SASL_PLAINTEXT认证 本人认为就是consumer连接broker开启了用户名,密码认证
acl权限控制 就是指针对用户 配置拥有哪些操作权限,如 topic的读,写,group的读,topic的创建,删除,等等都是可控制的权限
server.properties配置
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# see kafka.server.KafkaConfig for additional details and defaults
############################# Server Basics #############################
# The id of the broker. This must be set to a unique integer for each broker.
broker.id=37
############################# Socket Server Settings #############################
# The address the socket server listens on. It will get the value returned from
# java.net.InetAddress.getCanonicalHostName() if not configured.
# FORMAT:
# listeners = listener_name://host_name:port
# EXAMPLE:
# listeners = PLAINTEXT://your.host.name:9092
##listeners=SASL_PLAINTEXT://100.100.184.145:9092
# Hostname and port the broker will advertise to producers and consumers. If not set,
# it uses the value for "listeners" if configured. Otherwise, it will use the value
# returned from java.net.InetAddress.getCanonicalHostName().
inter.broker.listener.name=INTERNAL_LISTENER
listener.security.protocol.map=LOCAL_LISTENER:SASL_PLAINTEXT,INTERNAL_LISTENER:SASL_PLAINTEXT,EXTERNAL_LISTENER:SASL_PLAINTEXT
listeners=LOCAL_LISTENER://127.0.0.1:9092,INTERNAL_LISTENER://100.100.111.111:9093,EXTERNAL_LISTENER://100.100.111.111:17002
advertised.listeners=INTERNAL_LISTENER://100.100.111.111:9093,EXTERNAL_LISTENER://10.28.88.61:17002
#100.100.111.111为部署本台kafka的真实ip地址,我们可以看出来,本台kafka暴露了三个端口
#9092,9093,17002作为接收请求的端口。然后给三个端口分别定义了listenr名字以及通信协议
#advertised.listeners中EXTERNAL_LISTENER://10.28.88.61:17002表示
#EXTERNAL_LISTENER开启的端口注册到zk中元数据的地址信息,当client端首次连接
#kafka通过100.100.111.111:17002,获取元数据的时候会获取到这个地址10.28.88.61:17002,
#然后在通过元数据中的ip地址10.28.88.61:17002继续与kafka连接,所以当我们需要ngix反向代理来跟
#kafka通信的时候一般就是这么配置,10.28.88.61:17002就是ngix配置的反向代理到
#100.100.111.111:17002。此时client端配置连接的"bootstrap.servers"=10.28.88.61:17002就行
# Maps listener names to security protocols, the default is for them to be the same. See the config documentation for more details
#listener.security.protocol.map=PLAINTEXT:PLAINTEXT,SSL:SSL,SASL_PLAINTEXT:SASL_PLAINTEXT,SASL_SSL:SASL_SSL
# The number of threads that the server uses for receiving requests from the network and sending responses to the network
num.network.threads=3
# The number of threads that the server uses for processing requests, which may include disk I/O
num.io.threads=8
# The send buffer (SO_SNDBUF) used by the socket server
socket.send.buffer.bytes=102400
# The receive buffer (SO_RCVBUF) used by the socket server
socket.receive.buffer.bytes=102400
# The maximum size of a request that the socket server will accept (protection against OOM)
socket.request.max.bytes=104857600
############################# Log Basics #############################
# A comma separated list of directories under which to store log files
log.dirs=/home/whtemp/kafka/kafka-logs
# The default number of log partitions per topic. More partitions allow greater
# parallelism for consumption, but this will also result in more files across
# the brokers.
num.partitions=1
# The number of threads per data directory to be used for log recovery at startup and flushing at shutdown.
# This value is recommended to be increased for installations with data dirs located in RAID array.
num.recovery.threads.per.data.dir=1
############################# Internal Topic Settings #############################
# The replication factor for the group metadata internal topics "__consumer_offsets" and "__transaction_state"
# For anything other than development testing, a value greater than 1 is recommended to ensure availability such as 3.
offsets.topic.replication.factor=1
transaction.state.log.replication.factor=1
transaction.state.log.min.isr=1
############################# Log Flush Policy #############################
# Messages are immediately written to the filesystem but by default we only fsync() to sync
# the OS cache lazily. The following configurations control the flush of data to disk.
# There are a few important trade-offs here:
# 1. Durability: Unflushed data may be lost if you are not using replication.
# 2. Latency: Very large flush intervals may lead to latency spikes when the flush does occur as there will be a lot of data to flush.
# 3. Throughput: The flush is generally the most expensive operation, and a small flush interval may lead to excessive seeks.
