在 Ubuntu 上部署 Kafka 并开启认证,常见做法是使用 SASL + PLAIN(用户名/密码) 或 SASL + SCRAM。下面我给你一个 最常用、可落地的完整示例(SASL/PLAIN),适合 Ubuntu 20.04/22.04 + Kafka 2.x/3.x。
/opt/kafkasudo vi /opt/kafka/config/kafka_server_jaas.conf
内容:
KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret"
user_admin="admin-secret"
user_alice="alice-secret";
};
说明:
admin:broker 之间通信用户alice:普通客户端用户(示例)编辑 Kafka 启动脚本:
vi /opt/kafka/bin/kafka-server-start.sh
在文件顶部添加:
export KAFKA_OPTS="-Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf"
server.propertiesvi /opt/kafka/config/server.properties
追加或修改以下内容:
listeners=SASL_PLAINTEXT://localhost:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
super.users=User:admin
如果你需要 SSL,可改为
SASL_SSL
/opt/kafka/bin/zookeeper-server-start.sh -daemon /opt/kafka/config/zookeeper.properties
/opt/kafka/bin/kafka-server-start.sh -daemon /opt/kafka/config/server.properties
vi /opt/kafka/config/kafka_client_jaas.conf
KafkaClient {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="alice"
password="alice-secret";
};
vi /opt/kafka/config/producer.properties
bootstrap.servers=localhost:9092
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
export KAFKA_OPTS="-Djava.security.auth.login.config=/opt/kafka/config/kafka_client_jaas.conf"
/opt/kafka/bin/kafka-console-producer.sh \
--bootstrap-server localhost:9092 \
--topic test \
--producer.config /opt/kafka/config/producer.properties
/opt/kafka/bin/kafka-console-consumer.sh \
--bootstrap-server localhost:9092 \
--topic test \
--from-beginning \
--consumer.config /opt/kafka/config/producer.properties
/opt/kafka/bin/kafka-acls.sh \
--bootstrap-server localhost:9092 \
--add \
--allow-principal User:alice \
--operation Write \
--topic test
/opt/kafka/bin/kafka-acls.sh \
--bootstrap-server localhost:9092 \
--add \
--allow-principal User:alice \
--operation Read \
--group test-group
SASL authentication failedusername/password 不一致sasl.mechanism 不匹配netstat -tnlp | grep 9092
| 认证方式 | 适用场景 |
|---|---|
| SASL/PLAIN | 简单、测试、内网 |
| SASL/SCRAM | 更安全、推荐生产 |
| SSL 双向认证 | 高安全要求 |
| Kerberos (GSSAPI) | 企业 AD / Kerberos |
你可以直接告诉我:
我可以给你 完全贴合你场景的配置方案。