我有裸金属Kafka集群与客户端和代理之间的sasl_plaintext授权。
export USERNAME="test-app"
export PASSWORD="password"
export TOPIC="test-app-logs"
export CONSUMER_GROUP="test-app-consumer-group"
我创建了主题test-app-logs
,在jaas.conf
中创建了用户test-app
,设置了ACL。以下是它们:
$ bin/kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-properties zookeeper.connect=zookeeper:2181 --list --topic $TOPIC
Current ACLs for resource `Topic:LITERAL:test-app-logs`:
User:test-app has Allow permission for operations: Read from hosts: *
User:test-app has Allow permission for operations: Describe from hosts: *
User:test-app has Allow permission for operations: All from hosts: *
User:test-app has Allow permission for operations: Write from hosts: *
$ bin/kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-properties zookeeper.connect=zookeeper:2181 --list --group $CONSUMER_GROUP
Current ACLs for resource `Group:LITERAL:test-app-consumer-group`:
User:test-app has Allow permission for operations: Read from hosts: *
User:test-app has Allow permission for operations: Describe from hosts: *
User:test-app has Allow permission for operations: All from hosts: *
现在我想产生一些消息,然后消费它。
这和预期的一样。
echo "hello" | /opt/kafka/bin/kafka-console-producer.sh \
--broker-list localhost:9092 \
--topic $TOPIC \
--producer-property security.protocol=sasl_plaintext \
--producer-property sasl.mechanism=PLAIN \
--producer-property sasl.jaas.config="org.apache.kafka.common.security.plain.PlainLoginModule required username='$USERNAME' password='$PASSWORD';"
这不起作用:
bin/kafka-console-consumer.sh --from-beginning \
--bootstrap-server localhost:9092 \
--group $CONSUMER_GROUP \
--topic $TOPIC \
--consumer-property security.protocol=sasl_plaintext \
--consumer-property sasl.mechanism=PLAIN \
--consumer-property sasl.jaas.config="org.apache.kafka.common.security.plain.PlainLoginModule required username='$USERNAME' password='$PASSWORD';"
问题是我不能使用group.id test-app-consumer-group
主题,因为错误:
org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to access group: test-app-consumer-group
我仍然可以使用分区而不是组,这很好:
bin/kafka-console-consumer.sh --from-beginning \
--bootstrap-server localhost:9092 \
--topic $TOPIC \
--consumer-property security.protocol=sasl_plaintext \
--consumer-property sasl.mechanism=PLAIN \
--consumer-property sasl.jaas.config="org.apache.kafka.common.security.plain.PlainLoginModule required username='$USERNAME' password='$PASSWORD';" \
--partition 0
我做错了什么?要在新主题中生成和使用消息,我应该正确配置ACL?
Kafka version: 2.4.1
Kafka commitId: c57222ae8cd7866b
1条答案
按热度按时间yyhrrdl81#
根据所描述的错误,手动分区分配可以工作,而添加消费者组不能,那么这将把问题隔离到
__consumer_offsets
主题的授权。类似地,对于生产者,您需要将控件添加到
__transaction_state
主题。其他流程也使用其他内部主题,但这些是默认值。