我将按照此处和此处的说明向我的confluent-3.0.1 kafka集群添加ssl安全性。
在下面的linux事务片段中,我用myservera、myserverb和myserverc替换了我的服务器名。我还隐藏了密码。这是我第一次在留言板上发帖。我为这篇文章的任何格式错误的部分道歉。
我的问题:
什么acl控制下面显示的获取偏移量的访问?我需要更改配置或ssl密钥吗?
非常感谢您能提供的任何帮助。
我能够通过ssl使用kafka控制台生产者生成数据,但是不能使用kafka控制台消费者读取数据。我收到以下错误:
[kafka@myserverA confluent-3.0.1]$ /kafka/confluent-3.0.1/bin/kafka-console-consumer --bootstrap-server myserverA:9093 --zookeeper myserverA:2181/kafka --topic ssl-test --from-beginning --new-consumer --consumer.config /kafka/data/client/ssl/client.properties
[2017-06-27 13:11:50,462] WARN Attempt to fetch offsets for partition ssl-test-0 failed due to: Not authorized to access topics: [Topic authorization failed.] (org.apache.kafka.clients.consumer.internals.Fetcher)
[2017-06-27 13:11:50,473] WARN Error while fetching metadata with correlation id 6 : {ssl-test=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
[2017-06-27 13:11:50,476] ERROR Unknown error when running consumer: (kafka.tools.ConsoleConsumer$)
org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [ssl-test]不清楚我的问题是在客户机配置中,还是在代理间配置中。
我的三个代理上的server.properties文件都包含以下内容:
###################### SSL Configuration ################
#
ssl.keystore.location=/kafka/data/ssl/keystore/kafka.keystore.jks
ssl.keystore.password=<hidden for this posting>
ssl.key.password=<hidden for this posting>
ssl.truststore.location=/kafka/data/ssl/truststore/kafka.truststore.jks
ssl.truststore.password=<hidden for this posting>
ssl.client.auth=requested
# ssl.cipher.suites=
ssl.enabled.protocols = TLSv1.2,TLSv1.1,TLSv1
ssl.keystore.type = JKS
ssl.truststore.type = JKS
security.inter.broker.protocol=ssl
# #### Enable ACLs ####
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
allow.everyone.if.no.acl.found=true
super.users=User:CN=myserverA,OU=NBCUniversal,O=NBCUniversal,L=NY,ST=NY,C=US;User:myserverB,OU=NBCUniversal,O=NBCUniversal,L=NY,ST=NY,C=US;User:CN=myserverC,OU=NBCUniversal,O=NBCUniversal,L=NY,ST=NY,C=US我对producer.config和consumer.config使用相同的client.properties。它包含以下内容:
###################### SSL Configuration ################
#
security.protocol=ssl
ssl.keystore.location=/kafka/data/client/ssl/keystore/kafka.client.keystore.jks
ssl.keystore.password=<hidden for this posting>
ssl.key.password=<hidden for this posting>
ssl.truststore.location=/kafka/data/client/ssl/truststore/kafka.client.truststore.jks
ssl.truststore.password=<hidden for this posting>
# ssl.provider=
# ssl.cipher.suites=
ssl.enabled.protocols = TLSv1.2,TLSv1.1,TLSv1
ssl.keystore.type = JKS
ssl.truststore.type = JKS我在ssl测试主题上有大量acl授权。我尝试过:1)在逗号后带有空格的ssl dnames,2)在逗号后没有空格的ssl dnames,3)代理证书的ssl公共名称
[root@myserverA ~]# /kafka/confluent-3.0.1/bin/kafka-acls --authorizer-properties zookeeper.connect=myserverA:2181/kafka --list --topic ssl-test
Current ACLs for resource `Topic:ssl-test`:
User:CN=Test Client,OU=Test Client Unit,O=Test Client Org,L=LA,ST=CA,C=US has Allow permission for operations: Read from hosts: *
User:CN=Test Client, OU=Test Client Unit, O=Test Client Org, L=LA, ST=CA, C=US has Allow permission for operations: Read from hosts: *
User:myserverA has Allow permission for operations: Write from hosts: *
User:myserverC has Allow permission for operations: Read from hosts: *
User:CN=myserverB,OU=NBCUniversal,O=NBCUniversal,L=NY,ST=NY,C=US has Allow permission for operations: Write from hosts: *
User:CN=myserverA,OU=NBCUniversal,O=NBCUniversal,L=NY,ST=NY,C=US has Allow permission for operations: Read from hosts: *
User:Test Client has Allow permission for operations: Read from hosts: *
User:Test Client has Allow permission for operations: Write from hosts: *
User:myserverB has Allow permission for operations: Write from hosts: *
User:CN=Test Client,OU=Test Client Unit,O=Test Client Org,L=LA,ST=CA,C=US has Allow permission for operations: Write from hosts: *
User:CN=myserverC,OU=NBCUniversal,O=NBCUniversal,L=NY,ST=NY,C=US has Allow permission for operations: Read from hosts: *
User:CN=myserverA,OU=NBCUniversal,O=NBCUniversal,L=NY,ST=NY,C=US has Allow permission for operations: Write from hosts: *
User:CN=myserverB,OU=NBCUniversal,O=NBCUniversal,L=NY,ST=NY,C=US has Allow permission for operations: Read from hosts: *
User:myserverB has Allow permission for operations: Read from hosts: *
User:myserverA has Allow permission for operations: Read from hosts: *
User:CN=Test Client, OU=Test Client Unit, O=Test Client Org, L=LA, ST=CA, C=US has Allow permission for operations: Write from hosts: *
ser:myserverC has Allow permission for operations: Write from hosts: *
ser:CN=myserverC,OU=NBCUniversal,O=NBCUniversal,L=NY,ST=NY,C=US has Allow permission for operations: Write from hosts: *kafka控制台生成器通常通过ssl运行:
[kafka@myserverA confluent-3.0.1]$ bin/kafka-console-producer --broker-list myserverA:9093 --topic ssl-test --producer.config /kafka/data/client/ssl/client.properties
j
k
<Ctrl-D>
2条答案
按热度按时间drnojrws1#
我的kafka ssl配置中存在多个问题。但是,运行kafka console consumer时出现显式错误“warn attempt to fetch offsets for partition ssl-test-0 failed…”,原因是kafka节点b和c的信任库中未包含客户端证书。
dtcbnfnu2#
根据文档,消费者需要阅读和描述主题,以及需要阅读的消费者群体。选择
--consumer可以方便地将所有这些设置为一次;以他们为例: