
How to configure Kafka security on Debian

小樊
42
2025-03-04 03:46:40
Category: Intelligent Operations

Securing Kafka on Debian mainly consists of configuring SASL authentication and SSL encryption. The detailed steps follow:

SASL authentication configuration

  1. Enable SASL (ZooKeeper)

ZooKeeper configuration (zoo.cfg):

tickTime=2000
initLimit=1
syncLimit=5
dataDir=/data/zookeeper/data
clientPort=2181
admin.serverPort=8888
maxClientCnxns=3000
autopurge.snapRetainCount=3
autopurge.purgeInterval=24
server.1=192.xxx.xxx.112:2888:3888
server.2=192.xxx.xxx.114:2888:3888
server.3=192.xxx.xxx.115:2888:3888
4lw.commands.whitelist=conf,stat,srvr,mntr
# zk SASL: the credentials themselves go in the JAAS file below
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider

JAAS file (zk_jaas.conf); the Server section declares each account as user_<name>="<password>":

Server {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_admin="admin123";
};

ZooKeeper environment script (zkEnv.sh):

ZOOBINDIR="${ZOOBINDIR:-/usr/bin}"
ZOOKEEPER_PREFIX="${ZOOBINDIR}/.."
# Added variable
SERVER_JVMFLAGS="-Djava.security.auth.login.config=/usr/local/zookeeper-3.4.14/conf/zk_jaas.conf"

  2. Configure Kafka to use SASL

Kafka broker configuration (server.properties):

listeners=SASL_PLAINTEXT://:9092,SSL://:9093
advertised.listeners=SASL_PLAINTEXT://172.139.20.17:9092,SSL://172.139.20.17:9093
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
# The inter-broker mechanism must also appear in the enabled mechanisms
sasl.enabled.mechanisms=PLAIN,SCRAM-SHA-256

Restart ZooKeeper:

systemctl restart zookeeper

SSL encryption configuration

  1. Generate the SSL certificates

# Create the root CA key and self-signed certificate
openssl req -new -x509 -nodes -keyout ca.key -out ca.crt -days 3650 -subj "/C=CN/ST=GuangDong/L=GuangZhou/CN=Kafka Root CA"
# Import the CA certificate into the truststore
keytool -keystore kafka.server.truststore.p12 -storetype PKCS12 -alias CARoot -import -file ca.crt -storepass truststore_password -noprompt
# Generate the broker key pair (keytool expects a comma-separated distinguished name)
keytool -keystore kafka.server.keystore.p12 -storetype PKCS12 -alias localhost -validity 3650 -genkey -keyalg RSA -keysize 2048 -storepass keystore_password -dname "CN=kafka-server, L=GuangZhou, ST=GuangDong, C=CN"
# Create the certificate signing request
keytool -keystore kafka.server.keystore.p12 -storetype PKCS12 -alias localhost -certreq -file server.csr -storepass keystore_password
# Sign the request with the CA and add the broker IPs as subjectAltName (bash process substitution)
openssl x509 -req -CA ca.crt -CAkey ca.key -in server.csr -out server-signed.crt -days 3650 -CAcreateserial -extfile <(printf "subjectAltName=IP:172.139.20.17,IP:172.139.20.81,IP:172.139.20.177")
# Import the CA certificate into the keystore (use the keystore password here, not the truststore password)
keytool -keystore kafka.server.keystore.p12 -storetype PKCS12 -alias CARoot -import -file ca.crt -storepass keystore_password -noprompt
# Import the signed broker certificate
keytool -keystore kafka.server.keystore.p12 -storetype PKCS12 -alias localhost -import -file server-signed.crt -storepass keystore_password -noprompt

  2. Configure Kafka to use SSL

Kafka broker configuration (server.properties):

listeners=SSL://:9093
advertised.listeners=SSL://172.139.20.17:9093
ssl.keystore.location=/app/kafka/server.keystore.p12
ssl.keystore.password=keystore_password
# In a PKCS12 keystore the key password is the same as the store password
ssl.key.password=keystore_password
ssl.truststore.location=/app/kafka/server.truststore.p12
ssl.truststore.password=truststore_password
ssl.enabled.protocols=TLSv1.2
ssl.client.auth=required

  3. Restart the Kafka service

systemctl restart kafka

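The steps above configure SASL authentication and SSL encryption for Kafka on Debian to improve the security of the system. Adjust the configuration details to your actual environment and requirements.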
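
As an added example (not part of the original answer), this Python script audits a broker's server.properties for the settings discussed above. The sample is constructed from this page's listener settings with a mechanism list that omits PLAIN; the finding names are hypothetical, and the script assumes listener names equal protocol names (no listener.security.protocol.map).

```python
# Added example: audit a Kafka server.properties for weak security settings.
# Assumes listener names equal protocol names (no listener.security.protocol.map).
SAMPLE = """\
listeners=SASL_PLAINTEXT://:9092,SSL://:9093
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=SCRAM-SHA-256
ssl.enabled.protocols=TLSv1.2
ssl.client.auth=required
"""  # constructed sample, not a real broker's file

WEAK_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def split_csv(value):
    """Split a comma-separated property value into trimmed items."""
    return [item.strip() for item in value.split(",") if item.strip()]

def audit(props):
    """Return finding ids (hypothetical names), applying Kafka's defaults."""
    findings = []
    listeners = split_csv(props.get("listeners", "PLAINTEXT://:9092"))
    protos = [item.split("://", 1)[0].upper() for item in listeners]
    enabled = set(split_csv(props.get("sasl.enabled.mechanisms", "GSSAPI")))
    inter_proto = props.get("security.inter.broker.protocol", "PLAINTEXT").upper()
    inter_mech = props.get("sasl.mechanism.inter.broker.protocol", "GSSAPI")
    # Brokers authenticate to each other with inter_mech, so it must be enabled.
    if inter_proto.startswith("SASL") and inter_mech not in enabled:
        findings.append("INTER_BROKER_MECHANISM_NOT_ENABLED")
    if "PLAINTEXT" in protos or inter_proto == "PLAINTEXT":
        findings.append("UNAUTHENTICATED_CLEARTEXT_LISTENER")
    # SASL_PLAINTEXT authenticates but does not encrypt credentials or data.
    if "SASL_PLAINTEXT" in protos or inter_proto == "SASL_PLAINTEXT":
        findings.append("SASL_WITHOUT_TLS")
    if WEAK_TLS & set(split_csv(props.get("ssl.enabled.protocols", ""))):
        findings.append("WEAK_TLS_PROTOCOL")
    # An SSL listener without required client certificates only encrypts.
    if "SSL" in protos and props.get("ssl.client.auth", "none") != "required":
        findings.append("TLS_CLIENT_AUTH_NOT_REQUIRED")
    return findings
```

Calling audit(parse_properties(SAMPLE)) returns the list of findings for the sample; an empty list means none of these checks fired.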
