
kerberos error

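yum install -y krb5-server

vi /var/kerberos/krb5kdc/kdc.conf     # KDC settings (realm section for KAFKA.SECURE)
vi /var/kerberos/krb5kdc/kadm5.acl    # who may administer the realm through kadmin
vi /etc/krb5.conf                     # library/client settings (default_realm, realm -> KDC mapping)

# Create the realm database. -s also writes a stash file so krb5kdc/kadmin can
# start without being prompted for the master key; the stash is as sensitive as
# the database itself. The original passed the master password on the command
# line (-P this-is-unsecure), which leaves it in shell history and exposes it in
# the process list while the command runs, so let kdb5_util prompt for it instead.
/usr/sbin/kdb5_util create -s -r KAFKA.SECURE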

Setup kerberos

# Restart the KDC and the admin server after the config files and the realm
# database have been created, and show each unit's state right after its restart.
for unit in krb5kdc kadmin; do
  systemctl restart "$unit"
  systemctl status "$unit"
done

add reader

# Reader principal. -randkey gives it a random key instead of a password, so it
# can only authenticate with the keytab exported for it (addprinc == add_principal).
kadmin.local -q 'addprinc -randkey reader@KAFKA.SECURE'

add writer

# Writer principal, keytab-only like the reader (addprinc == add_principal).
kadmin.local -q 'addprinc -randkey writer@KAFKA.SECURE'

add admin

# Admin principal used from the client with its keytab. Note that "admin" here is
# a plain user principal; whether it may administer the realm depends on what
# kadm5.acl grants it, which this page does not show (addprinc == add_principal).
kadmin.local -q 'addprinc -randkey admin@KAFKA.SECURE'

add kafka

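# Broker service principal (the original read "kdmin.local", which does not
# exist, so this step silently never ran). The primary "kafka" must equal the
# broker's sasl.kerberos.service.name and the instance must be the broker's FQDN
# as clients resolve it (kafka1.mydomain.com, the advertised listener host).
kadmin.local -q "add_principal -randkey kafka/kafka1.mydomain.com@KAFKA.SECURE"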

xst

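# Export one keytab per principal. Note: xst/ktadd gives the principal a fresh
# random key on every export, so re-running one of these lines invalidates any
# keytab exported earlier for that principal (kadmin's -norandkey avoids that).
kt_dir=/app/manager/kerberos
mkdir -p -- "$kt_dir"

kadmin.local -q "xst -kt $kt_dir/reader.user.keytab reader@KAFKA.SECURE"
kadmin.local -q "xst -kt $kt_dir/writer.user.keytab writer@KAFKA.SECURE"
kadmin.local -q "xst -kt $kt_dir/admin.user.keytab admin@KAFKA.SECURE"
kadmin.local -q "xst -kt $kt_dir/kafka.service.keytab kafka/kafka1.mydomain.com@KAFKA.SECURE"

# A keytab is a long-lived credential equivalent to the principal's password.
# Keep each file readable only by its owner, and hand it to exactly the one
# account that uses it (the broker's service account for kafka.service.keytab,
# the client user for the *.user.keytab files); until then it stays root-only.
chmod 600 -- "$kt_dir"/*.keytab
# chown <broker-service-account> "$kt_dir/kafka.service.keytab"   # placeholder: the user the broker runs as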

Setup kerberos client

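# Client host. Install the workstation tools first: running kinit before this
# step only produced "bash: kinit: command not found".
yum -y install krb5-workstation

# Short principal name: the realm is taken from default_realm in /etc/krb5.conf.
kinit -kt /app/manager/kerberos/admin.user.keytab admin
klist

# Inspect the service keytab (principals and key versions) without using it.
klist -kt /app/manager/kerberos/kafka.service.keytab
klist

# With the default file credential cache this replaces the admin ticket with the
# broker service ticket. The client JAAS config on this page uses
# useTicketCache=true, i.e. whatever principal is cached at that moment, so kinit
# as the identity the client should actually use, and run kdestroy when done
# with a privileged ticket.
kinit -kt /app/manager/kerberos/kafka.service.keytab kafka/kafka1.mydomain.com
klist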

setup kafka broker

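# Broker listeners. "SASL" is not a Kafka security protocol (the valid names are
# PLAINTEXT, SSL, SASL_PLAINTEXT and SASL_SSL); the advertised entry for 9094
# below and the client config on this page (security.protocol=SASL_SSL) both say
# SASL_SSL, so the listener must too. The PLAINTEXT listener on 9092 remains
# reachable without authentication or encryption; keep it only if a client
# really needs it.
listeners=PLAINTEXT://0.0.0.0:9092,SSL://0.0.0.0:9093,SASL_SSL://0.0.0.0:9094
# Was misspelled "adviertised.listeners". Kafka does not reject unknown keys, so
# the setting would have been ignored and the broker would have advertised the
# listeners value (0.0.0.0) to clients instead of its hostname.
advertised.listeners=PLAINTEXT://kafka1.mydomain.com:9092,SSL://kafka1.mydomain.com:9093,SASL_SSL://kafka1.mydomain.com:9094

# GSSAPI = Kerberos. The service name must equal the primary of the broker
# principal exported into kafka.service.keytab (kafka/kafka1.mydomain.com@KAFKA.SECURE).
sasl.enabled.mechanisms=GSSAPI
sasl.kerberos.service.name=kafka
# The SSL and SASL_SSL listeners additionally need the broker keystore settings
# (ssl.keystore.*), which this page does not show.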

kafka_server_jaas.conf

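// Broker login context, loaded by the JVM through
// -Djava.security.auth.login.config (see the KAFKA_OPTS line on this page).
// Two fixes against the original: Kerberos realm names are case-sensitive and
// the original read "KAFKA.SECUrE", which does not match the principal exported
// into kafka.service.keytab (...@KAFKA.SECURE); and the module entry must end
// with ";" after its last option or the JAAS file fails to parse.
KafkaServer {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab="/app/manager/kerberos/kafka.service.keytab"
  principal="kafka/kafka1.mydomain.com@KAFKA.SECURE";
};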

setup kafka service

# systemd unit setting ([Service] section of the kafka unit, or a drop-in), not a
# shell command: hands the broker JAAS file to the JVM. The path must match the
# file actually written earlier (the heading on this page spells it with a hyphen,
# kafka-server_jaas.conf; this line expects an underscore).
Environment="KAFKA_OPTS=-Djava.security.auth.login.config=/app/kafka/config/kafka_server_jaas.conf"
# Re-read the unit files, then restart the broker so the new JVM option takes effect.
systemctl daemon-reload
systemctl restart kafka

setup kafka client for kerberos

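# Client login context. The original had "requried": JAAS rejects an unknown
# control flag when parsing the file, so every client would have failed to log
# in. useTicketCache=true means the client uses whatever ticket kinit left in the
# credential cache, so the caller must kinit as the intended principal first.
cat > kafka_client_jaas.conf <<'EOF'
KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=true;
};
EOF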

setup kafka_client_kerberos.properties

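# Client properties. SASL_SSL matches the 9094 listener the broker advertises,
# and the service name matches the broker principal's primary.
# The truststore password is stored in clear text. It only protects a store of
# CA certificates (far less sensitive than a keystore password), but the file
# should still be readable by the client user alone, so create it with a
# restrictive umask rather than fixing permissions afterwards.
(
  umask 077
  cat > kafka_client_kerberos.properties <<'EOF'
security.protocol=SASL_SSL
sasl.kerberos.service.name=kafka
ssl.truststore.location=/home/kafka/ssl/kafka.client.truststore.jks
ssl.truststore.password=ccccdddd
EOF
)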
