a guest
Jul 15th, 2019
### Kafka cluster security authentication configuration
This article describes how to set up the SASL/PLAIN authentication mechanism and access control on Kafka 0.10.0.

#### Kafka security mechanisms
Kafka's security mechanisms fall into two parts:
- Authentication: verifying the identity of a connecting client
- Authorization: controlling which operations an authenticated principal may perform on a resource (a topic, a consumer group or the cluster)

#### Kafka authentication
Kafka 0.10.0 supports three authentication mechanisms: SSL (client certificates), SASL/GSSAPI (Kerberos) and SASL/PLAIN.
Only SASL/PLAIN, the easiest of the three to set up, is covered here. Note that SASL/PLAIN sends the username and password in cleartext, so on any network you do not fully trust it must run on top of TLS (a SASL_SSL listener) rather than on a SASL_PLAINTEXT listener.

#### SASL/PLAIN authentication
##### Broker configuration
Add the following to config/server.properties under the Kafka installation directory:
```bash
# SASL on a plaintext TCP listener; use SASL_SSL://hostname:port to wrap it in TLS
listeners=SASL_PLAINTEXT://hostname:port
# brokers authenticate to each other with the same mechanism
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
# turn on ACL enforcement; principals in super.users bypass every ACL check
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:admin
```
You also need a JAAS configuration file named *==kafka_server_jaas.conf==*; place it in the **conf** directory.
```
KafkaServer {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    // credentials this broker presents when it connects to other brokers
    username="admin"
    password="admin-secret"
    // accounts the broker accepts, one user_<name>="<password>" per user;
    // the broker's own username above must be listed here with the same password
    user_admin="admin-secret"
    user_alice="alice-secret";
};
```
This defines two users, **admin** and **alice**, with the passwords **admin-secret** and **alice-secret** respectively. The `username`/`password` pair is the identity the broker itself uses for inter-broker connections, and the `user_<name>` entries are the accounts it will accept, so `user_admin` must carry the same password as `password`. The passwords sit in cleartext in this file, so restrict its permissions to the account the broker runs as.
Finally, export an environment variable before starting the Kafka broker:
```bash
export KAFKA_OPTS='-Djava.security.auth.login.config=conf/kafka_server_jaas.conf'
```
The kafka-run-class.sh script passes this variable through to the broker's JVM (a relative path is resolved against the directory you start the broker from).
Then run the broker start script as usual.

##### Client configuration
First create a ==*kafka_client_jaas.conf*== file on the client:
```
KafkaClient {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    // must match the broker's user_alice entry exactly
    username="alice"
    password="alice-secret";
};
```
Then add the following two settings to the client's configuration (producer.properties / consumer.properties, or the Properties object of your own client):
```bash
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
```
Finally, pass kafka_client_jaas.conf to the client JVM:
```bash
-Djava.security.auth.login.config=kafka_client_jaas.conf
```
For the console tools (kafka-console-producer.sh, kafka-console-consumer.sh) this is done the same way as for the broker, through KAFKA_OPTS.
The client can now run. If the username or password is wrong, the client simply fails to work in 0.10.0 without any error message (later releases report the SASL authentication failure to the client), so a silently hanging client is the first symptom to check for a credential mismatch.

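As an added example (not from the original article and not Kafka's own code), the following Python script models what the broker and client configured in the two sections above actually exchange: the client's SASL/PLAIN response in the `[authzid] NUL username NUL password` form of RFC 4616, and the broker's check of it against the `user_<name>` entries of `kafka_server_jaas.conf`. It also includes a pre-flight check that reads both JAAS files and reports whether the broker's own credentials and the client's credentials would be accepted, which catches the silent-failure case described above before the client is started. The two JAAS texts are constructed copies; the client one deliberately carries the wrong password `alice` so that the check has something to find. The function names and the minimal JAAS parsing are this example's own, not a Kafka API.

```python
import hmac
import re

# Constructed sample: the broker-side JAAS file shown above.
SERVER_JAAS = """
KafkaServer {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  username="admin"
  password="admin-secret"
  user_admin="admin-secret"
  user_alice="alice-secret";
};
"""

# Constructed sample: a client JAAS file whose password does not match the
# broker's user_alice entry (a typo of exactly this kind is easy to make).
CLIENT_JAAS = """
KafkaClient {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  username="alice"
  password="alice";
};
"""


def _section_body(jaas_text, section):
    """Text between `<section> {` and `};` of a JAAS file (hypothetical minimal parser)."""
    m = re.search(re.escape(section) + r"\s*\{(.*?)\}\s*;", jaas_text, re.S)
    if m is None:
        raise ValueError("JAAS section %s not found" % section)
    return m.group(1)


def _option(body, name):
    """Value of a quoted option such as username="..." inside a section body."""
    m = re.search(r"(?<!\w)" + name + r'\s*=\s*"([^"]*)"', body)
    return m.group(1) if m else None


def plain_users(server_jaas):
    """{user: password} from the user_<name>="..." options of the KafkaServer section."""
    body = _section_body(server_jaas, "KafkaServer")
    return dict(re.findall(r'(?<!\w)user_(\w+)\s*=\s*"([^"]*)"', body))


def login_credentials(jaas_text, section):
    """(username, password) a JVM presents when it logs in through PlainLoginModule."""
    body = _section_body(jaas_text, section)
    return _option(body, "username"), _option(body, "password")


def plain_client_response(username, password, authzid=""):
    """Client side: the single SASL/PLAIN message, [authzid] NUL authcid NUL passwd.

    Nothing is hashed or encrypted: this byte string is exactly what crosses the
    wire on a SASL_PLAINTEXT listener, which is why TLS is needed on untrusted networks."""
    for field in (authzid, username, password):
        if "\0" in field:
            raise ValueError("NUL is not allowed inside a SASL/PLAIN field")
    return "\0".join((authzid, username, password)).encode("utf-8")


def plain_server_check(response, users):
    """Broker side: split the response on NUL and compare with the user_<name> map.

    Returns (authenticated_user, reason). Applies the same rules as Kafka's PLAIN
    server: exactly three fields, non-empty username and password, and an
    authorization id that is either empty or equal to the username."""
    parts = response.decode("utf-8").split("\0")
    if len(parts) != 3:
        return None, "malformed response"
    authzid, authcid, passwd = parts
    if not authcid or not passwd:
        return None, "empty username or password"
    expected = users.get(authcid, "")
    # constant-time comparison so timing does not reveal how much of the password matched
    if not hmac.compare_digest(expected.encode("utf-8"), passwd.encode("utf-8")):
        return None, "authentication failed"
    if authzid and authzid != authcid:
        return None, "authorization id differs from username"
    return authcid, "ok"


def check_jaas_pair(server_jaas, client_jaas):
    """Pre-flight check: would the broker itself and this client be accepted?"""
    users = plain_users(server_jaas)
    results = {}
    for label, section, text in (("broker", "KafkaServer", server_jaas),
                                 ("client", "KafkaClient", client_jaas)):
        user, password = login_credentials(text, section)
        results[label] = plain_server_check(plain_client_response(user, password), users)[1]
    return results


if __name__ == "__main__":
    print("on the wire:", plain_client_response("alice", "alice-secret"))
    print(check_jaas_pair(SERVER_JAAS, CLIENT_JAAS))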
#### Kafka authorization configuration
Operations that can be granted or denied:

| Operation | Meaning |
|-----|------|
| READ | read from the topic |
| WRITE | write to the topic |
| DELETE | delete the topic |
| CREATE | create topics |
| ALTER | alter the topic |
| DESCRIBE | fetch topic metadata |

Note that an Allow ACL for READ or WRITE implicitly grants DESCRIBE on the same topic; the reverse does not hold for Deny.

Kafka ships a command-line tool for adding, removing and listing ACLs, located at ==bin/kafka-acls.sh== under the Kafka directory. Its options are:

| Option | Description | Default | Option type |
|-------|------------|----------|-----------|
| --add | Indicates to the script that the user is trying to add an ACL. | | Action |
| --remove | Indicates to the script that the user is trying to remove an ACL. | | Action |
| --list | Indicates to the script that the user is trying to list ACLs. | | Action |
| --authorizer | Fully qualified class name of the authorizer. | kafka.security.auth.SimpleAclAuthorizer | Configuration |
| --authorizer-properties | key=val pairs passed to the authorizer for initialization. For the default authorizer the example values are: zookeeper.connect=localhost:2181 | | Configuration |
| --cluster | Specifies the cluster as the resource. | | Resource |
| --topic [topic-name] | Specifies the topic as the resource. | | Resource |
| --group [group-name] | Specifies the consumer group as the resource. | | Resource |
| --allow-principal | Principal in PrincipalType:name format that will be added to the ACL with Allow permission. You can specify multiple --allow-principal in a single command. | | Principal |
| --deny-principal | Principal in PrincipalType:name format that will be added to the ACL with Deny permission. You can specify multiple --deny-principal in a single command. | | Principal |
| --allow-host | IP address from which the principals listed in --allow-principal will have access. If --allow-principal is specified, defaults to *, which means "all hosts". | | Host |
| --deny-host | IP address from which the principals listed in --deny-principal will be denied access. If --deny-principal is specified, defaults to *, which means "all hosts". | | Host |
| --operation | Operation that will be allowed or denied. Valid values are: Read, Write, Create, Delete, Alter, Describe, ClusterAction, All | All | Operation |
| --producer | Convenience option to add/remove ACLs for the producer role. Generates ACLs that allow WRITE and DESCRIBE on the topic and CREATE on the cluster. | | Convenience |
| --consumer | Convenience option to add/remove ACLs for the consumer role. Generates ACLs that allow READ and DESCRIBE on the topic and READ on the consumer group. | | Convenience |

Examples:
add
```bash
# grant alice Read and Write on the topic "test"
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:alice --operation Read --operation Write --topic test
```
list
```bash
# list every ACL on the topic "test"
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --list --topic test
```
remove
```bash
# revoke alice's Read and Write on the topic "test"; principal names are case-sensitive,
# so User:Alice would not match the ACL added above (add --force to skip the confirmation prompt)
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --remove --allow-principal User:alice --operation Read --operation Write --topic test
```
producer and consumer
```bash
# producer: Write and Describe on the topic, Create on the cluster
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:alice --producer --topic test
# consumer: Read and Describe on the topic, Read on the consumer group
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:alice --consumer --topic test --group test-group
```
SimpleAclAuthorizer stores these ACLs in ZooKeeper (the zookeeper.connect passed above), so anyone with write access to ZooKeeper can grant themselves any permission; the ZooKeeper ensemble must be protected at least as well as the brokers.
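To reason about what the commands above actually grant, here is an added Python model of the decision rules `kafka.security.auth.SimpleAclAuthorizer` applies in 0.10; it is example code written for this page, not Kafka's own implementation, and the class and function names are this example's. The rules modelled: super users bypass every check; a resource with no ACLs at all is denied unless `allow.everyone.if.no.acl.found=true`; any matching Deny wins over any Allow; host `*` and operation `All` match everything; the principal `User:*` matches every user; and an Allow for Read or Write implies Describe. `producer_acls` and `consumer_acls` reproduce the bindings the `--producer` and `--consumer` convenience options generate. `page_scenario` replays this page's `kafka-acls.sh` commands plus one Deny; the client addresses and the user bob are constructed.

```python
from collections import namedtuple

# One ACL binding as SimpleAclAuthorizer stores it in ZooKeeper. resource is a
# (type, name) pair: ("Topic", "test"), ("Group", "test-group") or CLUSTER.
Acl = namedtuple("Acl", "resource principal permission host operation")

CLUSTER = ("Cluster", "kafka-cluster")
WILDCARD_PRINCIPAL = "User:*"
OPERATIONS = {"Read", "Write", "Create", "Delete", "Alter", "Describe", "ClusterAction", "All"}


def acl(resource, principal, operation, permission="Allow", host="*"):
    """Build one binding; the defaults mirror kafka-acls.sh (Allow, all hosts)."""
    if operation not in OPERATIONS:
        raise ValueError("unknown operation %r" % operation)
    if permission not in ("Allow", "Deny"):
        raise ValueError("permission must be Allow or Deny")
    return Acl(resource, principal, permission, host, operation)


def producer_acls(principal, topic):
    """Bindings `kafka-acls.sh --add --producer --topic T` creates."""
    t = ("Topic", topic)
    return [acl(t, principal, "Write"), acl(t, principal, "Describe"), acl(CLUSTER, principal, "Create")]


def consumer_acls(principal, topic, group):
    """Bindings `kafka-acls.sh --add --consumer --topic T --group G` creates."""
    t = ("Topic", topic)
    return [acl(t, principal, "Read"), acl(t, principal, "Describe"), acl(("Group", group), principal, "Read")]


class AclAuthorizerModel:
    """Decision logic of SimpleAclAuthorizer (Kafka 0.10), modelled for offline reasoning."""

    def __init__(self, acls=(), super_users=(), allow_everyone_if_no_acl_found=False):
        self.acls = list(acls)                      # order does not affect the decision
        self.super_users = set(super_users)         # server.properties super.users
        self.allow_everyone = allow_everyone_if_no_acl_found

    def add(self, bindings):
        self.acls.extend(b for b in bindings if b not in self.acls)

    def remove(self, bindings):
        self.acls = [a for a in self.acls if a not in bindings]

    @staticmethod
    def _matches(a, principal, host, operation, permission):
        return (a.permission == permission
                and a.principal in (principal, WILDCARD_PRINCIPAL)
                and a.host in ("*", host)
                and a.operation in ("All", operation))

    def authorize(self, principal, host, operation, resource):
        if principal in self.super_users:
            return True
        acls = [a for a in self.acls if a.resource == resource]
        if not acls:                                # nothing configured for this resource
            return self.allow_everyone
        if any(self._matches(a, principal, host, operation, "Deny") for a in acls):
            return False                            # Deny always wins
        # an Allow for Read or Write implies Describe; Deny is not widened this way
        ops = {operation, "Read", "Write"} if operation == "Describe" else {operation}
        return any(self._matches(a, principal, host, op, "Allow") for a in acls for op in ops)


def page_scenario():
    """Replays this page's kafka-acls.sh commands and records the resulting decisions."""
    az = AclAuthorizerModel(super_users={"User:admin"})    # super.users=User:admin
    test, group = ("Topic", "test"), ("Group", "test-group")
    host = "10.0.0.7"                                       # constructed client address

    # --add --allow-principal User:alice --operation Read --operation Write --topic test
    az.add([acl(test, "User:alice", "Read"), acl(test, "User:alice", "Write")])
    out = {
        "alice writes test": az.authorize("User:alice", host, "Write", test),
        "alice describes test (implied by Read/Write)": az.authorize("User:alice", host, "Describe", test),
        "alice deletes test": az.authorize("User:alice", host, "Delete", test),
        "alice reads group before --consumer": az.authorize("User:alice", host, "Read", group),
        "bob reads test": az.authorize("User:bob", host, "Read", test),
        "admin deletes test (super user)": az.authorize("User:admin", host, "Delete", test),
    }
    # --add --allow-principal User:alice --consumer --topic test --group test-group
    az.add(consumer_acls("User:alice", "test", "test-group"))
    out["alice reads group after --consumer"] = az.authorize("User:alice", host, "Read", group)
    # --add --deny-principal User:alice --deny-host 10.0.0.5 --operation Write --topic test
    az.add([acl(test, "User:alice", "Write", permission="Deny", host="10.0.0.5")])
    out["alice writes test from 10.0.0.5"] = az.authorize("User:alice", "10.0.0.5", "Write", test)
    out["alice writes test from elsewhere"] = az.authorize("User:alice", host, "Write", test)
    return out


if __name__ == "__main__":
    for question, answer in page_scenario().items():
        print("%-45s %s" % (question, "allowed" if answer else "denied"))
```

The two results worth noticing are that alice can Describe the topic without any Describe ACL (implied by her Read/Write grants) and that bob is denied even though no ACL mentions him, because the topic has ACLs and the default is deny; a topic with no ACLs at all would be open to everyone only if `allow.everyone.if.no.acl.found=true` were set in server.properties.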