Configuring Kafka's security settings on Linux covers the following areas:

1. SASL authentication

Create kafka_server_jaas.conf and kafka_client_jaas.conf under /etc/kafka and configure the usernames and passwords in them. Each login section must be terminated with `};`. For the PLAIN mechanism the broker accepts only the credentials listed as `user_<name>` entries in its own KafkaServer section, so the client account used below has to appear there as well.

kafka_server_jaas.conf:

```text
KafkaServer {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="admin"
    password="admin-secret"
    user_admin="admin-secret"
    user_client="client-secret";
};
```

kafka_client_jaas.conf:

```text
KafkaClient {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="client"
    password="client-secret";
};
```

Add the -Djava.security.auth.login.config JVM parameter so the broker knows where its JAAS configuration file is:

```bash
export KAFKA_OPTS="-Djava.security.auth.login.config=/etc/kafka/kafka_server_jaas.conf"
```

In server.properties, enable SASL authentication and configure the listeners. A SASL_SSL listener also needs the ssl.* keystore and truststore settings from the SSL section below; PLAIN sends the password in the clear inside the SASL exchange, so it should only ever be used on a TLS-protected listener.

```properties
listeners=SASL_SSL://:9093
security.inter.broker.protocol=SASL_SSL
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
```

In producer.properties or consumer.properties, enable SASL authentication on the client side:

```properties
security.protocol=SASL_SSL
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="client" password="client-secret";
```

2. SSL encryption

Generate the server and client certificates. The commands below produce self-signed PEM certificates valid for 365 days; the broker and client configuration that follows references JKS keystores, so the key and certificate must be imported into those keystores (for example with keytool) before Kafka can use them.

```bash
openssl req -newkey rsa:2048 -nodes -keyout /etc/kafka/ssl/server.key -x509 -days 365 -out /etc/kafka/ssl/server.crt
openssl req -newkey rsa:2048 -nodes -keyout /etc/kafka/ssl/client.key -x509 -days 365 -out /etc/kafka/ssl/client.crt
```

In server.properties, enable SSL and configure the certificate paths. Note that this configuration reuses the broker's keystore as its truststore, so the broker only trusts certificates contained in server.jks; a multi-broker cluster or client-certificate authentication needs a truststore holding the other parties' certificates.

```properties
listeners=SSL://:9093
security.inter.broker.protocol=SSL
ssl.keystore.location=/etc/kafka/ssl/server.jks
ssl.keystore.password=your_keystore_password
ssl.key.password=your_key_password
ssl.truststore.location=/etc/kafka/ssl/server.jks
ssl.truststore.password=your_truststore_password
```

On the client side (producer.properties or consumer.properties):

```properties
security.protocol=SSL
ssl.truststore.location=/etc/kafka/ssl/client.jks
ssl.truststore.password=your_truststore_password
ssl.keystore.location=/etc/kafka/ssl/client.jks
ssl.keystore.password=your_keystore_password
```

3. Access control (ACLs)

In server.properties, configure the authorizer class:

```properties
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
```

SimpleAclAuthorizer has been deprecated since Kafka 2.4 in favour of kafka.security.authorizer.AclAuthorizer; use the latter on current releases.

Create ACL rules with the kafka-acls.sh tool:

```bash
kafka-acls.sh --bootstrap-server localhost:9092 --add --allow-principal User:alice --operation Read --topic my-topic
```

Use the `kafka-acls.sh --list` command (with the same --bootstrap-server argument) to view the current ACL rules.

4. Monitoring and auditing

```properties
audit.log.enabled=true
```

Note that audit.log.enabled is not a standard Apache Kafka broker property; check the documentation of your Kafka distribution for its audit-logging setting.
The steps above cover the basic security configuration of Kafka on Linux: SASL authentication, SSL encryption, access control (ACLs), monitoring and auditing, and optional advanced authentication such as Kerberos. Depending on your requirements and environment, further configuration and tuning may be needed.
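As an added example (not part of the original guide), the following script audits a broker's server.properties for the weaknesses discussed above: an unencrypted listener, SASL/PLAIN without TLS, a missing or deprecated authorizer, and a keystore reused as the truststore. The sample configuration is constructed for the demonstration, and the checks assume listeners use Kafka's standard security-protocol names.

```python
"""Audit a Kafka server.properties for the weak settings discussed in this guide."""

# Constructed sample: a broker that still exposes a PLAINTEXT listener, uses the
# deprecated authorizer and points ssl.truststore.location at its own keystore.
SAMPLE = """
listeners=PLAINTEXT://:9092,SASL_SSL://:9093
security.inter.broker.protocol=SASL_SSL
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
ssl.keystore.location=/etc/kafka/ssl/server.jks
ssl.truststore.location=/etc/kafka/ssl/server.jks
"""

def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#'/'!' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_broker(props):
    """Return a list of findings; an empty list means no check fired."""
    findings = []
    listeners = [l.strip() for l in props.get("listeners", "").split(",") if l.strip()]
    # Assumes standard protocol names (PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL).
    protocols = {l.split("://", 1)[0] for l in listeners}
    if protocols & {"PLAINTEXT", "SASL_PLAINTEXT"}:
        findings.append("unencrypted listener: credentials and data travel in clear text")
    if "PLAIN" in props.get("sasl.enabled.mechanisms", "") and "SASL_SSL" not in protocols:
        findings.append("SASL/PLAIN enabled without a SASL_SSL listener")
    authorizer = props.get("authorizer.class.name")
    if not authorizer:
        findings.append("no authorizer configured: ACLs are not enforced")
    elif authorizer.endswith("SimpleAclAuthorizer"):
        findings.append("deprecated authorizer; use kafka.security.authorizer.AclAuthorizer")
    keystore = props.get("ssl.keystore.location")
    if keystore and keystore == props.get("ssl.truststore.location"):
        findings.append("keystore reused as truststore: only certificates in it are trusted")
    return findings

if __name__ == "__main__":
    for finding in audit_broker(parse_properties(SAMPLE)):
        print("FINDING:", finding)
```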