Kafka 4.0 SCRAM认证 集群搭建_kafka 4.0 sasl安装
服务器
软件版本
软件下载
略
软件安装
java,kafka都只需解压,解压后重命名一下
软件配置
系统相关配置
# 分别在三台机器上执行 echo \"192.168.12.101 test01\" >> /etc/hostsecho \"192.168.12.102 test02\" >> /etc/hostsecho \"192.168.12.103 test03\" >> /etc/hostsjava配置
# 分别在三台机器上执行 echo \"export JAVA_HOME=/opt/program/jdk\" >> /etc/profileecho \"export PATH=$PATH:$JAVA_HOME/bin\" >> /etc/profile source /etc/profileKafka Controller配置
在test01上配置/opt/program/kafkac/config/server-plain.properties
node.id=1process.roles=controllercontroller.quorum.voters=1@192.168.12.101:9093,2@192.168.12.102:9093,3@192.168.12.103:9093listeners=CONTROLLER://:9093advertised.listeners=CONTROLLER://192.168.12.101:9093listener.security.protocol.map=CONTROLLER:SASL_PLAINTEXTcontroller.listener.names=CONTROLLER sasl.enabled.mechanisms=PLAINsasl.mechanism.controller.protocol=PLAIN super.users=User:adminallow.everyone.if.no.acl.found=trueauthorizer.class.name=org.apache.kafka.metadata.authorizer.StandardAuthorizerlog.dirs=/opt/program/kafkac/data在test02上配置/opt/program/kafkac/config/server-plain.properties
node.id=2process.roles=controllercontroller.quorum.voters=1@192.168.12.101:9093,2@192.168.12.102:9093,3@192.168.12.103:9093listeners=CONTROLLER://:9093advertised.listeners=CONTROLLER://192.168.12.102:9093listener.security.protocol.map=CONTROLLER:SASL_PLAINTEXTcontroller.listener.names=CONTROLLER sasl.enabled.mechanisms=PLAINsasl.mechanism.controller.protocol=PLAIN super.users=User:adminallow.everyone.if.no.acl.found=trueauthorizer.class.name=org.apache.kafka.metadata.authorizer.StandardAuthorizerlog.dirs=/opt/program/kafkac/data在test03上配置/opt/program/kafkac/config/server-plain.properties
node.id=3process.roles=controllercontroller.quorum.voters=1@192.168.12.101:9093,2@192.168.12.102:9093,3@192.168.12.103:9093listeners=CONTROLLER://:9093advertised.listeners=CONTROLLER://192.168.12.103:9093listener.security.protocol.map=CONTROLLER:SASL_PLAINTEXTcontroller.listener.names=CONTROLLER sasl.enabled.mechanisms=PLAINsasl.mechanism.controller.protocol=PLAIN super.users=User:adminallow.everyone.if.no.acl.found=trueauthorizer.class.name=org.apache.kafka.metadata.authorizer.StandardAuthorizerlog.dirs=/opt/program/kafkac/data在test01、test02、test03上配置/opt/program/kafkac/config/jaas-plain.conf
KafkaServer { org.apache.kafka.common.security.plain.PlainLoginModule required serviceName=\"kafka\" username=\"admin\" password=\"abc123456\" user_admin=\"abc123456\";}; KafkaClient { org.apache.kafka.common.security.plain.PlainLoginModule required username=\"admin\" password=\"abc123456\" user_admin=\"abc123456\";};在test01、test02、test03上配置/opt/program/kafkac/bin/kafka-server-start-plain.sh
cd /opt/program/kafkacrm -f bin/kafka-server-start-plain.shcp bin/kafka-server-start.sh bin/kafka-server-start-plain.shsed -i \'16i export KAFKA_OPTS=\" -Djava.security.auth.login.config=/opt/program/kafkac/config/jaas-plain.conf \" $KAFKA_OPTS\' bin/kafka-server-start-plain.shKafka Broker配置
在test01上配置/opt/program/kafkab/config/server-plain.properties
node.id=4process.roles=brokercontroller.quorum.voters=1@192.168.12.101:9093,2@192.168.12.102:9093,3@192.168.12.103:9093listeners=BROKER://:9092advertised.listeners=BROKER://192.168.12.101:9092 listener.security.protocol.map=BROKER:SASL_PLAINTEXT,CONTROLLER:SASL_PLAINTEXTinter.broker.listener.name=BROKERcontroller.listener.names=CONTROLLER sasl.enabled.mechanisms=PLAINsasl.mechanism.inter.broker.protocol=PLAINsasl.mechanism.controller.protocol=PLAIN super.users=User:adminallow.everyone.if.no.acl.found=trueauthorizer.class.name=org.apache.kafka.metadata.authorizer.StandardAuthorizer log.dirs=/opt/program/kafkab/data在test01上配置/opt/program/kafkab/config/jaas-plain.conf
