gpt4 book ai didi

ssl - 为 kafka-console-consumer 配置 SSL 和 ACL

转载 作者:太空宇宙 更新时间:2023-11-03 13:34:22 32 4
gpt4 key购买 nike

我正在按照说明 here 向我的 Confluent-3.0.1 Kafka 集群添加 SSL 安全性和 here .

在下面的 Linux 交易片段中,我用 myserverA、myserverB 和 myserverC 替换了我的服务器名称。我还隐藏了密码。这是我第一次在留言板上发帖。对于这篇文章中格式不正确的部分,我深表歉意。

我的问题:

什么 ACL 控制下面显示的获取偏移量的访问权限?我需要更改我的配置或 SSL key 吗?

非常感谢您提供的任何帮助。

我能够使用 kafka-console-producer 通过 SSL 生成数据,但无法使用 kafka-console-consumer 读取数据。我收到以下错误:

[kafka@myserverA confluent-3.0.1]$ /kafka/confluent-3.0.1/bin/kafka-console-consumer --bootstrap-server myserverA:9093 --zookeeper myserverA:2181/kafka --topic ssl-test --from-beginning --new-consumer --consumer.config /kafka/data/client/ssl/client.properties
[2017-06-27 13:11:50,462] WARN Attempt to fetch offsets for partition ssl-test-0 failed due to: Not authorized to access topics: [Topic authorization failed.] (org.apache.kafka.clients.consumer.internals.Fetcher)
[2017-06-27 13:11:50,473] WARN Error while fetching metadata with correlation id 6 : {ssl-test=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
[2017-06-27 13:11:50,476] ERROR Unknown error when running consumer: (kafka.tools.ConsoleConsumer$)
org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [ssl-test]

不清楚我的问题是出在客户端配置上,还是中间件配置上。

我的三个代理的 server.properties 文件包括以下内容:

###################### SSL Configuration ################
#
ssl.keystore.location=/kafka/data/ssl/keystore/kafka.keystore.jks
ssl.keystore.password=<hidden for this posting>
ssl.key.password=<hidden for this posting>
ssl.truststore.location=/kafka/data/ssl/truststore/kafka.truststore.jks
ssl.truststore.password=<hidden for this posting>

ssl.client.auth=requested
#ssl.cipher.suites=
ssl.enabled.protocols = TLSv1.2,TLSv1.1,TLSv1
ssl.keystore.type = JKS
ssl.truststore.type = JKS

security.inter.broker.protocol=ssl

# #### Enable ACLs ####
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
allow.everyone.if.no.acl.found=true

super.users=User:CN=myserverA,OU=NBCUniversal,O=NBCUniversal,L=NY,ST=NY,C=US;User:myserverB,OU=NBCUniversal,O=NBCUniversal,L=NY,ST=NY,C=US;User:CN=myserverC,OU=NBCUniversal,O=NBCUniversal,L=NY,ST=NY,C=US

我对 producer.config 和 consumer.config 使用相同的 client.properties。它包含以下内容:

###################### SSL Configuration ################
#
security.protocol=ssl

ssl.keystore.location=/kafka/data/client/ssl/keystore/kafka.client.keystore.jks
ssl.keystore.password=<hidden for this posting>
ssl.key.password=<hidden for this posting>
ssl.truststore.location=/kafka/data/client/ssl/truststore/kafka.client.truststore.jks
ssl.truststore.password=<hidden for this posting>

#ssl.provider=
#ssl.cipher.suites=
ssl.enabled.protocols = TLSv1.2,TLSv1.1,TLSv1
ssl.keystore.type = JKS
ssl.truststore.type = JKS

我有大量关于 ssl-test 主题的 ACL 授权。我试过:1)逗号后带空格的 SSL 域名,2)逗号后没有空格的 SSL 域名,3)代理证书的 SSL 通用名称

[root@myserverA ~]# /kafka/confluent-3.0.1/bin/kafka-acls --authorizer-properties zookeeper.connect=myserverA:2181/kafka --list --topic ssl-test
Current ACLs for resource `Topic:ssl-test`:
User:CN=Test Client,OU=Test Client Unit,O=Test Client Org,L=LA,ST=CA,C=US has Allow permission for operations: Read from hosts: *
User:CN=Test Client, OU=Test Client Unit, O=Test Client Org, L=LA, ST=CA, C=US has Allow permission for operations: Read from hosts: *
User:myserverA has Allow permission for operations: Write from hosts: *
User:myserverC has Allow permission for operations: Read from hosts: *
User:CN=myserverB,OU=NBCUniversal,O=NBCUniversal,L=NY,ST=NY,C=US has Allow permission for operations: Write from hosts: *
User:CN=myserverA,OU=NBCUniversal,O=NBCUniversal,L=NY,ST=NY,C=US has Allow permission for operations: Read from hosts: *
User:Test Client has Allow permission for operations: Read from hosts: *
User:Test Client has Allow permission for operations: Write from hosts: *
User:myserverB has Allow permission for operations: Write from hosts: *
User:CN=Test Client,OU=Test Client Unit,O=Test Client Org,L=LA,ST=CA,C=US has Allow permission for operations: Write from hosts: *
User:CN=myserverC,OU=NBCUniversal,O=NBCUniversal,L=NY,ST=NY,C=US has Allow permission for operations: Read from hosts: *
User:CN=myserverA,OU=NBCUniversal,O=NBCUniversal,L=NY,ST=NY,C=US has Allow permission for operations: Write from hosts: *
User:CN=myserverB,OU=NBCUniversal,O=NBCUniversal,L=NY,ST=NY,C=US has Allow permission for operations: Read from hosts: *
User:myserverB has Allow permission for operations: Read from hosts: *
User:myserverA has Allow permission for operations: Read from hosts: *
User:CN=Test Client, OU=Test Client Unit, O=Test Client Org, L=LA, ST=CA, C=US has Allow permission for operations: Write from hosts: *
ser:myserverC has Allow permission for operations: Write from hosts: *
ser:CN=myserverC,OU=NBCUniversal,O=NBCUniversal,L=NY,ST=NY,C=US has Allow permission for operations: Write from hosts: *

kafka-console-producer 通过 SSL 正常运行:

[kafka@myserverA confluent-3.0.1]$ bin/kafka-console-producer --broker-list myserverA:9093 --topic ssl-test --producer.config /kafka/data/client/ssl/client.properties
j
k
<Ctrl-D>

最佳答案

根据 the documentation消费者需要阅读关于主题的描述,以及需要阅读的消费者群体。选项 --consumer 可以用来方便地将所有这些设置为一次;使用他们的例子:

bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 \
--add \
--allow-principal User:Bob \
--consumer \
--topic Test-topic \
--group Group-1

关于ssl - 为 kafka-console-consumer 配置 SSL 和 ACL,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/44790700/

32 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com