Step by Step Recipe for Securing Kafka with Kerberos
Short Description:
Step by Step Recipe for Securing Kafka with Kerberos.
Article
I found it is a little tricky to get started with a Kerberos enabled Kafka cluster. I created this step by step recipe for securing Kafka with Kerberos, sending and receiving data on console. This is tested on HDP2.5.0 and Ambari 2.4.1.
- Enabled Kerberos using the Ambari Kerberos setup wizard under Admin -- Kerberos menu.
- On Ambari Kafka Config UI, change "listeners" property to "PLAINTEXTSASL://localhost:6667".
- Restart Kafka as requested by Ambari.
- Create a test topic in Kafka. Must use the kafka service user to do this.
$ cd /usr/hdp/current/kafka-broker/bin
$ sudo su kafka
$ kinit -k -t /etc/security/keytabs/kafka.service.keytab kafka/ip----.ap-northeast-.compute.internal $ ./kafka-topics.sh --zookeeper ip----.ap-northeast-.compute.internal: --create --topic foo --partitions --replication-factor Created topic "bar".
- Grant permission to user. This can be done using Kafka native ACL mechanism or Apache Ranger. In the example, we use Kafka ACL. User bob needs to be existing in KDC.
# Grant user bob as producer on topic foo
./kafka-acls.sh --authorizer-properties zookeeper.connect=ip----.ap-northeast-.compute.internal: \
--add --allow-principal User:bob \
--producer --topic foo Adding ACLs for resource `Topic:foo`:
User:bob has Allow permission for operations: Describe from hosts: *
User:bob has Allow permission for operations: Write from hosts: * Adding ACLs for resource `Cluster:kafka-cluster`:
User:bob has Allow permission for operations: Create from hosts: * Current ACLs for resource `Topic:foo`:
User:bob has Allow permission for operations: Describe from hosts: *
User:bob has Allow permission for operations: Write from hosts: * # Grant user bob as consumer
./kafka-acls.sh --authorizer-properties zookeeper.connect=ip----.ap-northeast-.compute.internal: \
--add --allow-principal User:bob \
--consumer --topic foo --group * #--group后等跟等号,如--group=*。按照上面写法,只是赋给名称为connect-distributed.sh的groupid。因为kafka/bin下面第一个脚本是connect-distributed.shAdding ACLs for resource `Topic:foo`:
User:bob has Allow permission for operations: Read from hosts: *
User:bob has Allow permission for operations: Describe from hosts: * Adding ACLs for resource `Group:connect-distributed.sh`:
User:bob has Allow permission for operations: Read from hosts: * Current ACLs for resource `Topic:foo`:
User:bob has Allow permission for operations: Read from hosts: *
User:bob has Allow permission for operations: Describe from hosts: *
User:bob has Allow permission for operations: Write from hosts: * Current ACLs for resource `Group:connect-distributed.sh`:
User:bob has Allow permission for operations: Read from hosts: *
- Confirm the above works using the kafka console producer and consumer scripts.
# Switch to bob user and log in to KDC.
$ kinit bob # Start console producer
$ ./kafka-console-producer.sh --broker-list ip----.ap-northeast-.compute.internal: --topic foo --security-protocol PLAINTEXTSASL # On another terminal, start console consumer
./kafka-console-consumer.sh --zookeeper ip----.ap-northeast-.compute.internal: --topic foo --security-protocol PLAINTEXTSASL {metadata.broker.list=ip----.ap-northeast-.compute.internal:, request.timeout.ms=, client.id=console-consumer-, security.protocol=PLAINTEXTSASL} # Type something on the producer terminal, it should appears on the console terminal immediately.
Step by Step Recipe for Securing Kafka with Kerberos的更多相关文章
- Problem of Creating Topics in Kafka with Kerberos
Hi, After enabled Kerberos using Ambari, I got problem creating topics in Kafka using the kafka-topi ...
- Step by step Dynamics CRM 2011升级到Dynamics CRM 2013
原创地址:http://www.cnblogs.com/jfzhu/p/4018153.html 转载请注明出处 (一)检查Customizations 从2011升级到2013有一些legacy f ...
- Step by Step 创建一个新的Dynamics CRM Organization
原创地址:http://www.cnblogs.com/jfzhu/p/4012833.html 转载请注明出处 前面演示过如何安装Dynamics CRM 2013,参见<Step by st ...