KafkaServer { org.apache.kafka.common.security.plain.PlainLoginModule required serviceName=\"kafka\" username=\"admin\" password=\"abc123456\" user_admin=\"abc123456\";}; KafkaClient { org.apache.kafka.common.security.plain.PlainLoginModule required username=\"admin\" password=\"abc123456\" user_admin=\"abc123456\";};在test01上配置/opt/program/kafkab/config/sasl-plain.conf
security.protocol=SASL_PLAINTEXTsasl.mechanism=PLAINsasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username=\"admin\" password=\"abc123456\";在test01上配置/opt/program/kafkab/bin/kafka-server-start-plain.sh
cd /opt/program/kafkabrm -f bin/kafka-server-start-plain.shcp bin/kafka-server-start.sh bin/kafka-server-start-plain.shsed -i \'16i export KAFKA_OPTS=\" -Djava.security.auth.login.config=/opt/program/kafkab/config/jaas-plain.conf \" $KAFKA_OPTS\' bin/kafka-server-start-plain.sh在test01上配置/opt/program/kafkab/config/server-scram.properties
node.id=4process.roles=brokercontroller.quorum.voters=1@192.168.12.101:9093,2@192.168.12.102:9093,3@192.168.12.103:9093listeners=BROKER://:9092advertised.listeners=BROKER://192.168.12.101:9092 listener.security.protocol.map=BROKER:SASL_PLAINTEXT,CONTROLLER:SASL_PLAINTEXTinter.broker.listener.name=BROKERcontroller.listener.names=CONTROLLER sasl.enabled.mechanisms=SCRAM-SHA-512sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512sasl.mechanism.controller.protocol=PLAIN super.users=User:adminallow.everyone.if.no.acl.found=trueauthorizer.class.name=org.apache.kafka.metadata.authorizer.StandardAuthorizer log.dirs=/opt/program/kafkab/data在test02上配置/opt/program/kafkab/config/server-scram.properties
node.id=5process.roles=brokercontroller.quorum.voters=1@192.168.12.101:9093,2@192.168.12.102:9093,3@192.168.12.103:9093listeners=BROKER://:9092advertised.listeners=BROKER://192.168.12.102:9092 listener.security.protocol.map=BROKER:SASL_PLAINTEXT,CONTROLLER:SASL_PLAINTEXTinter.broker.listener.name=BROKERcontroller.listener.names=CONTROLLER sasl.enabled.mechanisms=SCRAM-SHA-512sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512sasl.mechanism.controller.protocol=PLAIN super.users=User:adminallow.everyone.if.no.acl.found=trueauthorizer.class.name=org.apache.kafka.metadata.authorizer.StandardAuthorizer log.dirs=/opt/program/kafkab/data在test03上配置/opt/program/kafkab/config/server-scram.properties
node.id=6process.roles=brokercontroller.quorum.voters=1@192.168.12.101:9093,2@192.168.12.102:9093,3@192.168.12.103:9093listeners=BROKER://:9092advertised.listeners=BROKER://192.168.12.103:9092 listener.security.protocol.map=BROKER:SASL_PLAINTEXT,CONTROLLER:SASL_PLAINTEXTinter.broker.listener.name=BROKERcontroller.listener.names=CONTROLLER sasl.enabled.mechanisms=SCRAM-SHA-512sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512sasl.mechanism.controller.protocol=PLAIN super.users=User:adminallow.everyone.if.no.acl.found=trueauthorizer.class.name=org.apache.kafka.metadata.authorizer.StandardAuthorizer log.dirs=/opt/program/kafkab/data在test01、test02、test03上配置/opt/program/kafkab/config/jaas-scram.conf
KafkaServer { org.apache.kafka.common.security.scram.ScramLoginModule required serviceName=\"kafka\" username=\"admin\" password=\"abc123456\" user_admin=\"abc123456\";}; KafkaClient { org.apache.kafka.common.security.plain.PlainLoginModule required username=\"admin\" password=\"abc123456\" user_admin=\"abc123456\";};在test01、test02、test03上配置/opt/program/kafkab/bin/kafka-server-start-scram.sh
cd /opt/program/kafkabrm -f bin/kafka-server-start-scram.shcp bin/kafka-server-start.sh bin/kafka-server-start-scram.shsed -i \'16i export KAFKA_OPTS=\" -Djava.security.auth.login.config=/opt/program/kafkab/config/jaas-scram.conf \" $KAFKA_OPTS\' bin/kafka-server-start-scram.sh在test01上配置/opt/program/kafkab/config/sasl-scram.conf
