在Debian系统下对Kafka进行安全配置,主要包括SSL/TLS加密和SASL认证两种方式。以下是详细的配置步骤:
创建一个目录来存储证书和密钥:
mkdir -p /etc/kafka/ssl
生成服务器证书和密钥:
openssl req -newkey rsa:2048 -nodes -keyout /etc/kafka/ssl/server.key -x509 -days 365 -out /etc/kafka/ssl/server.crt
生成客户端证书和密钥(可选):
openssl req -newkey rsa:2048 -nodes -keyout /etc/kafka/ssl/client.key -x509 -days 365 -out /etc/kafka/ssl/client.crt
server.properties,添加或修改以下配置:listeners=SSL://:9093
advertised.listeners=SSL://your_kafka_host:9093
ssl.keystore.location=/etc/kafka/ssl/server.jks
ssl.keystore.password=your_keystore_password
ssl.key.password=your_key_password
ssl.truststore.location=/etc/kafka/ssl/server.jks
ssl.truststore.password=your_truststore_password
ssl.enabled.protocols=TLSv1.2,TLSv1.3
ssl.cipher.suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
client.properties,添加或修改以下配置:security.protocol=SSL
ssl.truststore.location=/etc/kafka/ssl/client.jks
ssl.keystore.location=/etc/kafka/ssl/client.jks
ssl.key.password=your_key_password
sudo systemctl restart kafka
/etc/kafka/conf目录下创建一个JAAS配置文件,例如kafka_server_jaas.conf:KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret";
};
server.properties,添加或修改以下配置:listeners=SASL_SSL://:9093
advertised.listeners=SASL_SSL://your_kafka_host:9093
security.inter.broker.protocol=SASL_SSL
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN,SCRAM-SHA-256
sasl.client.mechanism.list=PLAIN,SCRAM-SHA-256
sasl.jaas.config=/etc/kafka/conf/kafka_server_jaas.conf
producer.properties或consumer.properties文件中配置SASL认证:security.protocol=SASL_SSL
sasl.mechanism=PLAIN
sasl.username=admin
sasl.password=admin-secret
sudo systemctl restart kafka
以上步骤提供了在Debian系统上为Kafka配置SSL加密和SASL认证的基本流程。请根据实际环境和需求调整配置细节。