在Debian系统上配置Kafka的安全认证通常涉及以下几个步骤:
mkdir -p /etc/kafka/ssl
openssl req -newkey rsa:2048 -nodes -keyout /etc/kafka/ssl/server.key -x509 -days 365 -out /etc/kafka/ssl/server.crt
openssl req -newkey rsa:2048 -nodes -keyout /etc/kafka/ssl/client.key -x509 -days 365 -out /etc/kafka/ssl/client.crt
/etc/kafka/server.properties 文件,添加或修改以下配置:# 启用SSL listeners
listeners=SSL://:9093
security.inter.broker.protocol=SSL
# SSL配置
ssl.keystore.location=/etc/kafka/ssl/server.jks
ssl.keystore.password=your_keystore_password
ssl.key.password=your_key_password
ssl.truststore.location=/etc/kafka/ssl/server.jks
ssl.truststore.password=your_truststore_password
# 启用SSL端点识别算法
ssl.enabled.protocols=TLSv1.2,TLSv1.3
ssl.cipher.suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
/etc/kafka/kafka_server_jaas.conf:KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret"
user_admin="/home/admin";
}
/etc/kafka/server.properties 文件,添加或修改以下配置:# 启用SASL listeners
sasl_ssl://:9093
security.inter.broker.protocol=SASL_SSL
# SASL配置
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret"
user_admin="/home/admin";
# 启用授权
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
allow.everyone.if.no.acl.found=true
super.users=User:admin
/etc/kafka/client.properties),添加或修改以下配置:# 启用SASL
security.protocol=SASL_SSL
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret";
完成配置后,重启Kafka服务以应用更改:
sudo systemctl restart kafka
以上步骤涵盖了在Debian系统上配置Kafka的安全认证,包括SSL/TLS和SASL。确保在生产环境中使用有效的证书和强密码,并根据需要调整配置。