# The settings below allow one to configure the flush policy to flush data after a period of time or
# every N messages (or both). This can be done globally and overridden on a per-topic basis.
# The number of messages to accept before forcing a flush of data to disk
#log.flush.interval.messages=10000
# The maximum amount of time a message can sit in a log before we force a flush
#log.flush.interval.ms=1000
############################# Log Retention Policy #############################
# The following configurations control the disposal of log segments. The policy can
# be set to delete segments after a period of time, or after a given size has accumulated.
# A segment will be deleted whenever *either* of these criteria are met. Deletion always happens
# from the end of the log.
# The minimum age of a log file to be eligible for deletion due to age
log.retention.hours=168
# A size-based retention policy for logs. Segments are pruned from the log unless the remaining
# segments drop below log.retention.bytes. Functions independently of log.retention.hours.
#log.retention.bytes=1073741824
# The maximum size of a log segment file. When this size is reached a new log segment will be created.
log.segment.bytes=1073741824
# The interval at which log segments are checked to see if they can be deleted according
# to the retention policies
log.retention.check.interval.ms=300000
############################# Zookeeper #############################
# Zookeeper connection string (see zookeeper docs for details).
# This is a comma separated host:port pairs, each corresponding to a zk
# server. e.g. "127.0.0.1:3000,127.0.0.1:3001,127.0.0.1:3002".
# You can also append an optional chroot string to the urls to specify the
# root directory for all kafka znodes.
zookeeper.connect=101.913.89.166:2128
# Timeout in ms for connecting to zookeeper
zookeeper.connection.timeout.ms=6000
############################# Group Coordinator Settings #############################
# The following configuration specifies the time, in milliseconds, that the GroupCoordinator will delay the initial consumer rebalance.
# The rebalance will be further delayed by the value of group.initial.rebalance.delay.ms as new members join the group, up to a maximum of max.poll.interval.ms.
# The default value for this is 3 seconds.
# We override this to 0 here as it makes for a better out-of-the-box experience for development and testing.
# However, in production environments the default value of 3 seconds is more suitable as this will help to avoid unnecessary, and potentially expensive, rebalances during application startup.
group.initial.rebalance.delay.ms=0
##security.inter.broker.protocol=SASL_PLAINTEXT
##security.inter.broker.protocol=INTERNAL_LISTENER
sasl.enabled.mechanisms=PLAIN
sasl.mechanism.inter.broker.protocol=PLAIN
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
allow.everyone.if.no.acl.found=false
#allow.everyone.if.no.acl.found=false的时候表示任何客户端的操作,如果发现你未配置acl权限,就不能
#访问除非给对应的consumer或者producer通过sals认证连接的时候配置了相关权限。超级管理员不受限制。
#如果配置ture了,那么如果通过sals认证连接的时候,对应的用户未配置权限也可以操作,但是连接的
#用户你配置了权限,但是此时你操作的权限不对,这时候会报权限异常
super.users=User:admin#表示超级管理员是admin
##security.protocol=INTERNAL_LISTENER
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
几个配置说明
#100.100.111.111为部署本台kafka的真实ip地址,我们可以看出来,本台kafka暴露了三个端口
#9092,9093,17002作为接收请求的端口。然后给三个端口分别定义了listenr名字以及通信协议
#advertised.listeners中EXTERNAL_LISTENER://10.28.88.61:17002表示
#EXTERNAL_LISTENER开启的端口注册到zk中元数据的地址信息,当client端首次连接
#kafka通过100.100.111.111:17002,获取元数据的时候会获取到这个地址10.28.88.61:17002,
#然后在通过元数据中的ip地址10.28.88.61:17002继续与kafka连接,所以当我们需要ngix反向代理来跟
#kafka通信的时候一般就是这么配置,10.28.88.61:17002就是ngix配置的反向代理到
#100.100.111.111:17002。此时client端配置连接的"bootstrap.servers"=10.28.88.61:17002就行
#allow.everyone.if.no.acl.found=false的时候表示任何客户端的操作,如果发现你未配置acl权限,就不能
#访问除非给对应的consumer或者producer通过sals认证连接的时候配置了相关权限。超级管理员不受限制。
#如果配置ture了,那么如果通过sals认证连接的时候,对应的用户未配置权限也可以操作,但是连接的
#用户你配置了权限,但是此时你操作的权限不对,这时候会报权限异常
kafka_server_jaas.conf 的配置
KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin" #内部通信用
password="kafka" #内部通信用
user_zsh="niubi"#用户zsh 密码niubi
user_dataflow="dataflow"
user_crawler="crawler"
user_taskcenter="taskcenter"
user_admin="kafka";#用户admin 密码kafka
};
kafka_client_jaas.conf的配置超级管理员
KafkaClient {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="kafka";
};
也可以是普通用户
KafkaClient {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="dataflow"
