Kafka 0.9.1 authorization


Problem description

I am exploring the security capabilities of Kafka 0.9.1 but am unable to use them successfully.

I have set the below configuration in my server.properties:

allow.everyone.if.no.acl.found=false
super.users=User:root;User:kafka

I created an ACL using the below command:

./kafka-acls.sh --authorizer-properties zookeeper.connect= --add --allow-principal User:imit --allow-host --topic imit --producer --consumer --group immit-consumer-group

I see the below response:

Current ACLs for resource Topic:imit:
User:imit has Allow permission for operations: Describe from hosts:
User:imit has Allow permission for operations: Read from hosts:
User:imit has Allow permission for operations: Write from hosts:

Note: Values mentioned in <> are replaced with some dummy values in the question and used correctly while creating the ACL

I have the following observations:

a) Though I define the rule for the imit topic to give access to a particular user from a given host, I can still write to the topic from any host using any user account.

b) I am unable to read messages from the topic from any host or any user account (even using the one for which I have defined the rules).

I am running Kafka on RHEL 6.7 and all the users are local.

I would appreciate it if someone could tell me whether I am missing any configuration parameters or commands to manage authorization, or whether Kafka is behaving in a weird way.

Also, where can I get authorization-related logs in Kafka?

Thanks & Regards,

Deep

Recommended answer

You are probably missing the below setting in your Server.properties.

authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer

-- Adding this line would enable the ACL to work via SimpleAclAuthorizer.
-- Kafka by default comes with the kafka.security.auth.SimpleAclAuthorizer defined by the parameter authorizer.class.name.

You can try the below setup, which might give a complete idea.

https://github.com/Symantec/kafka-security-0.9
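
A check for the broker settings this thread turns on, as an added example that is not part of the original question or answer: it reads a server.properties file and reports whether ACL enforcement is configured. The function names and the sample strings are constructed for illustration.

```shell
# Added example (not from the original post); function names are hypothetical.

# Print the effective value of a key: comments skipped, last assignment wins.
prop_value() {  # $1 = properties file, $2 = key
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }
        {
            i = index($0, "=")
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# Print findings; return the number of problems (0 = ACL enforcement is on).
audit_kafka_authz() {
    file=$1; problems=0
    authorizer=$(prop_value "$file" authorizer.class.name)
    allow_all=$(prop_value "$file" allow.everyone.if.no.acl.found)
    supers=$(prop_value "$file" super.users)

    if [ -z "$authorizer" ]; then
        echo "FAIL: authorizer.class.name is unset, so the broker does not enforce ACLs"
        problems=$((problems + 1))
    else
        echo "OK: authorizer.class.name=$authorizer"
    fi
    if [ "$allow_all" = "true" ]; then
        echo "FAIL: allow.everyone.if.no.acl.found=true opens every resource that has no ACL"
        problems=$((problems + 1))
    fi
    # Super users bypass ACL checks, so list them one per line for review.
    if [ -n "$supers" ]; then
        printf '%s\n' "$supers" | tr ';' '\n' | sed 's/^/INFO: super user /'
    fi
    return "$problems"
}

# Constructed samples: the settings from the question, then with the answer's line added.
sample_question='allow.everyone.if.no.acl.found=false
super.users=User:root;User:kafka'
sample_fixed="$sample_question
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer"
```

Write either sample to a file and pass its path to `audit_kafka_authz`; the exit status is the number of FAIL findings.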
