kafka Enabling Kerberos Authentication
CDK 2.0 and higher Powered By Apache Kafka supports Kerberos authentication, but it is supported only for the new Kafka Producer and Consumer APIs. If you already have a Kerberos server, you can add Kafka to your current configuration. If you do not have a Kerberos server, install it before proceeding. See Enabling Kerberos Authentication Using the Wizard.
If you have already configured the mapping from Kerberos principals to short names using the hadoop.security.auth_to_local HDFS configuration property, configure the same rules for Kafka by adding the sasl.kerberos.principal.to.local.rules property to the Kafka Broker Advanced Configuration Snippet using Cloudera Manager. Specify the rules as a comma-separated list.
To enable Kerberos authentication for Kafka:
- From Cloudera Manager, navigate to Kafka > Configurations. Set SSL client authentication to none. Set Inter Broker Protocol to SASL_PLAINTEXT.
- Click Save Changes.
- Restart the Kafka service.
- Make sure that listeners = SASL_PLAINTEXT is present in the Kafka broker log, /var/log/kafka/server.log.
- Create a jaas.conf file with the following contents to use with cached Kerberos credentials. You can modify this to use keytab files instead of cached credentials; to generate keytabs, see Step 6: Get or Create a Kerberos Principal for Each User Account.
If you use kinit first, use this configuration:
KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=true;
};
If you use a keytab, use this configuration:
KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/keytabs/kafka_server.keytab"
  principal="kafka/kafka1.hostname.com@EXAMPLE.COM";
};
- Create the client.properties file containing the following properties.
security.protocol=SASL_PLAINTEXT
sasl.kerberos.service.name=kafka
- Test with the Kafka console producer and consumer. To obtain a Kerberos ticket-granting ticket (TGT):
$ kinit <user>
- Verify that your topic exists. (This does not use security features, but it is a best practice.)
$ kafka-topics --list --zookeeper <zkhost>:2181
- Verify that the jaas.conf file is used by setting the environment.
$ export KAFKA_OPTS="-Djava.security.auth.login.config=/home/user/jaas.conf"
- Run a Kafka console producer.
$ kafka-console-producer --broker-list <anybroker>:9092 --topic test1 \
  --producer.config client.properties
- Run a Kafka console consumer.
$ kafka-console-consumer --new-consumer --topic test1 --from-beginning \
  --bootstrap-server <anybroker>:9092 --consumer.config client.properties
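A pre-flight check for the two client files created in the steps above, written as an added example and not part of the original procedure or of any Cloudera tooling. The function names check_client_props and check_jaas are hypothetical; the script assumes key=value lines without spaces around "=" and a keytab path in double quotes, as in the samples above.

```shell
#!/bin/sh
# Pre-flight checks for client.properties and jaas.conf (added example;
# function names are hypothetical, not part of Kafka or Cloudera Manager).
check_client_props() {
    props=$1
    [ -r "$props" ] || { echo "cannot read $props" >&2; return 2; }
    grep -Eq '^security\.protocol=SASL_(PLAINTEXT|SSL)[[:space:]]*$' "$props" \
        || { echo "security.protocol is not a SASL protocol" >&2; return 1; }
    grep -Eq '^sasl\.kerberos\.service\.name=[^[:space:]]+' "$props" \
        || { echo "sasl.kerberos.service.name is missing" >&2; return 1; }
}

# Succeeds only if a KafkaClient section uses Krb5LoginModule with either
# the ticket cache or a keytab that exists and is private to its owner.
check_jaas() {
    jaas=$1
    [ -r "$jaas" ] || { echo "cannot read $jaas" >&2; return 2; }
    grep -q '^[[:space:]]*KafkaClient[[:space:]]*{' "$jaas" \
        || { echo "no KafkaClient section" >&2; return 1; }
    grep -q 'com\.sun\.security\.auth\.module\.Krb5LoginModule' "$jaas" \
        || { echo "Krb5LoginModule is not configured" >&2; return 1; }
    if grep -q 'useKeyTab=true' "$jaas"; then
        keytab=$(sed -n 's/.*keyTab="\([^"]*\)".*/\1/p' "$jaas" | head -n 1)
        [ -n "$keytab" ] && [ -f "$keytab" ] \
            || { echo "keytab not found: $keytab" >&2; return 1; }
        # A keytab is a long-lived secret: reject any group/other permission.
        perms=$(ls -ld "$keytab" | cut -c5-10)
        [ "$perms" = "------" ] \
            || { echo "keytab $keytab is accessible beyond its owner" >&2; return 1; }
        grep -q 'principal="[^"]*"' "$jaas" \
            || { echo "principal is missing" >&2; return 1; }
    else
        grep -q 'useTicketCache=true' "$jaas" \
            || { echo "neither keytab nor ticket cache is enabled" >&2; return 1; }
    fi
}

# Usage: sh preflight.sh client.properties jaas.conf
if [ "$#" -eq 2 ]; then check_client_props "$1" && check_jaas "$2"; fi
```

Run it before the console producer and consumer steps; a non-zero exit status identifies which file needs correcting.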