password="dataflow";
};
java代码自然是
//当然你也可以换成超级管理员的密码
props.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG,"SASL_PLAINTEXT");
props.put(SaslConfigs.SASL_MECHANISM, "PLAIN");
props.put("sasl.jaas.config",
"org.apache.kafka.common.security.plain.PlainLoginModule required username='dataflow' password='dataflow';");
package zktest.zktest;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.kafka.clients.admin.AdminClient;
import org.apache.kafka.clients.admin.AdminClientConfig;
import org.apache.kafka.clients.admin.DescribeAclsResult;
import org.apache.kafka.clients.admin.KafkaAdminClient;
import org.apache.kafka.common.acl.AccessControlEntry;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.acl.AclPermissionType;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.resource.ResourcePattern;
import org.apache.kafka.common.resource.ResourceType;
//import org.springframework.kafka.core.KafkaAdmin;
public class AclTest {
public static void main(String[] args) {
Map<String, Object> configs = new HashMap<>();
// broker地址,多个用逗号分割,这里用了ngix的地址,如果不需要ngix,请直接改为kafka的ip地址
configs.put(AdminClientConfig.BOOTSTRAP_SERVERS_CONFIG, "10.28.88.61:17002");
configs.put("security.protocol", "SASL_PLAINTEXT");
configs.put("sasl.mechanism", "PLAIN");
// 登录broker的账户 admin是管理员
configs.put("sasl.jaas.config",
"org.apache.kafka.common.security.scram.ScramLoginModule required username=\"admin\" password=\"kafka\";");
AdminClient adminClient = KafkaAdminClient.create(configs);
// principal:User:test2是需要赋予权限的帐号
// host:主机 (*号即可)
// operation:权限操作
// permissionType:权限类型
AccessControlEntry ace = new AccessControlEntry("User:dataflow", "*", AclOperation.READ, AclPermissionType.ALLOW);
// resourceType:资源类型(topic)
// name:topic名称
// patternType:资源模式类型
//下面的写法表示当client用sals认证的时候使用dataflow这个用户连接的时候,当使用groupid=wwaaaddfw,对topic-name17仅仅有读权限
ResourcePattern rp = new ResourcePattern(ResourceType.TOPIC, "topic-name17", PatternType.LITERAL);
ResourcePattern rp1 = new ResourcePattern(ResourceType.GROUP, "wwaaaddfw", PatternType.LITERAL);
AclBinding ab = new AclBinding(rp, ace);
AclBinding ab1 = new AclBinding(rp1, ace);
// 多个权限赋予可以传list
List<AclBinding> ablist = Arrays.asList(ab,ab1);
adminClient.createAcls(ablist);
// 可以查看赋予用户的所有权限
DescribeAclsResult b = adminClient.describeAcls(AclBindingFilter.ANY);
System.out.println(b.values());
adminClient.close();
}
}
client consumer的例子
package zktest.zktest;
import java.time.Duration;
import java.util.Arrays;
import java.util.Properties;
import org.apache.kafka.clients.CommonClientConfigs;
import org.apache.kafka.clients.consumer.Consumer;
import org.apache.kafka.clients.consumer.ConsumerConfig;
import org.apache.kafka.clients.consumer.ConsumerRecord;
import org.apache.kafka.clients.consumer.ConsumerRecords;
import org.apache.kafka.clients.consumer.KafkaConsumer;
import org.apache.kafka.common.config.SaslConfigs;
import org.apache.kafka.common.serialization.StringDeserializer;
public class HelloWorldConsumer {
public static void main(String[] args) throws InterruptedException {
Properties props = new Properties();
//这里我使用的是ngix,如果不需要ngix,请直接改为kafka的ip地址
props.put(ConsumerConfig.BOOTSTRAP_SERVERS_CONFIG, "10.28.88.61:17002");
props.put(ConsumerConfig.GROUP_ID_CONFIG ,"wwaaaddfw") ;
props.put("auto.offset.reset", "earliest");
props.put(ConsumerConfig.ENABLE_AUTO_COMMIT_CONFIG, "true");
props.put(ConsumerConfig.AUTO_COMMIT_INTERVAL_MS_CONFIG, "1000");
props.put(ConsumerConfig.KEY_DESERIALIZER_CLASS_CONFIG, StringDeserializer.class);
props.put(ConsumerConfig.VALUE_DESERIALIZER_CLASS_CONFIG, StringDeserializer.class);
//props.put("enable.auto.commit", "false");
props.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG,"SASL_PLAINTEXT");
props.put(SaslConfigs.SASL_MECHANISM, "PLAIN");
props.put(ConsumerConfig.MAX_POLL_RECORDS_CONFIG, "1");
props.put("sasl.jaas.config",
"org.apache.kafka.common.security.plain.PlainLoginModule required username='dataflow' password='dataflow';");
Consumer<String, String> consumer = new KafkaConsumer<>(props);
consumer.subscribe(Arrays.asList("topic-name17"));
while (true) {
ConsumerRecords<String, String> records = consumer.poll(10);
Thread.sleep(1000);
for (ConsumerRecord<String, String> record : records) {
System.out.println("分区:"+record.partition() +"分区offset&&"+record.offset()+"&&分区key:"+record.key());
}
}
}
}
此时consumer如果换成其他用户(admin除外)都会报认证失败