在Debian系统上配置Kafka的安全性主要包括启用SSL/TLS加密、添加认证配置(如SASL)、配置防火墙、限制访问权限、监控和审计等。以下是详细的步骤:
mkdir -p /etc/kafka/ssl
openssl req -newkey rsa:2048 -nodes -keyout /etc/kafka/ssl/server.key -x509 -days 365 -out /etc/kafka/ssl/server.crt
openssl req -newkey rsa:2048 -nodes -keyout /etc/kafka/ssl/client.key -x509 -days 365 -out /etc/kafka/ssl/client.crt
/etc/kafka/server.properties 文件,添加或修改以下配置:listeners=SSL://:9093
security.inter.broker.protocol=SSL
ssl.keystore.location=/etc/kafka/ssl/server.jks
ssl.keystore.password=your_keystore_password
ssl.key.password=your_key_password
ssl.truststore.location=/etc/kafka/ssl/server.jks
ssl.truststore.password=your_truststore_password
ssl.enabled.protocols=TLSv1.2,TLSv1.3
ssl.cipher.suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
/etc/kafka/kafka_server_jaas.conf:KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret"
user_admin="/home/admin";
}
server.properties 中添加:sasl_ssl://:9093
security.inter.broker.protocol=SASL_SSL
server.properties 中添加:sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret"
user_admin="/home/admin";
使用 iptables 或 ufw 配置防火墙规则,仅允许必要的端口(如9092、9093)对外开放:
sudo ufw allow 9092/tcp
sudo ufw allow 9093/tcp
sudo groupadd kafka
sudo useradd -g kafka kafka
sudo chown -R kafka:kafka /var/lib/kafka
sudo chown -R kafka:kafka /var/log/kafka
sudo chown -R kafka:kafka /etc/kafka
sudo chmod -R 750 /var/lib/kafka
sudo chmod -R 750 /var/log/kafka
sudo chmod -R 750 /etc/kafka
/etc/init.d/kafka 或 /etc/systemd/system/kafka.service),确保它以 kafka 用户身份运行。