CDK 2.0 and higher Powered By Apache Kafka supports Kerberos authentication, but it is supported only for the new Kafka Producer and Consumer APIs. If you already have a Kerberos server, you can add Kafka to your current configuration. If you do not have a Kerberos server, install it before proceeding. See Enabling Kerberos Authentication Using the Wizard.

If you already have configured the mapping from Kerberos principals to short names using the hadoop.security.auth_to_local HDFS configuration property, configure the same rules for Kafka by adding the sasl.kerberos.principal.to.local.rules property to the Advanced Configuration Snippet for Kafka Broker Advanced Configuration Snippet using Cloudera Manager. Specify the rules as a comma separated list.

To enable Kerberos authentication for Kafka:

  1. From Cloudera Manager, navigate to Kafka > Configurations. Set SSL client authentication to none. Set Inter Broker Protocol to SASL_PLAINTEXT.
  2. Click Save Changes.
  3. Restart the Kafka service.
  4. Make sure that listeners = SASL_PLAINTEXT is present in the Kafka broker logs /var/log/kafka/server.log.
  5. Create a jaas.conf file with the following contents to use with cached Kerberos credentials (you can modify this to use keytab files instead of cached credentials. To generate keytabs, see Step 6: Get or Create a Kerberos Principal for Each User Account).

    If you use kinit first, use this configuration.

    KafkaClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true;
    };
    If you use keytab, use this configuration:

    KafkaClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/security/keytabs/kafka_server.keytab"
    principal="kafka/kafka1.hostname.com@EXAMPLE.COM";
    };
  6. Create the client.properties file containing the following properties.
    security.protocol=SASL_PLAINTEXT
    sasl.kerberos.service.name=kafka
  7. Test with the Kafka console producer and consumer. To obtain a Kerberos ticket-granting ticket (TGT):
    $ kinit <user>
  8. Verify that your topic exists. (This does not use security features, but it is a best practice.)
    $ kafka-topics --list --zookeeper <zkhost>:2181
  9. Verify that the jaas.conf file is used by setting the environment.
    $ export KAFKA_OPTS="-Djava.security.auth.login.config=/home/user/jaas.conf"
  10. Run a Kafka console producer.
    $ kafka-console-producer --broker-list <anybroker>:9092 --topic test1
    --producer.config client.properties
  11. Run a Kafka console consumer.
    $ kafka-console-consumer --new-consumer --topic test1 --from-beginning
    --bootstrap-server <anybroker>:9092 --consumer.config client.properties

kafka Enabling Kerberos Authentication的更多相关文章

  1. flume集成kafka(kafka开启kerberos)配置

    根据flume官网:当kafka涉及kerberos认证: 涉及两点配置,如下: 配置一:见下实例中红色部分 配置conf实例: [root@gz237-107 conf]# cat flume_sl ...

  2. FIM 2010: Kerberos Authentication Setup

    The goal of this article is to provide some background information regarding the Kerberos related co ...

  3. Problem of Creating Topics in Kafka with Kerberos

    Hi, After enabled Kerberos using Ambari, I got problem creating topics in Kafka using the kafka-topi ...

  4. Step by Step Recipe for Securing Kafka with Kerberos

    Short Description: Step by Step Recipe for Securing Kafka with Kerberos. Article I found it is a lit ...

  5. hiveserver2 with kerberos authentication

    Kerberos协议: Kerberos协议主要用于计算机网络的身份鉴别(Authentication), 其特点是用户只需输入一次身份验证信息就可以凭借此验证获得的票据(ticket-grantin ...

  6. 进行Spark,Kafka针对Kerberos相关配置

    1. 提交任务的命令 spark-submit \--class <classname> \--master yarn \--deploy-mode client \--executor- ...

  7. Kafka集成Kerberos之后如何使用生产者消费者命令

    1.生产者1.1.准备jaas.conf并添加到环境变量(使用以下方式的其中一种)1.1.1.使用Kinit方式前提是手动kinit 配置内容为: KafkaClient { com.sun.secu ...

  8. kafka实战kerberos

    more /etc/krb5.conf [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log a ...

  9. kafka 配置kerberos校验以及开启acl实践

    转载请注明原创地址:http://www.cnblogs.com/dongxiao-yang/p/7131626.html kafka从0.9版本以后引入了集群安全机制,由于最近需要新搭建一套kafk ...

随机推荐

  1. poi坑点(springboot)

    工作上需要写了一个将数据库数据生成excel表的接口,在此过程中遇到了一些坑点,现在此纪录 PS:一部分可能是因为我没用明白 1. 样式问题 自动调整尽量不要使用,部分列留白过多,空列列宽过窄,可能是 ...

  2. Nginx Rewrite相关功能-rewrite指令

    Nginx Rewrite相关功能-rewrite指令 作者:尹正杰 版权声明:原创作品,谢绝转载!否则将追究法律责任.

  3. Nginx 核心配置-检测文件是否存在

    Nginx 核心配置-检测文件是否存在 作者:尹正杰 版权声明:原创作品,谢绝转载!否则将追究法律责任. try_files会按顺序检查文件是否存在,返回第一个找到的文件或文件夹(结尾加斜线表示为文件 ...

  4. 【JavaScript】JavaScript基本语法&知识点

    JavaScript: 是脚本语言:是一种解释性的语言(不需要编译) 作用: 让页面有具有动态效果 组成部分: ECMAScipt(核心),包含基本语法.变量.关键字.保留字.数据类型.语句.函数等 ...

  5. AXIOS 的请求

    AXIOS 本质上等同于json 传值 1.引用 //引入axios import Axios from 'axios' //将axios挂载到 Vue原型上 Vue.prototype.$https ...

  6. django -- ORM查询

    前戏 在我们之前操作ORM中,你也许是启动Django项目,通过地址访问固定的函数,或者在pycharm里的python console里执行,第一种比较麻烦,而且每次都要启动项目,写路由,第二种虽然 ...

  7. 论OIer的同构

    定义一个输入集,指这样一个集合:由任意存在于物理世界的OI题目以及做这个题的时间与身体状态等各种元素组成的n元组组成的集合 OIer被定义为一个二元组:<"结果集",&quo ...

  8. mysql(七)查询基本语法

    连接 外连接 如表-------------------------------------------------table1 | table2 |------------------------- ...

  9. Linux系统查看是32位还是64位

    uname -a 如果是64位机器,会输出x86_64

  10. c# winform richtextbox控制每行颜色 + 滚动条始终滚动到最底部

    /// <summary> /// 输出 /// </summary> /// <param name="content"></param ...