- Step by step Install a Local Report Server and Remote Report Server Database
原创地址:http://www.cnblogs.com/jfzhu/p/4012097.html 转载请注明出处 前面的文章<Step by step SQL Server 2012的安装 &g ...
- Step by step Dynamics CRM 2013安装
原创地址:http://www.cnblogs.com/jfzhu/p/4008391.html 转载请注明出处 SQL Server可以与CRM装在同一台计算机上,也可安装在不同的计算机上.演示 ...
- Step by step 活动目录中添加一个子域
原创地址:http://www.cnblogs.com/jfzhu/p/4006545.html 转载请注明出处 前面介绍过如何创建一个域,下面再介绍一下如何在该父域中添加一个子域. 活动目录中的森林 ...
- SQL Server 维护计划实现数据库备份(Step by Step)(转)
SQL Server 维护计划实现数据库备份(Step by Step) 一.前言 SQL Server 备份和还原全攻略,里面包括了通过SSMS操作还原各种备份文件的图形指导,SQL Server ...
- 转:eclipse以及step into step over step return的区别
首先来讲一下step into step over step return的区别: step into就是单步执行,遇到子函数就进入并且继续单步执行:(F5) step over是在单步执行时,在函数 ...
- [转]Bootstrap 3.0.0 with ASP.NET Web Forms – Step by Step – Without NuGet Package
本文转自:http://www.mytecbits.com/microsoft/dot-net/bootstrap-3-0-0-with-asp-net-web-forms In my earlier ...
随机推荐
- ipv6地址配置实验(GNS3/ENSP)
实验拓扑: IPV6地址配置如图所示, 配置ipv6指令(以R2为例,R1类似): int e1/2 R2(config-if)#ipv6 address 2001:db08:acad:1::2/64 ...
- LOJ #6050. 「雅礼集训 2017 Day11」TRI
完全不会的数学神题,正解留着以后填坑 将一个口胡的部分分做法,我们考虑计算格点多边形(包括三角形)面积的皮克公式: \[S=a+\frac{1}{2}b-1\text({a为图形内部节点个数,b为边界 ...
- PuppeteerSharp: 更友好的 Headless Chrome C# API
前端就有了对 headless 浏览器的需求,最多的应用场景有两个 UI 自动化测试:摆脱手工浏览点击页面确认功能模式 爬虫:解决页面内容异步加载等问题 也就有了很多杰出的实现,前端经常使用的莫过于 ...
- PHP全栈学习笔记17
phpmyadmin教程 管理页进入phpmyadmin 打开C:\wamp\apps\phpmyadmin3.5.1下的配置文件:config.inc 修改密码 创建与修改数据库.数据表 字段类型 ...
- 使用 Vue 开发 scrollbar 滚动条组件
Vue 应该说是很火的一款前端库了,和 React 一样的高热度,今天就来用它写一个轻量的滚动条组件: 知识储备:要开发滚动条组件,需要知道知识点是如何计算滚动条的大小和位置,还有一个问题是如何监听容 ...
- win10下 anaconda 环境下python2和python3版本转换
在cmd的环境下,输入以下命令安装Python2.7的环境 conda create -n python27 python=2.7 anaconda 上面的代码创建了一个名为python27的pyth ...
- kubernetes中的Pause容器如何理解?
前几篇文章都是讲的Kubernetes集群和相关组件的部署,但是部署只是入门的第一步,得理解其中的一些知识才行.今天给大家分享下Kubernets的pause容器的作用. Pause容器 全称infr ...
- 【视频】Entity Framework Core 2.* 入门教程
视频专辑在B站上:https://www.bilibili.com/video/av34462368/ 内容暂时如下,还在更新中: 1. 简介 & 创建Model,生成数据库 2. 在ASP. ...
- TabBottomFragmentLayout【自定义底部选项卡区域(搭配Fragment)】
版权声明:本文为HaiyuKing原创文章,转载请注明出处! 前言 自定义底部选项卡布局LinearLayout类,然后配合Fragment,实现切换Fragment功能. 缺点: 1.底部选项卡区域 ...
- Spring Boot 2.x 系列教程:WebFlux REST API 全局异常处理 Error Handling
摘要: 原创出处 https://www.bysocket.com 「公众号:泥瓦匠BYSocket 」欢迎关注和转载,保留摘要,谢谢! 本文内容 为什么要全局异常处理? WebFlux REST 全 ...