保护对 Kafka Connect 的 REST API 的访问 [英] Securing access to REST API of Kafka Connect
问题描述
用于 Kafka Connect 的 REST API 未受到保护和身份验证.由于未经身份验证,任何人都可以轻松访问连接器或任务的配置.由于这些配置可能包含有关如何访问源系统 [在 SourceConnector 的情况下] 和目标系统 [在 SinkConnector 的情况下] 的内容,是否有标准方法来限制对这些 API 的访问?
The REST API for Kafka Connect is not secured and authenticated. Since its not authenticated, the configuration for a connector or Tasks are easily accessible by anyone. Since these configurations may contain about how to access the Source System [in case of SourceConnector] and destination system [in case of SinkConnector], Is there a standard way to restrict access to these APIs?
推荐答案
在 Kafka 2.1.0 中,可以在不编写任何自定义代码的情况下为 Kafka Connect 的 REST 接口配置 http 基本身份验证.
In Kafka 2.1.0, there is possibility to configure http basic authentication for REST interface of Kafka Connect without writing any custom code.
由于 REST 扩展机制的实现,这成为现实(参见 KIP-285).
This became real due to implementation of REST extensions mechanism (see KIP-285).
简而言之,配置过程如下:
Shortly, configuration procedure as follows:
- 将扩展类添加到工作器配置文件:
rest.extension.classes = org.apache.kafka.connect.rest.basic.auth.extension.BasicAuthSecurityRestExtension
- 为应用程序名称KafkaConnect"创建 JAAS 配置文件(即
connect_jaas.conf):
KafkaConnect {
org.apache.kafka.connect.rest.basic.auth.extension.PropertyFileLoginModule required
file="/your/path/rest-credentials.properties";
};
- 在上述目录中创建
rest-credentials.properties文件:
user=password
- 最后,将您的 JAAS 配置文件通知 java,例如,通过向 java 添加命令行属性:
-Djava.security.auth.login.config=/your/path/connect_jaas.conf
重启 Kafka Connect 后,如果没有基本身份验证,您将无法使用 REST API.
After restarting Kafka Connect, you will be unable to use REST API without basic authentication.
请记住,使用过的类只是示例,而不是生产就绪的功能.
Please keep in mind that used classes are rather examples than production-ready features.
链接:
这篇关于保护对 Kafka Connect 的 REST API 的访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
