Kafka: broker does not support SASL mechanisms on some listeners

I am trying to gradually enable ACLs on an existing cluster (3.1.0 bitnami helm chart), which is configured as follows:

listeners=INTERNAL://:9093,CLIENT://:9092
listener.security.protocol.map=INTERNAL:PLAINTEXT,CLIENT:PLAINTEXT
advertised.listeners=CLIENT://$(MY_POD_NAME)-k8s.dev.host.com:4430,INTERNAL://$(MY_POD_NAME).message-broker-dev-kafka-headless.message-broker-dev.svc.cluster.local:9093

kafka-k8s.dev.host.com:4430 is forwarded internally to the CLIENT listener on 9092. Currently we do TLS termination on the LB, so the CLIENT listener uses PLAINTEXT while clients connect with security.protocol=SSL:

kafkacat -b kafka-k8s.dev.host.com:4430 -X security.protocol=SSL -L

The plan is to add 2 new listeners that require SASL authentication, migrate the clients to those listeners & deprecate the existing ones. The new configuration looks like this:

listeners=INTERNAL://:9093,CLIENT://:9092,SASL_INTERNAL://:9095,SASL_CLIENT://:9094
listener.security.protocol.map=INTERNAL:PLAINTEXT,CLIENT:PLAINTEXT,SASL_INTERNAL:SASL_PLAINTEXT,SASL_CLIENT:SASL_PLAINTEXT
advertised.listeners=CLIENT://$(MY_POD_NAME)-k8s.dev.host.com:4430,INTERNAL://$(MY_POD_NAME).message-broker-dev-kafka-headless.message-broker-dev.svc.cluster.local:9093,SASL_CLIENT://$(MY_POD_NAME)-sasl-k8s.dev.host.com:4430,SASL_INTERNAL://$(MY_POD_NAME).message-broker-dev-kafka-headless.message-broker-dev.svc.cluster.local:9095
allow.everyone.if.no.acl.found=true
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
sasl.enabled.mechanisms=PLAIN,SCRAM-SHA-256,SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=PLAIN

After creating some SCRAM-SHA-512 users and applying ACLs to the existing topics, everything works fine on the SASL_INTERNAL listener, but nothing works on SASL_CLIENT:

$ kafkacat -b message-broker-dev-kafka-headless.message-broker-dev:9095 -C -t protected-topic-v1 -X security.protocol=SASL_PLAINTEXT -X sasl.mechanisms=SCRAM-SHA-512 -X sasl.username=demo-user  -X sasl.password=secret
{"userId":"1225"}
% Reached end of topic protected-topic-v1 [0] at offset 22
$ kafkacat -b kafka-sasl-k8s.dev.host.com:4430 -C -t protected-topic-v1 -X security.protocol=SASL_SSL -X sasl.mechanisms=SCRAM-SHA-512 -X sasl.username=demo-user  -X sasl.password=secret
%3|1669825033.516|FAIL|rdkafka#consumer-1| [thrd:sasl_ssl://kafka-sasl-k8s.dev.host.com:4430/bootstrap]: sasl_ssl://kafka-sasl-k8s.dev.host.com:4430/bootstrap: SASL SCRAM-SHA-512 mechanism handshake failed: Broker: Request not valid in current SASL state: broker's supported mechanisms:  (after 44ms in state AUTH_HANDSHAKE)

kafka-sasl-k8s.dev.host.com:4430 is forwarded internally to the SASL_CLIENT listener on 9094 (again with TLS termination on the LB, hence SASL_SSL instead of SASL_PLAINTEXT). Now, I am not entirely sure whether I missed something in the Kafka configuration or messed up the network configuration.

Thanks in advance.

Self-answer: it was a network problem.

kafka-sasl-k8s.dev.host.com:4430 was sending traffic to 9092, not to 9094 as expected.
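The error printed on the SASL_CLIENT attempt already pointed at this: "Request not valid in current SASL state" with an empty mechanism list is what a Kafka broker returns (ILLEGAL_SASL_STATE, error code 34) when a SaslHandshake request lands on a listener that is not a SASL listener at all, which is exactly what happens when the LB sends the connection to the PLAINTEXT port 9092. A SASL listener instead answers with error 0 (or 33, UNSUPPORTED_SASL_MECHANISM) and lists its enabled mechanisms. As an added example that is not part of the original post and not code from the Kafka or bitnami projects, the following Python script sends a raw SaslHandshake request to a host:port and classifies the answer, so a misrouted load-balancer port can be confirmed without a client library. The `listener-probe` client id, the `probe`/`classify` helper names and the sample response frames are assumptions constructed for the example; pass `tls=True` when the LB terminates TLS in front of the listener, as in the setup above.

```python
"""Probe which kind of Kafka listener a host:port really terminates on.

A SaslHandshake request that reaches a PLAINTEXT or SSL listener is answered
by the broker's normal request path with ILLEGAL_SASL_STATE (34) and an
empty mechanism list, which is the librdkafka message seen above. A SASL
listener answers NONE (0) or UNSUPPORTED_SASL_MECHANISM (33) and lists the
mechanisms it has enabled.
"""
import socket
import ssl
import struct

SASL_HANDSHAKE_API_KEY = 17      # ApiKey of SaslHandshake
SASL_HANDSHAKE_API_VERSION = 1   # v1: client continues with SaslAuthenticate
ERROR_NAMES = {0: "NONE", 33: "UNSUPPORTED_SASL_MECHANISM",
               34: "ILLEGAL_SASL_STATE", 35: "UNSUPPORTED_VERSION"}


def _kafka_string(s):
    # Kafka STRING: INT16 length followed by UTF-8 bytes.
    data = s.encode("utf-8")
    return struct.pack(">h", len(data)) + data


def build_sasl_handshake_request(mechanism, correlation_id=1, client_id="listener-probe"):
    # Request header v1 (api_key, api_version, correlation_id, client_id) + body (mechanism).
    # "listener-probe" is an assumed client id, not anything the broker requires.
    payload = struct.pack(">hhi", SASL_HANDSHAKE_API_KEY, SASL_HANDSHAKE_API_VERSION,
                          correlation_id)
    payload += _kafka_string(client_id) + _kafka_string(mechanism)
    return struct.pack(">i", len(payload)) + payload  # INT32 size framing


def build_sasl_handshake_response(correlation_id, error_code, mechanisms):
    # Only used to construct offline sample frames in the wire layout of the response.
    payload = struct.pack(">ihi", correlation_id, error_code, len(mechanisms))
    payload += b"".join(_kafka_string(m) for m in mechanisms)
    return struct.pack(">i", len(payload)) + payload


def parse_sasl_handshake_response(frame):
    """Return (correlation_id, error_code, [mechanisms]) from a size-prefixed response."""
    (size,) = struct.unpack_from(">i", frame, 0)
    if size != len(frame) - 4:
        raise ValueError("frame size %d does not match %d payload bytes" % (size, len(frame) - 4))
    corr_id, error_code, count = struct.unpack_from(">ihi", frame, 4)
    offset, mechanisms = 14, []      # 4 size + 4 correlation_id + 2 error_code + 4 count
    for _ in range(max(count, 0)):   # count is -1 for a null array
        (n,) = struct.unpack_from(">h", frame, offset)
        offset += 2
        mechanisms.append(frame[offset:offset + n].decode("utf-8"))
        offset += n
    return corr_id, error_code, mechanisms


def classify(error_code, mechanisms):
    if error_code == 34 and not mechanisms:
        return "not a SASL listener (PLAINTEXT or SSL): check the LB port mapping"
    if error_code == 0:
        return "SASL listener, mechanism accepted; enabled: " + ",".join(mechanisms)
    if error_code == 33:
        return "SASL listener, mechanism not enabled; enabled: " + ",".join(mechanisms)
    return "unexpected error %s" % ERROR_NAMES.get(error_code, error_code)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("broker closed the connection")
        buf += chunk
    return buf


def probe(host, port, mechanism="SCRAM-SHA-512", tls=False, timeout=5.0):
    """Network probe (needs a reachable broker). tls=True when the LB terminates TLS."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    try:
        sock.sendall(build_sasl_handshake_request(mechanism))
        size_bytes = _recv_exact(sock, 4)
        frame = size_bytes + _recv_exact(sock, struct.unpack(">i", size_bytes)[0])
    finally:
        sock.close()
    _, err, mechs = parse_sasl_handshake_response(frame)
    return err, mechs, classify(err, mechs)


if __name__ == "__main__":
    import sys
    # e.g. python probe.py kafka-sasl-k8s.dev.host.com 4430 --tls
    print(probe(sys.argv[1], int(sys.argv[2]), tls="--tls" in sys.argv))
```

Run it against both the LB address and the headless-service address: the address that yields "not a SASL listener" is the one whose forwarding rule points at the wrong port, while a correct SASL_CLIENT mapping reports the mechanisms from sasl.enabled.mechanisms.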
