Setting up security in Kafka mainly involves configuring SSL/TLS encryption, SASL authentication and ACL-based access control. The detailed configuration steps follow.
Generate the broker's private key and certificate with openssl. The second command self-signs the CSR, which is fine for testing; in production, have your CA sign the CSR instead. Kafka reads the key and certificate from the JKS keystore referenced in the next step, so the PEM files produced here must be imported into that keystore (for example through a PKCS#12 file and keytool) before the broker can use them:

openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr
openssl x509 -req -in server.csr -signkey server.key -out server.crt
Set the SSL parameters in server.properties. ssl.client.auth=required enforces mutual TLS, so the broker truststore must contain the CA that issued the client certificates:

listeners=SSL://:9094
ssl.keystore.location=/path/to/kafka.server.keystore.jks
ssl.keystore.password=keystore_password
ssl.key.password=key_password
ssl.truststore.location=/path/to/kafka.server.truststore.jks
ssl.truststore.password=truststore_password
ssl.client.auth=required
ssl.enabled.protocols=TLSv1.2,TLSv1.3
On the client side (producer or consumer properties), select SSL and point at the client truststore and keystore:

security.protocol=SSL
ssl.truststore.location=/path/to/kafka.client.truststore.jks
ssl.truststore.password=truststore_password
ssl.keystore.location=/path/to/kafka.client.keystore.jks
ssl.keystore.password=keystore_password
Example kafka_server_jaas.conf. With the PLAIN mechanism, username/password are the broker's own credentials for inter-broker connections, and each user_<name> entry declares a credential the broker accepts, so both the admin and the client account must be listed here (each JAAS entry ends with "};"):

KafkaServer {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="admin"
    password="admin-secret"
    user_admin="admin-secret"
    user_client="client-secret";
};
Example kafka_client_jaas.conf:

KafkaClient {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="client"
    password="client-secret";
};
Enable SASL authentication in server.properties. The SASL_SSL listener can be added alongside the SSL listener from the previous step or replace it; PLAIN sends the password inside the TLS session, so it must only ever be enabled on a SASL_SSL listener, never on SASL_PLAINTEXT:

listeners=SASL_SSL://:9095
security.inter.broker.protocol=SASL_SSL
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN

Point the broker JVM at the JAAS configuration file before starting it (a client process sets the same property to its own kafka_client_jaas.conf):

export KAFKA_OPTS="-Djava.security.auth.login.config=/path/to/kafka_server_jaas.conf"
Enable ACL-based authorization in server.properties. The class below is the ZooKeeper-mode authorizer (deprecated in favour of kafka.security.authorizer.AclAuthorizer since Kafka 2.4); KRaft-mode clusters use org.apache.kafka.metadata.authorizer.StandardAuthorizer instead. allow.everyone.if.no.acl.found=false makes the broker deny access to any resource that has no ACL:

authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
allow.everyone.if.no.acl.found=false
Add ACL rules with the kafka-acls.sh command-line tool. The example grants user1 consumer access to topic1 with any consumer group; on a KRaft cluster, pass --bootstrap-server instead of the zookeeper.connect authorizer property:

bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:user1 --consumer --topic topic1 --group '*'
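As an added example (not part of the original page and not Kafka's own tooling), the following Python script audits a server.properties file for the settings covered by the steps above: it parses the properties format, checks that every listener uses SSL or SASL_SSL, that client certificates are required, that only TLS 1.2/1.3 are enabled, that SASL PLAIN is not served over an unencrypted listener, and that an authorizer is configured with allow.everyone.if.no.acl.found=false. The two embedded configurations are constructed samples: one deliberately weak, one matching the hardened settings above.

```python
"""Audit a Kafka server.properties for the security settings discussed above.

Added example, not part of the original page. The property names are real
Kafka broker settings; the two sample configurations at the bottom are
constructed for illustration.
"""
from typing import Dict, List

SECURE_PROTOCOLS = {"SSL", "SASL_SSL"}
WEAK_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal parser for the key=value / key:value subset of Java properties."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        if sep:
            props[key.strip()] = value.strip()
    return props


def listener_protocols(props: Dict[str, str]) -> Dict[str, str]:
    """Map each listener name to its security protocol.

    listeners=SSL://:9094,SASL_SSL://:9095 uses protocol names directly;
    listener.security.protocol.map lets custom listener names override that.
    """
    proto_map: Dict[str, str] = {}
    for pair in props.get("listener.security.protocol.map", "").split(","):
        name, sep, proto = pair.partition(":")
        if sep:
            proto_map[name.strip().upper()] = proto.strip().upper()
    result: Dict[str, str] = {}
    for entry in props.get("listeners", "").split(","):
        entry = entry.strip()
        if not entry:
            continue
        name = entry.split("://", 1)[0].upper()
        result[name] = proto_map.get(name, name)
    return result


def audit(props: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    protos = listener_protocols(props)

    if not protos:
        findings.append("no listeners configured")
    for name, proto in protos.items():
        if proto not in SECURE_PROTOCOLS:
            findings.append(f"listener {name} uses {proto}: traffic is not encrypted")

    # TLS-specific checks only make sense once an encrypted listener exists.
    if any(p in SECURE_PROTOCOLS for p in protos.values()):
        if props.get("ssl.client.auth", "none") != "required":
            findings.append("ssl.client.auth is not 'required': clients are not authenticated by certificate")
        enabled = {p.strip() for p in props.get("ssl.enabled.protocols", "").split(",") if p.strip()}
        if enabled & WEAK_TLS:
            findings.append("ssl.enabled.protocols allows " + ", ".join(sorted(enabled & WEAK_TLS)))
        for key in ("ssl.keystore.location", "ssl.truststore.location"):
            if key not in props:
                findings.append(f"{key} is missing")

    # PLAIN carries the password in the SASL exchange; only TLS protects it.
    mechs = {m.strip() for m in props.get("sasl.enabled.mechanisms", "").split(",") if m.strip()}
    if "PLAIN" in mechs and "SASL_PLAINTEXT" in protos.values():
        findings.append("SASL PLAIN on a SASL_PLAINTEXT listener sends passwords in clear text")

    inter = props.get("security.inter.broker.protocol", "PLAINTEXT").upper()
    if inter not in SECURE_PROTOCOLS:
        findings.append(f"security.inter.broker.protocol={inter}: broker-to-broker traffic is not encrypted")

    if "authorizer.class.name" not in props:
        findings.append("authorizer.class.name is not set: no ACL enforcement")
    elif props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append("allow.everyone.if.no.acl.found=true: resources without ACLs are open to everyone")
    return findings


def report(text: str) -> List[str]:
    """Parse and audit one properties file, printing the findings."""
    findings = audit(parse_properties(text))
    for line in findings or ["no findings"]:
        print("-", line)
    return findings


# Constructed sample: a broker left on defaults apart from enabling SASL PLAIN.
WEAK_CONFIG = """
listeners=PLAINTEXT://:9092,SASL_PLAINTEXT://:9093
security.inter.broker.protocol=PLAINTEXT
sasl.enabled.mechanisms=PLAIN
allow.everyone.if.no.acl.found=true
"""

# Constructed sample: the hardened settings from the steps above, combined.
HARDENED_CONFIG = """
listeners=SSL://:9094,SASL_SSL://:9095
ssl.keystore.location=/path/to/kafka.server.keystore.jks
ssl.keystore.password=keystore_password
ssl.key.password=key_password
ssl.truststore.location=/path/to/kafka.server.truststore.jks
ssl.truststore.password=truststore_password
ssl.client.auth=required
ssl.enabled.protocols=TLSv1.2,TLSv1.3
security.inter.broker.protocol=SASL_SSL
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
allow.everyone.if.no.acl.found=false
"""

if __name__ == "__main__":
    print("weak configuration:")
    report(WEAK_CONFIG)
    print("hardened configuration:")
    report(HARDENED_CONFIG)
```

Run it against a real broker's server.properties by reading the file into `report()`; the checks are deliberately conservative and flag any listener whose protocol is not SSL or SASL_SSL, including custom listener names that are not mapped in listener.security.protocol.map.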
The steps above cover the main aspects of securing Kafka: SSL/TLS encryption, SASL authentication and ACL-based access control. Together, these measures protect data in transit to and within the Kafka cluster and restrict who can read from or write to it.