Who is setting up the authorizations for kafka cluster


Question

I have a 3-node Kafka cluster and 2 Kafka clients for producer and consumer. I have enabled SSL authentication. I want to enable authorizations for the cluster. I have added the below property in my server.properties in broker nodes.

authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer

I know that it is ZooKeeper which stores the ACL information. I want to know who can set the authorizations for different clients. And how are the authorizations set?

Recommended answer

After you've set the authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer, the cluster checks for every connection to the broker via authorization.

Who can set the authorization for different clients?
I think any user who can execute the kafka-acls.sh executable can set the authorization. If you need to limit the ability to only yourself, you could change the permissions of the file to 700.

How is the authorization set?
After setting the SimpleAclAuthorizer, by default, users are not allowed access to any resource unless it's specified in the ACLs. You can add a new ACL as follows:

bin/kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:Bob --allow-principal User:Alice --allow-host 198.51.100.0 --allow-host 198.51.100.1 --operation Read --operation Write --topic Test-topic

The above command adds an ACL which indicates to allow users Bob and Alice connecting from hosts 198.51.100.0,198.51.100.1, 'read' and 'write' operation on the topic 'Test-topic'. Adding and removing ACLs has been explained clearly here.
Let me know if you have any more doubts.
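
A simplified model of the default-deny evaluation described in the answer above, added here as an example; it is not part of the original answer and not Kafka's own code. It goes slightly beyond the answer by also modelling Deny precedence, the Describe permission implied by Read/Write, and super users, and it assumes literal topic names and the default `allow.everyone.if.no.acl.found=false`; all helper names are hypothetical.

```python
# Simplified model of SimpleAclAuthorizer's decision for topic ACLs.
# Added example, not Kafka source; all helper names are hypothetical.
# Assumes literal topic names and allow.everyone.if.no.acl.found=false (default).
from itertools import product
from typing import NamedTuple

class Acl(NamedTuple):
    principal: str
    permission: str  # "Allow" or "Deny"
    host: str
    operation: str
    topic: str

def expand(principals, hosts, operations, topic, permission="Allow"):
    """kafka-acls stores one entry per principal x host x operation."""
    return {Acl(p, permission, h, o, topic)
            for p, h, o in product(principals, hosts, operations)}

def _hit(acls, permission, principal, host, operation, topic):
    return any(a.permission == permission and a.topic == topic
               and a.principal in (principal, "User:*")
               and a.host in (host, "*")
               and a.operation in (operation, "All")
               for a in acls)

def authorize(acls, principal, host, operation, topic, super_users=()):
    if principal in super_users:
        return True                       # super.users bypass ACLs
    if _hit(acls, "Deny", principal, host, operation, topic):
        return False                      # a matching Deny always wins
    allow_ops = {operation}
    if operation == "Describe":           # implied by these Allow entries
        allow_ops |= {"Read", "Write", "Delete", "Alter"}
    # No matching Allow entry means the request is denied (default deny).
    return any(_hit(acls, "Allow", principal, host, op, topic)
               for op in allow_ops)

# Constructed from the kafka-acls command in the answer above.
PAGE_ACLS = expand(["User:Bob", "User:Alice"],
                   ["198.51.100.0", "198.51.100.1"],
                   ["Read", "Write"], "Test-topic")

if __name__ == "__main__":
    print(len(PAGE_ACLS), "entries")
    for who, host in [("User:Bob", "198.51.100.0"), ("User:Bob", "198.51.100.2"),
                      ("User:Carol", "198.51.100.0")]:
        print(who, host, authorize(PAGE_ACLS, who, host, "Read", "Test-topic"))
```

The single command in the answer expands to eight stored entries, which is what `kafka-acls --list` would show for the topic; any principal, host or topic outside that set is refused.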
