Kafka with Kerberos: an example

Some points to note when testing by following http://www.cnblogs.com/dongxiao-yang/p/7131626.html:
 

When setting up the Kafka broker, you also need to:

1. Create the configuration file krb5.conf (the IP below is the KDC)

[libdefaults]
    default_realm = LINKTIME.CLOUD

[realms]
    LINKTIME.CLOUD = {
        kdc = 192.168.206.119:8800
        admin_server = 192.168.206.109:7490
    }

2. Change PLAINTEXT to SASL_PLAINTEXT in server.properties

listeners=SASL_PLAINTEXT://__CONTAINER_IP__:9092
advertised.listeners=SASL_PLAINTEXT://__KAFKA_VIP_HOST__:9092


Command-line usage for kafka-console-producer, kafka-console-consumer, etc.

1. Create the configuration file krb5.conf (the IP below is the KDC) in /etc

[libdefaults]
    default_realm = LINKTIME.CLOUD

[realms]
    LINKTIME.CLOUD = {
        kdc = 192.168.206.119:8800
        admin_server = 192.168.206.109:7490
    }

2. Generate the keytab file

kadmin.local -q "addprinc -pw 123456 [email protected]" 
ktutil  \enter
addent -password -p [email protected] -k 1 -e aes256-cts-hmac-sha1-96    \enter
write_kt kafka-client.keytab

3. Run kinit with kafka-client.keytab

kinit [email protected] -l "1000d 0h 0m 0s" -k -t /root/kafka-client.keytab

4. Create kafka_client_jaas.conf

KafkaClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true;
};


// If ZooKeeper has Kerberos authentication enabled, the following section also needs to be added here
// ZooKeeper client authentication
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab="/root/kafka-client.keytab"
  principal="[email protected]";
};

5. Set the JVM parameters for the JAAS configuration and krb5.conf

export KAFKA_OPTS='-Djava.security.auth.login.config=/root/kafka_client_jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf'

6. Create client.properties

security.protocol=SASL_PLAINTEXT
sasl.kerberos.service.name=kafka
sasl.mechanism=GSSAPI

7. Run commands with client.properties

bin/kafka-consumer-groups.sh --bootstrap-server kafkahost1:9092 --list --command-config client.properties
bin/kafka-console-producer.sh --broker-list kafkahost1:9092 --topic dxTT --producer.config client.properties
bin/kafka-console-consumer.sh --bootstrap-server kafkahost1:9092 --topic dxTT --consumer.config client.properties
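
A preflight check for the client-side files created in steps 1 to 6, as an added example that is not part of the original post. The function names `prop` and `check_kafka_krb_client` are hypothetical, and the krb5.conf parsing assumes the spaced `key = value` layout shown above.

```shell
#!/bin/sh
# Added example: verify the Kerberos client files before running the Kafka CLI.
# Function names are hypothetical; all file paths are passed as arguments.

prop() {  # prop FILE KEY -> last value assigned to KEY in a .properties file
  awk -F= -v k="$2" '{ gsub(/[ \t\r]/, "") } $1 == k { v = $2 } END { print v }' "$1"
}

check_kafka_krb_client() {  # args: client.properties jaas.conf krb5.conf keytab
  props=$1 jaas=$2 krb5=$3 keytab=$4 fails=0
  fail() { echo "FAIL: $*" >&2; fails=$((fails + 1)); }

  # client.properties: all three SASL/GSSAPI settings from step 6 must be present.
  case "$(prop "$props" security.protocol)" in
    SASL_PLAINTEXT|SASL_SSL) ;;
    *) fail "security.protocol is not a SASL listener protocol" ;;
  esac
  [ "$(prop "$props" sasl.mechanism)" = GSSAPI ] || fail "sasl.mechanism is not GSSAPI"
  [ -n "$(prop "$props" sasl.kerberos.service.name)" ] ||
    fail "sasl.kerberos.service.name is unset"

  # JAAS: the Kafka client logs in through the KafkaClient section.
  grep -Eq '^[[:space:]]*KafkaClient[[:space:]]*\{' "$jaas" ||
    fail "no KafkaClient section in $jaas"
  grep -q 'Krb5LoginModule' "$jaas" || fail "Krb5LoginModule missing in $jaas"

  # krb5.conf: default_realm needs a stanza with a kdc entry under [realms].
  realm=$(awk '$1 == "default_realm" { print $3 }' "$krb5")
  awk -v r="$realm" '
    $1 == r && $3 == "{" { inside = 1 }
    inside && $1 == "kdc" { ok = 1 }
    $1 == "}" { inside = 0 }
    END { exit !ok }' "$krb5" || fail "no kdc configured for realm '$realm'"

  # The keytab holds the principal's long-term key: owner-only access.
  if [ ! -r "$keytab" ]; then
    fail "keytab $keytab is missing or unreadable"
  elif [ "$(ls -ld "$keytab" | cut -c5-10)" != "------" ]; then
    fail "keytab $keytab is accessible to group/other (chmod 600)"
  fi
  return "$fails"  # number of failed checks, 0 when everything passes
}

# Run against real files when four paths are given on the command line.
if [ "$#" -eq 4 ]; then check_kafka_krb_client "$@"; fi
```

The return status is the number of failed checks, so the script can gate the `bin/kafka-*.sh` commands from step 7.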

More references:

http://kafka.apache.org/documentation/#security_jaas_broker
https://docs.confluent.io/3.2.1/kafka/sasl.html#authentication-using-sasl-kerberos
http://www.cnblogs.com/xiaodf/p/5968086.html
http://www.cnblogs.com/dongxiao-yang/p/7131626.html

Reposted from my.oschina.net/u/2371517/blog/1632708