security.protocol=SASL_PLAINTEXTsasl.mechanism=SCRAM-SHA-512sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username=\"admin\" password=\"abc123456\";软件启动
格式化数据目录
# 在三台服务器的Controller目录中执行cd /opt/program/kafkac# 格式化raft数据目录,test是集群名称,随意bin/kafka-storage.sh format -t test -c config/server-plain.properties启动Controller
# 在三台服务器的Controller目录中执行cd /opt/program/kafkac# 启动Controllerbin/kafka-server-start-plain.sh -daemon config/server-plain.properties创建SCRAM认证的管理员账号
# 在test01上执行cd /opt/program/kafkab# 格式化数据目录bin/kafka-storage.sh format -t test -c config/server-plain.properties# 启动brokerbin/kafka-server-start-plain.sh -daemon config/server-plain.properties# 查看日志目录tail -10 logs/server.log# 日志最后会显示Kafka Server started# 等服务启动后,创建管理员账号bin/kafka-configs.sh --bootstrap-server 172.21.12.203:9092 --command-config config/sasl-plain.conf \\--alter --entity-type users \\--entity-name admin --add-config \'SCRAM-SHA-512=[password=abc123456]\'# 查看已经创建的账号bin/kafka-configs.sh --bootstrap-server 172.21.12.203:9092 --command-config config/sasl-plain.conf \\--describe --entity-type users # 停止这个进程ps -ef |grep java |grep kafkab |awk \'{print \"kill -9 \"$2}\' | sh启动Broker
# 在三台服务器的Broker目录中执行cd /opt/program/kafkab# 在test02和test03上执行# 格式化raft数据目录,test是集群名称是前面启动Controller的集群名称bin/kafka-storage.sh format -t test -c config/server-scram.properties# 在三台服务器上执行,启动Brokerbin/kafka-server-start-scram.sh -daemon config/server-scram.properties# 查看日志tail -100f logs/server.log集群验证
创建topic
# 在test01中操作 # 创建topicbin/kafka-topics.sh --bootstrap-server 192.168.12.101:9092 --command-config config/sasl-scram.conf --create --partitions 3 --replication-factor 3 --topic test1 # 查看topicbin/kafka-topics.sh --bootstrap-server 192.168.12.101:9092 --command-config config/sasl-scram.conf --describe --topic test1创建账号
# 在test01中操作 # 创建生产者用户bin/kafka-configs.sh --bootstrap-server 192.168.12.101:9092 --command-config config/sasl-scram.conf \\--alter --entity-type users \\--entity-name producer --add-config \'SCRAM-SHA-512=[password=abc123456]\' # 创建消费者用户bin/kafka-configs.sh --bootstrap-server 192.168.12.101:9092 --command-config config/sasl-scram.conf \\--alter --entity-type users \\--entity-name consumer --add-config \'SCRAM-SHA-512=[password=abc123456]\'授权
# 在test01中操作 # 授予producer权限bin/kafka-acls.sh --bootstrap-server 192.168.12.101:9092 --command-config config/sasl-scram.conf \\--add --allow-principal User:producer --producer --topic test1 # 授予consumer权限bin/kafka-acls.sh --bootstrap-server 192.168.12.101:9092 --command-config config/sasl-scram.conf \\--add --allow-principal User:consumer --consumer --topic test1 --group test1生产数据
# 在test01中操作 # 配置认证配置> config/sasl-scram-producer.confcat > config/sasl-scram-producer.conf << EOFsecurity.protocol=SASL_PLAINTEXTsasl.mechanism=SCRAM-SHA-512sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username=\"producer\" password=\"abc123456\";EOF # 生产数据bin/kafka-console-producer.sh --bootstrap-server 192.168.12.101:9092 --producer.config config/sasl-scram-producer.conf --topic test1消费数据
# 在test01中操作 # 创建认证配置> config/sasl-scram-consumer.confcat > config/sasl-scram-consumer.conf << EOFsecurity.protocol=SASL_PLAINTEXTsasl.mechanism=SCRAM-SHA-512sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username=\"consumer\" password=\"abc123456\";EOF # 消费数据bin/kafka-console-consumer.sh --bootstrap-server 192.168.12.101:9092 --consumer.config config/sasl-scram-consumer.conf --topic test1 --group test1 --from-beginning在生产者的窗口随意输入字符,会在消费者窗口中打印出来,说明运行正常
