Enabling SSL on ZooKeeper

Keywords: docker zk kafka security SSL

Deploying ZooKeeper and Kafka with Docker

Server list

  • 192.168.1.202 DB-6
  • 192.168.1.203 DB-7
  • 192.168.1.204 DB-8

Operating system: CentOS 7
docker: 19.03.8
zk: 3.6.1
kafka: wurstmeister/kafka:2.13-2.6.0

Vulnerability description

ZooKeeper unauthorized access [principle-based scan]
...

Prerequisites:

1. Set environment variables

# Back up the configuration file
cp -p ~/.bashrc ~/.bashrc.old

# Edit ~/.bashrc and append the following at the end of the file:
# Name of the physical (non-virtual) network interface
ls_iface=$(ls -l /sys/class/net/ | grep -v virtual | grep root | gawk '{print $9}')
# IPv4 address of that interface, with the prefix length stripped
MYIP=$(ip -h -4 -o address | grep "$ls_iface" | gawk '{print $4}' | sed 's/\// /' | gawk '{print $1}')
export MYIP
# Last octet of the address, used as the suffix of the container names
export IMAGE_NAME=$(echo "$MYIP" | gawk -F. '{print $4}')

# Set the ZooKeeper ID for each server.
# Note: the ID must be different on every server and must match the x in
# server.x of ZOO_SERVERS in the configuration below
export myid=1

2. Apply the environment variables

source ~/.bashrc

3. Check that the environment variables took effect

echo $MYIP $IMAGE_NAME $myid

Enable SSL on ZK so that Kafka must connect to ZK over SSL. Because ZooKeeper requires client certificates on the secure port by default (ssl.clientAuth=need), only a client holding a certificate that the server's truststore trusts can connect, which is what closes the unauthorized-access finding.

Reference:
https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide

1. Create keys in JKS format, valid for 10 years

# 1. Generate the keystore file zkkeystore.jks (key alias zkserver)
keytool -genkeypair -alias zkserver -keyalg RSA -validity 3650 -keystore zkkeystore.jks \
-keysize 4096 -storepass zkserver -keypass zkserver -storetype jks -v \
-dname CN=zk-test \
-ext san=dns:DB-6,dns:DB-7,dns:DB-8,ip:192.168.1.202,ip:192.168.1.203,ip:192.168.1.204,ip:127.0.0.1

# 2. Export the public-key certificate. The exported file is zkserver-public.cer
keytool -exportcert -alias zkserver -keystore zkkeystore.jks -rfc -file zkserver-public.cer \
-storepass zkserver -v

# 3. Create the truststore and import the public certificate. The truststore password is zkclient
keytool -importcert -alias zkserver -file zkserver-public.cer -keystore zktruststore.jks \
-storepass zkclient -storetype jks -noprompt

# 4. Create the directory for the certificates and copy the files above into it
mkdir -p /myhome/zk/cert
cp zkkeystore.jks zktruststore.jks /myhome/zk/cert/

2. Copy the ZK and Kafka configurations

# Copy the existing configuration out of the running containers, then modify it
docker cp zk_${IMAGE_NAME}:/conf /myhome/zk
docker cp kafka_${IMAGE_NAME}:/opt/kafka/config /myhome/kafka

2.1 Stop and remove the zk and kafka containers

docker stop kafka_${IMAGE_NAME}
docker rm kafka_${IMAGE_NAME}

docker stop zk_${IMAGE_NAME}
docker rm zk_${IMAGE_NAME}

3. ZK

3.1 Modify the zk configuration file

# Append to the configuration file
cat >>/myhome/zk/conf/zoo.cfg <<EOF
# New port for SSL clients
secureClientPort=2182
# Server-side certificate settings (TLS requires the Netty connection factory)
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location=/mnt/zkkeystore.jks
ssl.keyStore.password=zkserver
ssl.trustStore.location=/mnt/zktruststore.jks
ssl.trustStore.password=zkclient
EOF
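Added check, not part of the original post: a small shell audit that reads a zoo.cfg and confirms the TLS keys appended above are present, warns when clientPort is still configured (the zoo.cfg generated by the official zookeeper image contains clientPort=2181, which the append above leaves in place; the docker run commands below simply no longer publish that port), and checks that a keystore or truststore file has no group/other permission bits, since its password sits in clear text in this configuration. The sample configs are constructed for the demonstration; the assumption about the image's default clientPort line is mine, not stated on this page.

```bash
#!/bin/sh
# Added audit helper, not part of the original post.
# audit_zoo_cfg FILE: return 0 if every TLS key appended above is present in FILE,
# 1 if one is missing or serverCnxnFactory is wrong. clientPort only produces a
# warning: the plaintext port stays configured, just unpublished by the container.
audit_zoo_cfg() {
    cfg="$1"
    missing=0
    for key in secureClientPort serverCnxnFactory ssl.keyStore.location \
               ssl.keyStore.password ssl.trustStore.location ssl.trustStore.password; do
        if ! grep -q "^${key}=" "$cfg"; then
            echo "MISSING in $cfg: $key" >&2
            missing=1
        fi
    done
    # TLS needs the Netty connection factory; the default NIO factory does not support it
    if grep -q '^serverCnxnFactory=' "$cfg" &&
       ! grep -q '^serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory$' "$cfg"; then
        echo "WRONG in $cfg: serverCnxnFactory must be NettyServerCnxnFactory" >&2
        missing=1
    fi
    if grep -q '^clientPort=' "$cfg"; then
        echo "WARNING in $cfg: $(grep '^clientPort=' "$cfg") still enables a plaintext listener" >&2
    fi
    [ "$missing" -eq 0 ]
}

# check_private FILE: return 0 if FILE has no group/other permission bits.
# The store passwords are clear text in zoo.cfg, so file permissions are what
# actually protects the key material.
check_private() {
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Constructed sample configs for a self-check (not copied from a running node).
tmpdir=$(mktemp -d)
cat >"$tmpdir/good.cfg" <<'EOF'
tickTime=2000
clientPort=2181
secureClientPort=2182
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location=/mnt/zkkeystore.jks
ssl.keyStore.password=zkserver
ssl.trustStore.location=/mnt/zktruststore.jks
ssl.trustStore.password=zkclient
EOF
cat >"$tmpdir/bad.cfg" <<'EOF'
tickTime=2000
clientPort=2181
secureClientPort=2182
EOF

audit_zoo_cfg "$tmpdir/good.cfg" && echo "good.cfg: TLS settings complete"
audit_zoo_cfg "$tmpdir/bad.cfg"  || echo "bad.cfg: TLS settings incomplete"
```

On a node, run audit_zoo_cfg /myhome/zk/conf/zoo.cfg after the append, and check_private /myhome/zk/cert/zkkeystore.jks once the files in /myhome/zk/cert have been restricted with chmod 600.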

3.2 Modify the zk start command

# --------192.168.1.202--------

# Client port changed to secureClientPort 2182
# The client port in ZOO_SERVERS (the ";port" suffix of each entry) also changed to 2182
# Added volume mounts for the conf and cert directories

docker run -d --name=zk_${IMAGE_NAME} \
--restart=always \
-p 2888:2888 \
-p 3888:3888 \
-p 2182:2182 \
-e ZOO_MY_ID=${myid} \
-e ZOO_SERVERS="server.1=0.0.0.0:2888:3888;2182 server.2=192.168.1.203:2888:3888;2182 server.3=192.168.1.204:2888:3888;2182" \
-e SERVER_JVMFLAGS="-Dzookeeper.4lw.commands.whitelist=*" \
-v /myhome/zk/data:/data \
-v /myhome/zk/datalog:/datalog \
-v /etc/localtime:/etc/localtime \
-v /myhome/zk/cert:/mnt \
-v /myhome/zk/conf:/conf \
zookeeper:3.6.1

# --------192.168.1.203--------

docker run -d --name=zk_${IMAGE_NAME} \
--restart=always \
-p 2888:2888 \
-p 3888:3888 \
-p 2182:2182 \
-e ZOO_MY_ID=${myid} \
-e ZOO_SERVERS="server.1=192.168.1.202:2888:3888;2182 server.2=0.0.0.0:2888:3888;2182 server.3=192.168.1.204:2888:3888;2182" \
-e SERVER_JVMFLAGS="-Dzookeeper.4lw.commands.whitelist=*" \
-v /myhome/zk/data:/data \
-v /myhome/zk/datalog:/datalog \
-v /etc/localtime:/etc/localtime \
-v /myhome/zk/cert:/mnt \
-v /myhome/zk/conf:/conf \
zookeeper:3.6.1
# --------192.168.1.204--------

docker run -d --name=zk_${IMAGE_NAME} \
--restart=always \
-p 2888:2888 \
-p 3888:3888 \
-p 2182:2182 \
-e ZOO_MY_ID=${myid} \
-e ZOO_SERVERS="server.1=192.168.1.202:2888:3888;2182 server.2=192.168.1.203:2888:3888;2182 server.3=0.0.0.0:2888:3888;2182" \
-e SERVER_JVMFLAGS="-Dzookeeper.4lw.commands.whitelist=*" \
-v /myhome/zk/data:/data \
-v /myhome/zk/datalog:/datalog \
-v /etc/localtime:/etc/localtime \
-v /myhome/zk/cert:/mnt \
-v /myhome/zk/conf:/conf \
zookeeper:3.6.1
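The three docker run commands differ only in which ZOO_SERVERS entry is 0.0.0.0, and the note in the prerequisites requires that entry's index to equal myid. Added helper, not part of the original post: build_zoo_servers derives the ZOO_SERVERS value for the current node from myid and the server list, and check_zoo_servers validates a hand-written value (the 0.0.0.0 entry is server.<myid> and nothing else, and every entry carries the 2182 client port). The port numbers are the ones used in the commands above.

```bash
#!/bin/sh
# Added helper, not part of the original post. Port layout taken from the
# commands above: 2888 (quorum), 3888 (leader election), 2182 (TLS client port).
QUORUM_PORTS="2888:3888"
SECURE_CLIENT_PORT=2182

# build_zoo_servers ID IP1 IP2 ...: print the ZOO_SERVERS value for the node whose
# myid is ID. Its own entry is 0.0.0.0 (listen on all interfaces), the others carry
# the peer's address; every entry ends with ";2182" so clients must use TLS.
build_zoo_servers() {
    want_id="$1"; shift
    out=""
    n=1
    for ip in "$@"; do
        if [ "$n" -eq "$want_id" ]; then host="0.0.0.0"; else host="$ip"; fi
        entry="server.${n}=${host}:${QUORUM_PORTS};${SECURE_CLIENT_PORT}"
        out="${out}${out:+ }${entry}"
        n=$((n + 1))
    done
    printf '%s\n' "$out"
}

# check_zoo_servers ID "ZOO_SERVERS": return 0 if the server.ID entry is the
# 0.0.0.0 one, no other entry is 0.0.0.0, and every entry uses the secure client
# port; otherwise report each problem on stderr and return 1.
check_zoo_servers() {
    want_id="$1"; servers="$2"
    ok=1; found=0
    for entry in $servers; do
        idx=${entry%%=*}; idx=${idx#server.}
        rest=${entry#*=}
        host=${rest%%:*}
        cport=${rest##*;}
        if [ "$cport" != "$SECURE_CLIENT_PORT" ]; then
            echo "server.$idx: client port $cport, expected $SECURE_CLIENT_PORT" >&2; ok=0
        fi
        if [ "$idx" = "$want_id" ]; then
            found=1
            if [ "$host" != "0.0.0.0" ]; then
                echo "server.$idx: must be 0.0.0.0 on the node with myid=$want_id" >&2; ok=0
            fi
        elif [ "$host" = "0.0.0.0" ]; then
            echo "server.$idx: is 0.0.0.0 but this node has myid=$want_id" >&2; ok=0
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no server.$want_id entry for myid=$want_id" >&2; ok=0
    fi
    [ "$ok" -eq 1 ]
}

# Demo with the server list from this page; myid comes from ~/.bashrc when set.
NODE_ID="${myid:-1}"
ZOO_SERVERS=$(build_zoo_servers "$NODE_ID" 192.168.1.202 192.168.1.203 192.168.1.204)
echo "ZOO_SERVERS=$ZOO_SERVERS"
check_zoo_servers "$NODE_ID" "$ZOO_SERVERS" && echo "ZOO_SERVERS consistent with myid=$NODE_ID"
```

With the helper sourced, a single docker run command serves all three nodes by passing -e ZOO_SERVERS="$(build_zoo_servers "$myid" 192.168.1.202 192.168.1.203 192.168.1.204)" instead of the hand-edited string.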

3.3 View the logs

docker logs -f zk_${IMAGE_NAME}

4. Kafka

4.1 Modify the Kafka configuration

# Append the following to the configuration file
cat >>/myhome/kafka/config/server.properties <<EOF
zookeeper.ssl.client.enable=true
zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
zookeeper.ssl.keystore.location=/mnt/zkkeystore.jks
zookeeper.ssl.keystore.password=zkserver
zookeeper.ssl.truststore.location=/mnt/zktruststore.jks
zookeeper.ssl.truststore.password=zkclient
#zookeeper.set.acl=true
EOF

4.2 Modify the Kafka start command

# Added mounts for the cert and config directories
# Connect to ZK on port 2182 (the secureClientPort)

docker run -d --name=kafka_${IMAGE_NAME} \
--restart=always \
-p 9092:9092 \
-v /etc/localtime:/etc/localtime \
-v /myhome/kafka/data:/kafka \
-v /myhome/kafka/logs:/opt/kafka/logs \
-v /myhome/zk/cert:/mnt \
-v /myhome/kafka/config:/opt/kafka/config \
-e KAFKA_ADVERTISED_HOST_NAME=${MYIP} \
-e HOST_IP=${MYIP} \
-e KAFKA_ADVERTISED_PORT=9092 \
-e KAFKA_ZOOKEEPER_CONNECT=192.168.1.202:2182,192.168.1.203:2182,192.168.1.204:2182 \
-e KAFKA_BROKER_ID=${myid} \
wurstmeister/kafka:2.13-2.6.0
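Kafka's ZooKeeper client verifies the server hostname against the certificate by default (zookeeper.ssl.endpoint.identification.algorithm=HTTPS), so every host or IP in KAFKA_ZOOKEEPER_CONNECT must appear in the SAN extension given to keytool in step 1, and every entry must point at the secure port rather than the plaintext 2181. Added check, not part of the original post; the SAN and connect strings below are this page's values, and the helper understands only dns:/ip: SAN entries and host:port pairs (no IPv6 brackets).

```bash
#!/bin/sh
# Added check, not part of the original post. Values are the ones used on this
# page; only dns:/ip: SAN entries and host:port pairs are handled.
ZK_SAN='dns:DB-6,dns:DB-7,dns:DB-8,ip:192.168.1.202,ip:192.168.1.203,ip:192.168.1.204,ip:127.0.0.1'
ZK_CONNECT='192.168.1.202:2182,192.168.1.203:2182,192.168.1.204:2182'

# hosts_covered_by_san SAN CONNECT: return 0 if every host in CONNECT appears as a
# dns: or ip: value in SAN; otherwise list the uncovered hosts on stderr and
# return 1. With hostname verification on, an uncovered host makes the broker
# reject the ZooKeeper connection as a certificate mismatch.
hosts_covered_by_san() {
    san=$(printf '%s' "$1" | tr ',' ' ')
    connect=$(printf '%s' "$2" | tr ',' ' ')
    rc=0
    for hp in $connect; do
        host=${hp%%:*}
        covered=0
        for entry in $san; do
            if [ "${entry#*:}" = "$host" ]; then covered=1; fi
        done
        if [ "$covered" -eq 0 ]; then
            echo "host $host is not in the certificate SAN" >&2
            rc=1
        fi
    done
    return $rc
}

# all_ports_are CONNECT PORT: return 0 if every host:port entry uses PORT
# (here the secureClientPort), otherwise report the offending entries and return 1.
all_ports_are() {
    connect=$(printf '%s' "$1" | tr ',' ' ')
    want="$2"
    rc=0
    for hp in $connect; do
        if [ "${hp##*:}" != "$want" ]; then
            echo "entry $hp does not use port $want" >&2
            rc=1
        fi
    done
    return $rc
}

hosts_covered_by_san "$ZK_SAN" "$ZK_CONNECT" && echo "every ZooKeeper host is covered by the SAN"
all_ports_are "$ZK_CONNECT" 2182 && echo "every entry uses the secure client port"
```

Run it before starting the broker whenever the server list or the certificate changes; a host that fails the SAN check needs a regenerated keystore, not a change to the connect string.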

4.3 View the logs

docker logs -f kafka_${IMAGE_NAME}