使用Kerberos从Windows连接到Unix上的Kafka [英] Connect to Kafka on Unix from Windows with Kerberos
问题描述
我对Kafka还是很陌生,所以请多多包涵.这是我的设置. 我在统一框上托管了kafka.聚集.在域中说B. 客户端在Windows上.并尝试使用域A连接到托管在B上的kafka. 我有密钥表.和krb5.这两个都在环境中设置. krb5.ini(并设置为envt变量KRB5_CONFIG)
I'm quite new to Kafka so please bear with me. Here is my set up. I have kafka hosted on a unix box. Clustered. and in a domain say B. client is on windows. and am trying to connect to kafka hosted on B using a domain A. I have the keytab. and krb5. both these are set up in the envt. krb5.ini(and is set to envt variable KRB5_CONFIG)
[logging]
default = CONSOLE
admin_server = CONSOLE
kdc = CONSOLE
[libdefaults]
renew_lifetime = 7d
clockskew = 324000
forwardable = true
proxiable = true
renewable = true
default_realm = some.something.COM
dns_lookup_realm = true
dns_lookup_kdc = false
default_tgs_enctypes = somethingelse
default_tkt_enctypes = somethingelse
[appdefaults]
renewable = true
[realms]
some.something.COM = {
kdc = some.something.COM
admin_server = some.something.COM
}
我还设置了Jaas.config(以我的情况为Kafka.client.ini,并设置为envt变量KAFKA_CLIENT_KERBEROS_PARAMS),以下是配置
I also have set up Jaas.config(Kafka.client.ini in my case and is set to envt variable KAFKA_CLIENT_KERBEROS_PARAMS) below is the config
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="sample.keytab"
storeKey=true
useTicketCache=true
serviceName="kafka"
principal="svcacc@some.something.COM";
};
下载了apache kafka_2.12-0.10.2.1.tgz并正在执行此命令.
downloaded apache kafka_2.12-0.10.2.1.tgz and am executing this command.
kafka-console-producer.bat --broker-list <broker list> --topic <mytopic> --security-protocol SASL_PLAINTEXT
无论我做了什么更改,我始终会遇到错误
no matter what i change i keep getting below error
安全协议不是公认的选项"
"security-protocol is not a recognised option"
有人可以帮我吗? 我还在producer.properties中的props下面添加了.但似乎没有任何改变.我不确定我缺少什么
can someone please help me in this? i also added below props in producer.properties. but nothing seems to change. I'm not sure what i'm missing
security.protocol=SASL_PLAINTEXT
sasl.kerberos.service.name=kafka
我什至尝试在kafka-console-producer.bat中设置此属性,但是没有运气
I even tried setting this property in kafka-console-producer.bat but with no luck
set KAFKA_CLIENT_KERBEROS_PARAMS=- Djava.security.auth.login.config=..\..\config\kafka_Connection.ini
期待您的投入.非常感谢(我目前无法控制kafka服务器,也无法解释为什么它托管在域B中)
looking forward for your inputs. Many thanks (i've no control as of now on kafka server nor i will be able to explain why its hosted on domain B)
推荐答案
免责声明:我对Kafka不太熟悉,并且该错误消息也不能明确暗示Kerberos问题.
但是鉴于这是跨领域的情况,您迟早会 遇到Kerberos障碍...
Disclaimer: I'm not too familiar with Kafka, and that error message does not clearly hint at a Kerberos problem.
But given that this is a cross-realm situation, you will probably hit a Kerberos snag sooner or later...
从Kerberos MIT文档中的krb5.conf
部分 [capaths]
From Kerberos MIT documentation about krb5.conf
section [capaths]
为了执行 direct (非分层)跨领域 身份验证,需要配置来确定 领域之间的身份验证路径.
In order to perform direct (non-hierarchical) cross-realm authentication, configuration is needed to determine the authentication paths between realms.
客户端将使用此部分查找之间的身份验证路径 它的领域和服务器的领域.
A client will use this section to find the authentication path between its realm and the realm of the server.
