So, I have been trying to set up a Kafka broker and ZooKeeper on a single node with Kerberos enabled.
Most of it is based on this tutorial: https://qiita.com/visualskyrim/items/8f48ff107232f0befa5a
System: Ubuntu 18.04. Setup: one ZooKeeper instance and one Kafka broker process in one EC2 box, and the KDC in another EC2 box. Both are in the same security group, which has port UDP 88 open.
Here is what I have done so far.
- Downloaded the Kafka broker from here: https://kafka.apache.org/downloads
- Created the KDC and generated the keytab correctly (verified via kinit -t). Then defined the krb5_config file and a host entry for the KDC in the /etc/hosts file
- Created two JAAS configs
cat zookeeper_jaas.conf
Server {
  com.sun.security.auth.module.Krb5LoginModule required debug=true
  useKeyTab=true
  keyTab="/etc/kafka/zookeeper.keytab"
  storeKey=true
  useTicketCache=false
  principal="zookeeper";
};
cat /etc/kafka/kafka_jaas.conf
KafkaServer {
  com.sun.security.auth.module.Krb5LoginModule required debug=true
  useKeyTab=true
  useTicketCache=false
  storeKey=true
  keyTab="/etc/kafka/kafka.keytab"
  principal="kafka";
};
Client {
  com.sun.security.auth.module.Krb5LoginModule required debug=true
  useKeyTab=true
  storeKey=true
  useTicketCache=false
  keyTab="/etc/kafka/kafka.keytab"
  principal="kafka";
};
- Added some lines to the Kafka broker configs
The config/zookeeper file got these extra lines
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
config/server.properties (the broker's config file) got these extra lines
listeners=SASL_PLAINTEXT://kafka.com:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.enabled.mechanism=GSSAPI
sasl.kerberos.service.name=kafka
In one screen session I do
export KAFKA_OPTS="-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/etc/kafka/zookeeper_jaas.conf -Dsun.security.krb5.debug=true"
and then run
bin/zookeeper-server-start.sh config/zookeeper.properties
This runs correctly and ZooKeeper starts.
In another screen session I do
export KAFKA_OPTS="-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/etc/kafka/kafka_jaas.conf -Dsun.security.krb5.debug=true"
and then run
bin/kafka-server-start.sh config/server.properties
But this one fails with
[2020-02-27 22:56:04,724] ERROR SASL authentication failed using login context 'Client' with
exception: {} (org.apache.zookeeper.client.ZooKeeperSaslClient)
javax.security.sasl.SaslException: Error in authenticating with a Zookeeper Quorum member:
the quorum member's saslToken is null.
at org.apache.zookeeper.client.ZooKeeperSaslClient.createSaslToken(ZooKeeperSaslClient.java:279)
at org.apache.zookeeper.client.ZooKeeperSaslClient.respondToServer(ZooKeeperSaslClient.java:242)
at org.apache.zookeeper.ClientCnxn$SendThread.readResponse(ClientCnxn.java:805)
at org.apache.zookeeper.ClientCnxnSocketNIO.doIO(ClientCnxnSocketNIO.java:94)
at org.apache.zookeeper.ClientCnxnSocketNIO.doTransport(ClientCnxnSocketNIO.java:366)
at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1141)
[2020-02-27 22:56:04,726] ERROR [ZooKeeperClient Kafka server] Auth failed.
(kafka.zookeeper.ZooKeeperClient)
[2020-02-27 22:56:04,842] ERROR Fatal error during KafkaServer startup. Prepare to shutdown
(kafka.server.KafkaServer)
org.apache.zookeeper.KeeperException$AuthFailedException: KeeperErrorCode = AuthFailed for
/consumers
at org.apache.zookeeper.KeeperException.create(KeeperException.java:126)
at org.apache.zookeeper.KeeperException.create(KeeperException.java:54)
at kafka.zookeeper.AsyncResponse.maybeThrow(ZooKeeperClient.scala:560)
at kafka.zk.KafkaZkClient.createRecursive(KafkaZkClient.scala:1610)
at kafka.zk.KafkaZkClient.makeSurePersistentPathExists(KafkaZkClient.scala:1532)
at kafka.zk.KafkaZkClient.$anonfun$createTopLevelPaths$1(KafkaZkClient.scala:1524)
at kafka.zk.KafkaZkClient.$anonfun$createTopLevelPaths$1$adapted(KafkaZkClient.scala:1524)
at scala.collection.immutable.List.foreach(List.scala:392)
at kafka.zk.KafkaZkClient.createTopLevelPaths(KafkaZkClient.scala:1524)
at kafka.server.KafkaServer.initZkClient(KafkaServer.scala:388)
at kafka.server.KafkaServer.startup(KafkaServer.scala:207)
at kafka.server.KafkaServerStartable.startup(KafkaServerStartable.scala:38)
at kafka.Kafka$.main(Kafka.scala:84)
at kafka.Kafka.main(Kafka.scala)
I also enabled Kerberos debug logging.
Here is the Kerberos credentials log
DEBUG: ----Credentials----
client: kafka@VISUALSKYRIM
server: zookeeper/localhost@VISUALSKYRIM
ticket: sname: zookeeper/localhost@VISUALSKYRIM
endTime: 15881662000
----Credentials end----
This means the Client JAAS config is somehow the problem, which originates from this line of code: https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/main/java/org/apache/zookeeper/client/ZooKeeperSaslClient.java#L310, but I can't for the life of me figure out why. I compared it with the documentation and https://docs.confluent.io/2.0.0/kafka/sasl.html and it looks like I'm doing it right. So what is it?
Can anyone help me? Thanks
It turns out Kafka implicitly assumes that the ZooKeeper principal is
zookeeper/localhost
To make progress, I
- created the zookeeper/localhost principal in the KDC
- created a keytab for it named zookeeper-server.keytab
and updated the ZooKeeper JAAS config to
Server {
  com.sun.security.auth.module.Krb5LoginModule required debug=true
  useKeyTab=true
  keyTab="/etc/kafka/zookeeper-server.keytab"
  storeKey=true
  useTicketCache=false
  principal="zookeeper/localhost";
};
This error no longer shows up now.
The Kafka producer seems to be picking up the SPN based on my /etc/hosts config
# Replace the Kerberos KDC server IP with the appropriate IP addresses
172.31.40.220 kerberos.com
127.0.0.1 localhost
Maybe try looking at KAFKA_HOME/config/server.properties and changing the default localhost in
zookeeper.connect=localhost:2181
to your-host,
because the principal does not match. Example:
cname zk/myhost@REALM.MY
sname zookeeper/localhost@REALM.MY
I also used the EXTRA_ARGS option -Dzookeeper.sasl.client.username=zk, as described in the docs.
It worked for me. It seems the code [1], [2] that should handle this ignores it and uses this property instead.
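To make the principal matching that both answers rely on concrete, here is an added Python checker (not from the question or either answer) that derives the ZooKeeper SPN a Kafka broker will request from zookeeper.connect plus the optional -Dzookeeper.sasl.client.username in KAFKA_OPTS, and compares it with the principal declared in the ZooKeeper JAAS Server section. It assumes the host is taken as written in zookeeper.connect, as the answers describe, and the config file contents are constructed samples modelled on the question.

```python
import re

# Constructed sample inputs modelled on the question's setup (not the real files).
SERVER_PROPERTIES_BROKEN = "listeners=SASL_PLAINTEXT://kafka.com:9092\nzookeeper.connect=localhost:2181\n"
JAAS_BROKEN = 'Server {\n  com.sun.security.auth.module.Krb5LoginModule required\n  useKeyTab=true\n  principal="zookeeper";\n};\n'
JAAS_FIXED = JAAS_BROKEN.replace('principal="zookeeper"', 'principal="zookeeper/localhost@VISUALSKYRIM"')

def zk_hosts(server_properties):
    """Host names from zookeeper.connect, dropping ports and the optional chroot path."""
    m = re.search(r"^zookeeper\.connect=(.+)$", server_properties, re.M)
    if not m:
        raise ValueError("zookeeper.connect is not set")
    hosts = m.group(1).strip().split("/", 1)[0]
    return [entry.split(":")[0] for entry in hosts.split(",") if entry]

def sasl_client_username(kafka_opts):
    """Service part of the SPN the ZK client requests; 'zookeeper' unless overridden via the JVM property."""
    m = re.search(r"-Dzookeeper\.sasl\.client\.username=(\S+)", kafka_opts)
    return m.group(1) if m else "zookeeper"

def requested_spns(server_properties, kafka_opts=""):
    """SPNs (service/host, realm omitted) the broker asks the KDC for, one per ZK host."""
    service = sasl_client_username(kafka_opts)
    return sorted(f"{service}/{host}" for host in zk_hosts(server_properties))

def jaas_principal(jaas_conf, section="Server"):
    """Principal declared in a JAAS section, with any @REALM suffix stripped."""
    block = re.search(r"\b" + re.escape(section) + r"\s*\{(.*?)\};", jaas_conf, re.S)
    if not block:
        raise ValueError(f"no {section} section in JAAS config")
    m = re.search(r'principal\s*=\s*"([^"]+)"', block.group(1))
    if not m:
        raise ValueError(f"{section} section has no principal")
    return m.group(1).split("@", 1)[0]

def unserved_spns(server_properties, zookeeper_jaas, kafka_opts=""):
    """SPNs the broker will request that this ZK node's Server principal does not match.
    A non-empty result is the mismatch the answers describe (the ZK server cannot
    accept a ticket issued for a different service principal)."""
    served = jaas_principal(zookeeper_jaas)
    return [spn for spn in requested_spns(server_properties, kafka_opts) if spn != served]

if __name__ == "__main__":
    print("before fix:", unserved_spns(SERVER_PROPERTIES_BROKEN, JAAS_BROKEN))
    print("after fix: ", unserved_spns(SERVER_PROPERTIES_BROKEN, JAAS_FIXED))
```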