Who is setting up the authorizations for kafka cluster


Question

I have a 3-node Kafka cluster and 2 Kafka clients for producer and consumer. I have enabled SSL authentication. I want to enable authorization for the cluster. I have added the property below to server.properties on the broker nodes.

authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer

I know that it is ZooKeeper that stores the ACL information. I want to know who can set the authorizations for different clients. And how are the authorizations set?

Recommended answer

After you've set the authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer, the cluster checks for every connection to the broker via authorization.

Who can set the authorization for different clients?
I think any user who can execute the kafka-acls.sh executable can set the authorization. If you need to limit the ability to only yourself, you could change the permissions of the file to 700.

How is the authorization set?
After setting the SimpleAclAuthorizer, by default, users are not allowed access to any resource unless it's specified in the ACLs. You can add a new ACL as follows:

bin/kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:Bob --allow-principal User:Alice --allow-host 198.51.100.0 --allow-host 198.51.100.1 --operation Read --operation Write --topic Test-topic

The above command adds an ACL that allows users Bob and Alice, connecting from hosts 198.51.100.0 and 198.51.100.1, 'read' and 'write' operations on the topic 'Test-topic'. Adding and removing ACLs has been explained clearly here.
Let me know if you have any more doubts.
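
Broker-side settings that bear on who may manage ACLs and on the deny-by-default behaviour described above, as an added example that is not part of the original answer. The principal names are constructed placeholders; substitute the subject DNs of your own certificates.

```properties
# server.properties (added example; principal names below are constructed)

# Turn on ACL checks, as in the question.
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer

# Principals that bypass ACL checks entirely. With SSL authentication the
# default principal is "User:" followed by the certificate's subject DN.
# Entries are separated by semicolons because DNs contain commas.
# If brokers talk to each other over SSL, list each broker certificate's DN
# here (or grant the brokers explicit ACLs), otherwise inter-broker requests
# are denied once the authorizer is active.
super.users=User:CN=kafka-admin,OU=Ops,O=Example;User:CN=broker1,OU=Ops,O=Example

# Weak setting: any resource that has no ACL is open to every principal.
# allow.everyone.if.no.acl.found=true
# Deny by default (this is also the default value):
allow.everyone.if.no.acl.found=false

# The ACLs are stored in ZooKeeper, so any client that can write to those
# znodes can change them. Enabling this makes the broker create its znodes
# with ZooKeeper ACLs; it requires the broker to authenticate to ZooKeeper,
# so it is left commented out here.
# zookeeper.set.acl=true
```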