换句话说,对于主体wtf@USERS.CORP.DMN
,您将获得Kerberos TGT(票证授予票),但对于kafka/brokerhost.some.where@SERVERS.CORP.DMN
,则需要Kerberos服务票证.每个领域都有其自己的KDC服务器.您的Kerberos客户端(在这种情况下为Java实现)必须具有从一个域跳"到另一个域
In other words, you get a Kerberos TGT (ticket-granting-ticket) for principal wtf@USERS.CORP.DMN
but need a Kerberos service ticket for kafka/brokerhost.some.where@SERVERS.CORP.DMN
. Each realm has its own KDC servers. Your Kerberos client (the Java implementation in this case) must have a way to "hop" from one domain to the others
方案1 >>这两个领域都是相互信任的兄弟" AD域,并且它们使用默认的等级关系-表示在
USERS
到SERVERS
的路径中有一个名为CORP.DMN
的父亲" AD域.
Scenario 1 >> both realms are "brother" AD domains with mutual trust, and they use the default hierarchical relationship -- meaning that there is a "father" AD domain named
CORP.DMN
that is in the path from USERS
to SERVERS
.
您的krb5.conf
应该看起来像这样...
Your krb5.conf
should look like this...
[libdefaults]
default_realm = USERS.CORP.DMN
kdc_timeout = 3000
...
...
[realms]
USERS.CORP.DMN = {
kdc = roundrobin.siteA.users.corp.dmn
kdc = roundrobin.bcp.users.corp.dmn
}
SERVERS.CORP.DMN = {
kdc = dc1.servers.corp.dmn
kdc = dc2.servers.corp.dmn
kdc = roundrobin.bcp.servers.corp.dmn
}
CORP.DMN = {
kdc = roundrobin.corp.dmn
kdc = roundrobin.bcp.corp.dmn
}
...假设您在每个域中都有多个AD域控制器,有时在DNS别名后面进行循环分配,以及在单独的站点上为BCP/DRP设置另一组DC.可能比这更简单:-)
...assuming you have multiple AD Domain Controllers in each domain, sometimes behind DNS aliases doing round-robin assignment, plus another set of DC on a separate site for BCP/DRP. It could be more simple than that :-)
方案2 >>已启用信任,但关系不使用默认的分层路径.
Scenario 2 >> there is trust enabled but the relationship does not use the default, hierarchical path.
在这种情况下,您必须在[capaths]
部分中明确定义该路径",如Kerberos文档中所述.
In that case you must define explicitly that "path" in a [capaths]
section, as explained in the Kerberos documentation.
场景3 >>域之间没有信任.你被搞砸了.
Scenario 3 >> there is no trust between realms. You are screwed.
或者,您必须获得可以与Kafka经纪人在同一域上进行身份验证的其他用户,例如xyz@SERVERS.CORP.DMN
.
也许可以使用声明default_realm = SERVERS.CORP.DMN
的特定krb5.conf
(例如,我已经看到Windows上某些JDK版本的怪异行为)
Or rather, you must obtain a different user that can authenticate on the same domain as the Kafka broker, e.g. xyz@SERVERS.CORP.DMN
.
And maybe use a specific krb5.conf
that states default_realm = SERVERS.CORP.DMN
(I've seen weird behaviors of some JDK versions on Windows, for example)
底线:您必须要求广告管理员的帮助.也许他们不熟悉原始Kerberos conf,但是他们将了解信任关系和路径".此时,只需遵循正确的
krb5.conf
语法即可.
或者,也许conf已经由Linux管理员完成了;因此,您应该提供一个标准krb5.conf
的示例,以检查其中是否存在跨域内容.
Or, maybe, that conf has already been done by the Linux administrators; so you should require an example of their standard krb5.conf
to check whether there is cross-domain stuff in there.
当然,您应该在Kafka生产者中启用 Kerberos调试跟踪:
And of course you should enable Kerberos debug traces in your Kafka producer:
-Dsun.security.krb5.debug=true
-Djava.security.debug=gssloginconfig,configfile,configparser,logincontext
仅作记录,但在这里没有用...在HTTP(SPNego)上使用Keberos时,还有一个附加标志-Dsun.security.spnego.debug=true
Just for the record, but not useful here... when using Keberos over HTTP (SPNego) there's an additional flag-Dsun.security.spnego.debug=true
这篇关于使用Kerberos从Windows连接到Unix上的Kafka的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!