Command not found when starting the secure zookeeper CLI to connect to the ZK server



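I have configured the ZK server to use SSL (signed certificates, truststore, keystore, modified zookeeper.properties, everything is set up and good). Zookeeper starts and listens for SSL requests on port 2182, and there are no errors in the Zookeeper and kafka server logs.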

#new properties added in kafka/config/zookeeper.properties
secureClientPort=2182
authProvider.x509=org.apache.zookeeper.server.auth.X509AuthenticationProvider
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.trustStore.location=/path/to/ssl/kafka.zookeeper.truststore.jks
ssl.trustStore.password=serversecret
ssl.keyStore.location=/path/to/ssl/kafka.zookeeper.keystore.jks
ssl.keyStore.password=serversecret
ssl.clientAuth=need

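Now, to connect to the secure zookeeper with the ZK CLI, I followed a similar approach: created a zk client certificate, signed it, and created a truststore and keystore for it. I created a properties file and tried to connect to the ZK server, but I got an error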

Command not found: Command not found /path/to/ssl/zookeeper-client.properties

$ kafka/bin/zookeeper-shell.sh localhost:2182 -zk-tls-config-file /Users/path/to/ssl/zookeeper-client.properties
Connecting to localhost:2182
ZooKeeper -server host:port cmd args
addauth scheme auth
close
.....
Command not found: Command not found /Users/path/to/ssl/zookeeper-client.properties

My zookeeper-client.properties looks like this

$cat /Users/path/to/ssl/zookeeper-client.properties
#zookeeper.connect=localhost:2182
zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
zookeeper.ssl.client.enable=true
zookeeper.ssl.protocol=TLSv1.2
zookeeper.ssl.truststore.location=/Users/path/to/ssl/kafka.zookeeper-client.truststore.jks
zookeeper.ssl.truststore.password=serversecret
zookeeper.ssl.keystore.location=/Users/path/to/ssl/kafka.zookeeper-client.keystore.jks
zookeeper.ssl.keystore.password=serversecret

Kafka server logs when ZK starts.

[2021-07-16 11:27:38,676] INFO binding to port 0.0.0.0/0.0.0.0:2181 (org.apache.zookeeper.server.NettyServerCnxnFactory)
[2021-07-16 11:27:43,760] INFO bound to port 2181 (org.apache.zookeeper.server.NettyServerCnxnFactory)
.....
[2021-07-16 11:27:43,819] INFO Using org.apache.zookeeper.server.NettyServerCnxnFactory as server connection factory (org.apache.zookeeper.server.ServerCnxnFactory)
[2021-07-16 11:27:43,819] INFO binding to port 0.0.0.0/0.0.0.0:2182 (org.apache.zookeeper.server.NettyServerCnxnFactory)
[2021-07-16 11:27:43,821] INFO bound to port 2182 (org.apache.zookeeper.server.NettyServerCnxnFactory)

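When I try to connect to port 2182 with the zk client, the server log shows no entries (probably because it cannot connect, since the command that initiates the connection fails)

I am using the kafka_2.12 release, which has zookeeper-3.5.7

What am I missing here? To me the configuration looks as expected, and the zk-cli should not throw

References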

  • https://atsc.com.sg/docs/edp/7-security/zookeeper-mutual-tls/
  • https://docs.confluent.io/platform/current/security/zk-security.html

Thanks, JE-

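I think the problem is that your CLI is being run from an older version that does not support this parameter yet. Please check your execution path and whether you are really running from the "current" version.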
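
The check the answer suggests can be scripted. The following is an added example, not part of the answer or of Kafka: it assumes that a build accepting `-zk-tls-config-file` launches the wrapper class `ZooKeeperMainWithTlsSupportForKafka` from `zookeeper-shell.sh`, while older builds launch `org.apache.zookeeper.ZooKeeperMain` directly. The function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the post): identify which Kafka build a
# zookeeper-shell.sh belongs to and whether it can parse -zk-tls-config-file.
# Assumption: TLS-aware builds launch ZooKeeperMainWithTlsSupportForKafka,
# older builds launch plain org.apache.zookeeper.ZooKeeperMain.

# Print "tls", "legacy" or "unknown" for the launcher class the script starts.
zk_shell_kind() {
    if [ ! -r "$1" ]; then
        echo unknown
    elif grep -q 'ZooKeeperMainWithTlsSupportForKafka' "$1"; then
        echo tls
    elif grep -q 'org\.apache\.zookeeper\.ZooKeeperMain' "$1"; then
        echo legacy
    else
        echo unknown
    fi
}

# Print the Kafka and ZooKeeper jar names found in <install>/libs, one per line.
zk_shell_jars() {
    libs="$(dirname "$1")/../libs"
    for jar in "$libs"/kafka_*.jar "$libs"/zookeeper-[0-9]*.jar; do
        [ -e "$jar" ] || continue
        case "$(basename "$jar" .jar)" in
            *-sources|*-javadoc|*-test*) continue ;;   # skip auxiliary jars
        esac
        basename "$jar" .jar
    done
}

# Report on the script given as $1, or on the one PATH resolves to.
# Returns 0 only when the launcher is the TLS-aware one.
check_zk_shell() {
    script=${1:-$(command -v zookeeper-shell.sh || true)}
    [ -n "$script" ] || { echo "zookeeper-shell.sh not found on PATH"; return 2; }
    kind=$(zk_shell_kind "$script")
    echo "script:   $script"
    echo "launcher: $kind"
    zk_shell_jars "$script" | sed 's/^/jar:      /'
    [ "$kind" = tls ]
}
```

Run `check_zk_shell kafka/bin/zookeeper-shell.sh` against the exact path used in the failing command; a `legacy` launcher passes the flag and the properties path to the ZooKeeper shell as a command, which matches the `Command not found` output shown in the question.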
