
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.enabled.mechanisms=GSSAPI
sasl.kerberos.service.name=kafka

Three things follow from these settings. First, SimpleAclAuthorizer denies any request for which no ACL exists (allow.everyone.if.no.acl.found defaults to false), including the brokers' own inter-broker and controller requests, so either list the three broker principals in super.users (super.users=User:kafka/hrxjb1.tcloudata.com@TCLOUDATA.COM;User:kafka/hrxjb2.tcloudata.com@TCLOUDATA.COM;User:kafka/hrxjb3.tcloudata.com@TCLOUDATA.COM) or grant them ACLs with kafka-acls.sh before starting; in production, clients should get their own principals and topic-level ACLs rather than reuse the broker keytab as the test in 3.5 does. Second, SASL_PLAINTEXT authenticates but does not encrypt, so Kafka traffic, message payloads included, still crosses the network in clear; use SASL_SSL where that matters. Third, requiring SASL on the ZooKeeper port only controls who may connect; set zookeeper.set.acl=true as well so that the znodes Kafka creates carry SASL ACLs instead of world-writable ones.

3.2.3. Modify the Kafka start script

Add the following to /home/ywjk/kafka_2.11-0.10.2.2/bin/kafka-server-start.sh:

export KAFKA_OPTS="-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/home/ywjk/kafka_2.11-0.10.2.2/config/kafka.jaas"
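A pre-flight check for the JAAS files in 3.1.1 and 3.2.1, as an added example that is not part of the original page. It parses a JAAS file, flags option names Krb5LoginModule does not recognise (such as userTicketCache, which the JVM would ignore silently) and # lines (which JAAS does not treat as comments), confirms that every principal named in the file is present in the keytab it points at, and optionally that each principal's instance is this host's FQDN. It assumes MIT klist -ket output. The second argument may point at a file of captured klist output, which is what the constructed test below uses; serviceName is accepted because Kafka's SASL client reads it from the same file.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check a JAAS login
# configuration against the keytab it names before starting ZooKeeper or
# Kafka on a host. Assumes MIT 'klist -ket' output. The second argument may
# name a file that already holds klist output (used by the tests); the third
# names the host whose FQDN every principal's instance must carry.
set -eu

# Option names Krb5LoginModule understands. Unknown names (e.g. the typo
# userTicketCache) are ignored by the JVM rather than rejected, so the module
# silently falls back to its defaults. serviceName is not a Krb5LoginModule
# option but Kafka's SASL client reads it from the same entry, so it is allowed.
KRB5_OPTIONS="useKeyTab storeKey keyTab principal useTicketCache ticketCache renewTGT doNotPrompt isInitiator debug refreshKrb5Config useFirstPass tryFirstPass storePass clearPass"
KNOWN_OPTIONS="$KRB5_OPTIONS serviceName"

# jaas_values FILE KEY: print every value of KEY=... in FILE, one per line,
# with surrounding quotes and a trailing ';' removed.
jaas_values() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\";]*\)\"\{0,1\};\{0,1\}[[:space:]]*\$/\1/p" "$1"
}

# check_jaas FILE [KLIST_OUTPUT] [HOST]: exit status 0 if everything is consistent.
check_jaas() {
    jaas="$1"; listing="${2:-}"; host="${3:-}"; rc=0

    # '#' is not a comment character in JAAS files (only // and /* */ are);
    # such a line makes the JVM fail to parse the whole configuration.
    if grep -q '^[[:space:]]*#' "$jaas"; then
        echo "$jaas: '#' lines are not comments in JAAS; use // instead" >&2; rc=1
    fi

    # Every option name must be one the login module (or Kafka) knows.
    for k in $(sed -n 's/^[[:space:]]*\([A-Za-z][A-Za-z0-9]*\)[[:space:]]*=.*/\1/p' "$jaas"); do
        case " $KNOWN_OPTIONS " in
            *" $k "*) ;;
            *) echo "$jaas: unknown Krb5LoginModule option '$k' (would be ignored)" >&2; rc=1 ;;
        esac
    done

    keytab=$(jaas_values "$jaas" keyTab | head -n 1)
    [ -n "$keytab" ] || { echo "$jaas: no keyTab entry" >&2; return 1; }

    if [ -z "$listing" ]; then
        [ -r "$keytab" ] || { echo "$keytab is not readable by $(id -un)" >&2; return 1; }
        # A keytab is a long-term credential; it must not be world-readable.
        if [ -n "$(find "$keytab" -perm -o+r)" ]; then
            echo "$keytab is world-readable; chmod 600 it" >&2; rc=1
        fi
        listing=$(mktemp)
        klist -ket "$keytab" > "$listing"
    fi

    # Principal column of 'klist -ket' entries (KVNO, date, time, principal).
    principals=$(awk 'NF >= 4 && $4 ~ /@/ { print $4 }' "$listing" | sort -u)

    for p in $(jaas_values "$jaas" principal); do
        printf '%s\n' "$principals" | grep -qxF "$p" \
            || { echo "$jaas: principal $p is not in $keytab" >&2; rc=1; }
        if [ -n "$host" ]; then
            # instance = the part between '/' and '@', which must be this host
            inst=${p#*/}; inst=${inst%@*}
            [ "$inst" = "$host" ] \
                || { echo "$jaas: principal $p does not belong to host $host" >&2; rc=1; }
        fi
    done
    return $rc
}

# Usage on a broker, as the ywjk account that runs Kafka:
#   check_jaas /home/ywjk/kafka_2.11-0.10.2.2/config/kafka.jaas "" "$(hostname -f)"
#   check_jaas /home/ywjk/kafka_2.11-0.10.2.2/config/zookeeper.jaas "" "$(hostname -f)"
```

Run it as the ywjk account on each host after the keytab and JAAS files are in place; running it as root would hide the most common failure, a keytab the service account cannot read. A non-zero exit is worth fixing before the first start, because the JVM reports none of these conditions as such: an unknown option is dropped, and a principal missing from the keytab surfaces only as a login failure deep in the broker log.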

3.3. Start ZooKeeper

/home/ywjk/kafka_2.11-0.10.2.2/bin/zookeeper-server-start.sh -daemon /home/ywjk/kafka_2.11-0.10.2.2/config/zookeeper.properties

3.4. Start Kafka

/home/ywjk/kafka_2.11-0.10.2.2/bin/kafka-server-start.sh -daemon /home/ywjk/kafka_2.11-0.10.2.2/config/server.properties

3.5. Test Kafka

3.5.1. Create a topic

Add the following line to
/home/ywjk/kafka_2.11-0.10.2.2/bin/kafka-topics.sh
/home/ywjk/kafka_2.11-0.10.2.2/bin/kafka-console-consumer.sh
/home/ywjk/kafka_2.11-0.10.2.2/bin/kafka-console-producer.sh
(or export it once in the shell before running them; the scripts pass KAFKA_OPTS through to the JVM):

export KAFKA_OPTS="-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/home/ywjk/kafka_2.11-0.10.2.2/config/kafka.jaas"

Then create the topic. kafka-topics.sh talks to ZooKeeper directly, so it authenticates with the Client section of kafka.jaas:

/home/ywjk/kafka_2.11-0.10.2.2/bin/kafka-topics.sh --create --zookeeper hrxjb1.tcloudata.com:2182,hrxjb2.tcloudata.com:2182,hrxjb3.tcloudata.com:2182 --replication-factor 1 --partitions 3 --topic hnhrtlrealdata

3.5.2. Start a producer

Add the following to /home/ywjk/kafka_2.11-0.10.2.2/config/producer.properties:

security.protocol=SASL_PLAINTEXT
sasl.mechanism=GSSAPI
sasl.kerberos.service.name=kafka

Start the producer and send a few messages:

/home/ywjk/kafka_2.11-0.10.2.2/bin/kafka-console-producer.sh --broker-list  hrxjb1.tcloudata.com:9092,hrxjb2.tcloudata.com:9092,hrxjb3.tcloudata.com:9092  --topic hnhrtlrealdata --producer.config /home/ywjk/kafka_2.11-0.10.2.2/config/producer.properties

3.5.3. Start a consumer

Add the following to /home/ywjk/kafka_2.11-0.10.2.2/config/consumer.properties:

security.protocol=SASL_PLAINTEXT
sasl.mechanism=GSSAPI
sasl.kerberos.service.name=kafka

/home/ywjk/kafka_2.11-0.10.2.2/bin/kafka-console-consumer.sh --bootstrap-server hrxjb1.tcloudata.com:9092,hrxjb2.tcloudata.com:9092,hrxjb3.tcloudata.com:9092 --topic hnhrtlrealdata --from-beginning --consumer.config  /home/ywjk/kafka_2.11-0.10.2.2/config/consumer.properties

The messages sent in 3.5.2 should appear. As a negative check, run the same consumer without --consumer.config: the brokers expose only a SASL_PLAINTEXT listener, so an unauthenticated client must not receive any messages.

3.6. Adding Kerberos authentication to Flink

Flink is installed in /usr/local/flink-1.11.2.

cat /usr/local/flink-1.11.2/conf/flink-conf.yaml

Add the following to flink-conf.yaml:

security.kerberos.login.use-ticket-cache: true
security.kerberos.login.keytab: /etc/security/keytabs/kafka.keytab
security.kerberos.login.principal: kafka/hrxjb1.tcloudata.com@TCLOUDATA.COM

# The configuration below defines which JAAS login contexts

security.kerberos.login.contexts: Client,KafkaClient

Copy Kafka's kafka.jaas and the kafka.keytab produced in 2.5 to every Flink machine; as with the brokers, the principal configured on a machine must be the one present in that machine's keytab. Reusing the broker's own principal for Flink means a compromised Flink node can impersonate a broker; giving Flink its own principal and keytab, with ACLs on just the topics it uses, keeps the two identities separate.
