Kafka 0.9.1 authorization
Problem description
I am exploring the security capabilities of Kafka 0.9.1 but am unable to use them successfully.
I have set the below configuration in my server.properties:
allow.everyone.if.no.acl.found=false
super.users=User:root;User:kafka
I created an ACL using the below command:
./kafka-acls.sh --authorizer-properties zookeeper.connect= --add --allow-principal User:imit --allow-host --topic imit --producer --consumer --group imit-consumer-group
I see the below response:
Current ACLs for resource Topic:imit:
User:imit has Allow permission for operations: Describe from hosts:
User:imit has Allow permission for operations: Read from hosts:
User:imit has Allow permission for operations: Write from hosts:
Note: Values mentioned in <> are replaced with some dummy values in the question and used correctly while creating the ACL
I have the following observations:
a) Though I defined the rule for the imit topic to allow access for a particular user from a given host, I can still write to the topic from any host using any user account.
b) I am unable to read the messages from the topic from any host or any user account (even using the one for which I have defined the rules).
I am running Kafka on RHEL 6.7 and all the users are local.
I would appreciate it if someone could guide me on whether I am missing any configuration parameters or commands to manage authorization, or whether Kafka is behaving in a weird way.
Also, where can I get authorization-related logs in Kafka?
Thanks & Regards
Sudeep
Recommended answer
You are probably missing the below settings in your server.properties.
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
-- Adding this line would enable the ACL to work via SimpleAclAuthorizer.
-- Kafka by default comes with the kafka.security.auth.SimpleAclAuthorizer defined by the parameter authorizer.class.name
You can try the below setup, which might give a complete idea.
https://github.com/Symantec/kafka-security-0.9
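An added example (not part of the original answer and not Kafka's own code): a small Python check that reads server.properties text and reports problems with the ACL-related keys discussed on this page. The function names and the sample configurations are constructed for illustration, and line continuations in the properties file are not handled.

```python
import re

# Key, then '=' / ':' / whitespace as separator, then the value (Java properties style).
_LINE = re.compile(r"^\s*([^=:\s]+)\s*[=:\s]\s*(.*?)\s*$")


def parse_properties(text):
    """Parse Java-properties text into a dict, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#!":
            continue
        m = _LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit_acl_settings(text):
    """Return a list of findings about broker-side ACL enforcement."""
    props = parse_properties(text)
    findings = []
    if not props.get("authorizer.class.name", ""):
        findings.append("authorizer.class.name is not set: ACLs created with "
                        "kafka-acls.sh are not enforced by this broker")
    if props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append("allow.everyone.if.no.acl.found=true: resources "
                        "without ACLs are open to everyone")
    for entry in filter(None, props.get("super.users", "").split(";")):
        if not re.match(r"^User:\S+$", entry.strip()):
            findings.append("super.users entry %r is not of the form "
                            "User:<name>" % entry)
    return findings


# Constructed sample: the two settings from the question, spacing varied on purpose.
QUESTION_CONFIG = """
# server.properties as described in the question
allow.everyone.if.no.acl.found = false
super.users=User:root;User:kafka
"""
# The same file with the line from the answer appended.
FIXED_CONFIG = (QUESTION_CONFIG +
                "authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer\n")

if __name__ == "__main__":
    for name, cfg in (("question", QUESTION_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_acl_settings(cfg) or "no findings")
```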