Kafka SSL configuration

Notes on Kafka SSL configuration

All of the configuration mainly follows the official documentation. For some of the openssl operations, see this article: https://blog.csdn.net/bbwangj/article/details/82503675. In practice you do not need to remember that much.

Steps

Download kafka_2.12-2.3.0 and unpack it

macBook:kafka_2.12-2.3.0 nobleyd$ pwd
/Applications/softwares/kafka_2.12-2.3.0
macBook:kafka_2.12-2.3.0 nobleyd$ ls
LICENSE         NOTICE          bin             config          libs            site-docs
macBook:kafka_2.12-2.3.0 nobleyd$

Create the directories

macBook:kafka_2.12-2.3.0 nobleyd$ mkdir ssl
macBook:kafka_2.12-2.3.0 nobleyd$ cd ssl/
macBook:ssl nobleyd$ ls
macBook:ssl nobleyd$ mkdir ca
macBook:ssl nobleyd$ mkdir client
macBook:ssl nobleyd$ mkdir server
macBook:ssl nobleyd$ ls
ca      client  server
macBook:ssl nobleyd$ 

Create the CA key and certificate

  • Generate the CA private key (key)
macBook:ssl nobleyd$ pwd
/Applications/softwares/kafka_2.12-2.3.0/ssl
macBook:ssl nobleyd$
macBook:ssl nobleyd$ openssl genrsa -out ca/ca.key 2048
Generating RSA private key, 2048 bit long modulus
.......................+++
.......................+++
e is 65537 (0x10001)
macBook:ssl nobleyd$
macBook:ssl nobleyd$ cat ca/ca.key
-----BEGIN RSA PRIVATE KEY-----
(key material omitted)
-----END RSA PRIVATE KEY-----
macBook:ssl nobleyd$
  • Generate the certificate signing request (CSR)
macBook:ssl nobleyd$ pwd
/Applications/softwares/kafka_2.12-2.3.0/ssl
macBook:ssl nobleyd$ openssl req -new -key ca/ca.key -out ca/ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:shanghai
Locality Name (eg, city) []:shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
macBook:ssl nobleyd$ cat ca/ca.csr
-----BEGIN CERTIFICATE REQUEST-----
(request body omitted)
-----END CERTIFICATE REQUEST-----
macBook:ssl nobleyd$ 
  • Self-sign
macBook:ssl nobleyd$ pwd
/Applications/softwares/kafka_2.12-2.3.0/ssl
macBook:ssl nobleyd$
macBook:ssl nobleyd$ openssl x509 -req -in ca/ca.csr -signkey ca/ca.key -out ca/ca.pem
Signature ok
subject=/C=cn/ST=shanghai/L=shanghai/O=Internet Widgits Pty Ltd
Getting Private key
macBook:ssl nobleyd$
macBook:ssl nobleyd$ cat ca/ca.pem
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
macBook:ssl nobleyd$
macBook:ssl nobleyd$ echo "00" > ca/ca.srl
  • The two steps above can apparently also be combined into: openssl req -new -x509 -key ca/ca.key -out ca.pem (not going to worry about the difference for now)
  • At this point ca/ca.key and ca/ca.pem have both been generated.
macBook:ssl nobleyd$ openssl pkcs12 -export -clcerts -in ca/ca.pem -inkey ca/ca.key -out ca/ca.p12
Enter Export Password: capswd
Verifying - Enter Export Password: capswd
macBook:ssl nobleyd$ 

Create the server key and certificate (similar)

Create the client key and certificate (similar)

Summary  | Note: read the scripts below carefully; they are not quite the same as the steps above. Part of the directory structure and some parameter options were changed when writing this summary. The steps above contain no errors, they are just not optimal.

Everything that repeats the steps above is omitted; what follows is a summary script. Note that some parts differ from the steps above, mainly the use of X.509 v3 (i.e. -extfile ./conf/openssl.cnf -extensions v3_req must be specified); any openssl.cnf will do, the default one that ships with an openssl installation is fine. Secondly, the values that had to be entered when generating the CSR are now given as parameters, so no interactive input is needed. The scripts follow.

Hosts change (a client authenticating the server usually performs hostname validation, so for testing the hosts file has to be changed to get the effect)

  • This step is also required: when actually connecting later, the hostname must match for access to Kafka to succeed.
  • Add the following entry to the hosts file:
    127.0.0.1 kafka.local

CA script

# init
rm -rf ca && mkdir -p ca
echo '00' > ca/ca.srl

# 1 Generate the private key
openssl genrsa -out ca/ca.key 2048

# 2 Generate the certificate signing request
openssl req -new -key ca/ca.key -subj /C=CN/ST=ShangHai/L=ShangHai/O=DefaultOrg/OU=DefaultDept/CN=CaName -out ca/ca.csr

# 3 Generate the self-signed CA certificate (.pem .der)
openssl x509 -extfile ./conf/openssl.cnf -extensions v3_req -signkey ca/ca.key -days 36500 -req -in ca/ca.csr -out ca/ca.pem
openssl x509 -in ca/ca.pem -inform PEM -outform DER -out ca/ca.der

# 4 Import into keystores (.p12 .jks)
openssl pkcs12 -export -in ca/ca.pem -inkey ca/ca.key -name ca -out ca/ca.keystore.p12 -passout pass:pkcs12_ks_pswd
keytool -importkeystore \
        -srcstoretype pkcs12 \
        -srckeystore ca/ca.keystore.p12 \
        -srcstorepass pkcs12_ks_pswd \
        -deststoretype jks \
        -destkeystore ca/ca.keystore.jks \
        -deststorepass jks_ks_pswd \
        -srcalias ca \
        -destalias ca \
        -srckeypass pkcs12_ks_pswd \
        -destkeypass jks_k_pswd

# 5 Inspect the certificate files
openssl x509 -in ca/ca.pem -text -noout
openssl x509 -in ca/ca.der -inform der -text -noout

Server script (by default ServerName is used as the CN of the server certificate; together with the SSL configuration below, ServerName is also made a super user so that the SSL connections between brokers work)

# init
rm -rf server && mkdir -p server

# 1 Generate the private key
openssl genrsa -out server/server.key 2048

# 2 Generate the certificate signing request
openssl req -new -key server/server.key -subj /C=CN/ST=ShangHai/L=ShangHai/O=DefaultOrg/OU=DefaultDept/CN=ServerName -out server/server.csr

# 3 Generate the CA-signed certificate (.pem .der)
openssl x509 -extfile ./conf/openssl.cnf -extensions v3_req -CA ca/ca.pem -CAkey ca/ca.key -days 36500 -req -in server/server.csr -out server/server.pem
openssl x509 -in server/server.pem -inform PEM -outform DER -out server/server.der

# 4 Import into keystores (.p12 .jks)
openssl pkcs12 -export -in server/server.pem -inkey server/server.key -name server -out server/server.keystore.p12 -passout pass:pkcs12_ks_pswd
keytool -importkeystore \
        -srcstoretype pkcs12 \
        -srckeystore server/server.keystore.p12 \
        -srcstorepass pkcs12_ks_pswd \
        -deststoretype jks \
        -destkeystore server/server.keystore.jks \
        -deststorepass jks_ks_pswd \
        -srcalias server \
        -destalias server \
        -srckeypass pkcs12_ks_pswd \
        -destkeypass jks_k_pswd

# 5 Inspect the certificate files
openssl x509 -in server/server.pem -text -noout
openssl x509 -in server/server.der -inform der -text -noout

# 6 Server truststore: trust the CA
keytool -import -noprompt -file ca/ca.pem -keystore server/server.truststore.jks -storepass jks_ts_pswd -alias ca
keytool -importkeystore \
        -srcstoretype jks \
        -srckeystore server/server.truststore.jks \
        -srcstorepass jks_ts_pswd \
        -deststoretype pkcs12 \
        -destkeystore server/server.truststore.p12 \
        -deststorepass pkcs12_ts_pswd

Client script (UserName can be replaced throughout by another name; it becomes the CN field of the certificate)

# init
rm -rf users/UserName && mkdir -p users/UserName

# 1 Generate the private key
openssl genrsa -out users/UserName/UserName.key 2048

# 2 Generate the certificate signing request
openssl req -new -key users/UserName/UserName.key -subj /C=CN/ST=ShangHai/L=ShangHai/O=DefaultOrg/OU=DefaultDept/CN=UserName -out users/UserName/UserName.csr

# 3 Generate the CA-signed certificate (.pem .der)
openssl x509 -extfile ./conf/openssl.cnf -extensions v3_req -CA ca/ca.pem -CAkey ca/ca.key -days 36500 -req -in users/UserName/UserName.csr -out users/UserName/UserName.pem
openssl x509 -in users/UserName/UserName.pem -inform PEM -outform DER -out users/UserName/UserName.der

# 4 Import into keystores (.p12 .jks)
openssl pkcs12 -export -in users/UserName/UserName.pem -inkey users/UserName/UserName.key -name UserName -out users/UserName/UserName.keystore.p12 -passout pass:pkcs12_ks_pswd
keytool -importkeystore \
        -srcstoretype pkcs12 \
        -srckeystore users/UserName/UserName.keystore.p12 \
        -srcstorepass pkcs12_ks_pswd \
        -deststoretype jks \
        -destkeystore users/UserName/UserName.keystore.jks \
        -deststorepass jks_ks_pswd \
        -srcalias UserName \
        -destalias UserName \
        -srckeypass pkcs12_ks_pswd \
        -destkeypass jks_k_pswd

# 5 Inspect the certificate files
openssl x509 -in users/UserName/UserName.pem -text -noout
openssl x509 -in users/UserName/UserName.der -inform der -text -noout

# 6 UserName truststore: trust the CA
keytool -import -noprompt -file ca/ca.pem -keystore users/UserName/UserName.truststore.jks -storepass jks_ts_pswd -alias ca
keytool -importkeystore \
        -srcstoretype jks \
        -srckeystore users/UserName/UserName.truststore.jks \
        -srcstorepass jks_ts_pswd \
        -deststoretype pkcs12 \
        -destkeystore users/UserName/UserName.truststore.p12 \
        -deststorepass pkcs12_ts_pswd

Kafka configuration

  • First, note that the configuration above is not entirely identical to the official documentation. The official docs import the CA certificate into the truststore (same as we do); into the keystore they import the broker's own certificate as well as the CA certificate (we import only the CA certificate). This makes no difference.
  • Kafka's own settings
# The id can be any value but must differ between brokers; our test uses a single broker.
broker.id=0

# Listener address
listeners=PLAINTEXT://:9092

# Kafka data directory
log.dirs=/Applications/softwares/kafka_2.12-2.3.0/kafka-logs
  • SSL configuration, part 1
# If SSL is not enabled for inter-broker communication (see below for how to enable it), both PLAINTEXT and SSL ports will be necessary.
# listeners=PLAINTEXT://host.name:port,SSL://host.name:port

# The above is the official note; in short: if SSL between brokers is not enabled, a PLAINTEXT listener must be provided as well.
# listeners=PLAINTEXT://kafka.local:9092,SSL://kafka.local:9093
# We use a pure-SSL configuration; otherwise, if the plaintext port is exposed, SSL is pointless.
listeners=SSL://kafka.local:9093

# Inter-broker SSL is enabled as follows
security.inter.broker.protocol=SSL
  • SSL configuration, part 2
# SSL settings.
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
ssl.secure.random.implementation=SHA1PRNG

# Keystore.
ssl.keystore.type=JKS
ssl.keystore.location=/Applications/softwares/kafka_2.12-2.3.0/ssl/server/server.keystore.jks
ssl.keystore.password=jks_ks_pswd
ssl.key.password=jks_k_pswd

# Truststore.
ssl.truststore.type=JKS
ssl.truststore.location=/Applications/softwares/kafka_2.12-2.3.0/ssl/server/server.truststore.jks
ssl.truststore.password=jks_ts_pswd

# Client authentication
# ssl.client.auth=none/requested/required
ssl.client.auth=required

# Client authorization / ACLs
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer

# Use the CN field as the short name of the User
ssl.principal.mapping.rules=RULE:^CN=([^,]*?),.*$/$1/

# Super users (note: the SSL connections between brokers need super user ServerName; administration needs super user KafkaAdmin)
super.users=User:ServerName;User:KafkaAdmin
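As an added example (not from the original post), a small Python linter over the broker settings above. It applies the post's own rules, SSL-only listeners, inter-broker SSL and ssl.client.auth=required, and adds the one check a reviewer would raise against the snippet: ssl.enabled.protocols still lists TLSv1 and TLSv1.1, both deprecated by RFC 8996. The configs below are constructed from the fragments above; the defaults assumed for missing keys (PLAINTEXT inter-broker, client auth none) are Kafka's documented defaults.

```python
"""Added example, not from the original post: lint the broker SSL settings
shown above against the post's own policy plus one reviewer check."""

WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}   # deprecated (RFC 7568, RFC 8996)
ENCRYPTED = {"SSL", "SASL_SSL"}                   # Kafka listener protocols that use TLS

def parse_properties(text):
    """Minimal Java .properties reader: skip blanks and '#' lines, split on first '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def lint_broker_ssl(props):
    """Return a list of findings; empty means the post's policy holds."""
    findings = []
    for listener in filter(None, (l.strip() for l in props.get("listeners", "").split(","))):
        proto = listener.split("://", 1)[0]
        if proto not in ENCRYPTED:
            findings.append(f"listener {listener}: unencrypted {proto} port makes the SSL listener pointless")
    # Kafka defaults: inter-broker PLAINTEXT, ssl.client.auth=none, no authorizer.
    if props.get("security.inter.broker.protocol", "PLAINTEXT") not in ENCRYPTED:
        findings.append("security.inter.broker.protocol: broker-to-broker traffic is not TLS")
    if props.get("ssl.client.auth", "none") != "required":
        findings.append("ssl.client.auth: clients are not forced to present a certificate")
    weak = WEAK_PROTOCOLS & set(props.get("ssl.enabled.protocols", "").split(","))
    if weak:
        findings.append(f"ssl.enabled.protocols: deprecated {sorted(weak)} still enabled")
    if not props.get("authorizer.class.name"):
        findings.append("authorizer.class.name: no authorizer, any authenticated certificate can do anything")
    return findings

# Constructed from the server.properties fragments above.
POST_CONFIG = """\
listeners=SSL://kafka.local:9093
security.inter.broker.protocol=SSL
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
ssl.client.auth=required
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:ServerName;User:KafkaAdmin
"""
# The mixed PLAINTEXT+SSL variant the post rejects, with ssl.client.auth left at its default.
MIXED_CONFIG = POST_CONFIG.replace("listeners=SSL://", "listeners=PLAINTEXT://kafka.local:9092,SSL://"
                                   ).replace("ssl.client.auth=required\n", "")
```

Run `lint_broker_ssl(parse_properties(open("config/server.properties").read()))` against a real file; for the post's own fragment the only finding is the deprecated protocol list.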
  • Start a single-node Kafka
# Since this is a test, we do not set up a separate ZooKeeper; the one bundled with Kafka is used directly.
# Edit the ZooKeeper config (/Applications/softwares/kafka_2.12-2.3.0/config/zookeeper.properties) as follows:

dataDir=/Applications/softwares/kafka_2.12-2.3.0/zk_data

# Start ZooKeeper
./bin/zookeeper-server-start.sh -daemon ./config/zookeeper.properties

# The corresponding command to stop ZooKeeper
./bin/zookeeper-server-stop.sh

# Start Kafka
./bin/kafka-server-start.sh -daemon ./config/server.properties 

# The corresponding command to stop Kafka
./bin/kafka-server-stop.sh
  • Quick test
  • openssl s_client -debug -connect localhost:9093 -tls1
  • Producer and consumer test.
  • Replace UserName in the client script with KafkaAdmin, generate the KafkaAdmin certificates, then create the following file.
# Configure config/kafka-admin-ssl.properties.
# 1 Add the following settings
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
security.protocol=SSL

# 2 Truststore.
ssl.truststore.type=JKS
ssl.truststore.location=/Applications/softwares/kafka_2.12-2.3.0/ssl/users/KafkaAdmin/KafkaAdmin.truststore.jks
ssl.truststore.password=jks_ts_pswd

# 3 Keystore.
ssl.keystore.type=JKS
ssl.keystore.location=/Applications/softwares/kafka_2.12-2.3.0/ssl/users/KafkaAdmin/KafkaAdmin.keystore.jks
ssl.keystore.password=jks_ks_pswd
ssl.key.password=jks_k_pswd
  • Start the producer and consumer with the commands below. Use two separate terminals (do not run them in the background).
  • Start the producer:
    ./bin/kafka-console-producer.sh --broker-list kafka.local:9093 --topic test --producer.config ./config/kafka-admin-ssl.properties
  • Start the consumer:
    ./bin/kafka-console-consumer.sh --bootstrap-server kafka.local:9093 --topic test --consumer.config ./config/kafka-admin-ssl.properties
  • Note: as long as neither command reports an error, they have started successfully. Type a message on the producer's standard input and press Enter to send it; the consumer's terminal then prints the received messages one after another.
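The rule ssl.principal.mapping.rules=RULE:^CN=([^,]*?),.*$/$1/ above is what turns each certificate into the User:<CN> principal that super.users and the ACLs in the next section are matched against. As an added example (not code from the post or from Kafka), here is a Python rendering of the documented rule semantics, run over the -subj values from the scripts above plus one constructed CN-only subject.

```python
"""Added example, not code from the post or from Kafka: a Python rendering of
how ssl.principal.mapping.rules maps a certificate subject to a principal."""
import re

POST_RULE = "RULE:^CN=([^,]*?),.*$/$1/"          # ssl.principal.mapping.rules above
SUPER_USERS = "User:ServerName;User:KafkaAdmin"   # super.users above
SUBJECTS = {                                      # openssl -subj order (C first, CN last)
    "server": "/C=CN/ST=ShangHai/L=ShangHai/O=DefaultOrg/OU=DefaultDept/CN=ServerName",
    "bob": "/C=CN/ST=ShangHai/L=ShangHai/O=DefaultOrg/OU=DefaultDept/CN=Bob",
    "cn_only": "/CN=Eve",                         # constructed: nothing after the CN
}

def rfc2253_dn(openssl_subject):
    """Java hands Kafka the peer subject in RFC 2253 order (CN first), the
    reverse of the /C=.../CN= order given to openssl -subj."""
    return ",".join(reversed([p for p in openssl_subject.split("/") if p]))

def parse_rules(spec):
    """Split 'RULE:pattern/replacement/[LU],...,DEFAULT' into rule entries."""
    rules = []
    for m in re.finditer(r"DEFAULT|RULE:(.+?)/(.*?)/([LU]?)(?=,|$)", spec):
        if m.group(0) == "DEFAULT":
            rules.append("DEFAULT")
        else:  # Java back-references are $1; Python's re wants \g<1>
            rules.append((m.group(1), re.sub(r"\$(\d+)", r"\\g<\1>", m.group(2)), m.group(3)))
    return rules

def map_principal(dn, rules):
    """First rule whose pattern matches the entire DN wins; DEFAULT keeps the DN.
    None means no rule matched: Kafka's SslPrincipalMapper throws NoMatchingRule
    there and the connection fails, so end a rule list with DEFAULT."""
    for rule in rules:
        if rule == "DEFAULT":
            return dn
        pattern, repl, case = rule
        if re.fullmatch(pattern, dn):
            name = re.sub(pattern, repl, dn)
            return {"L": name.lower(), "U": name.upper()}.get(case, name)
    return None

def is_super_user(principal, super_users=SUPER_USERS):
    """super.users is a ';'-separated list of 'User:<name>' entries."""
    return f"User:{principal}" in super_users.split(";")

if __name__ == "__main__":
    rules = parse_rules(POST_RULE)
    for label, subj in SUBJECTS.items():
        dn = rfc2253_dn(subj)
        principal = map_principal(dn, rules)
        print(f"{label:8} {dn} -> {principal!r} super_user={is_super_user(principal)}")
```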

Authorization & ACL

  • The summary configuration above has in fact already completed all of the Authorization setup, and even part of the ACL configuration, such as the super users. Below we briefly try a few concrete ACL management commands.
  • Add Bob's certificate configuration
# Configure config/bob-ssl.properties.
# 1 Add the following settings
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
security.protocol=SSL

# 2 Truststore.
ssl.truststore.type=JKS
ssl.truststore.location=/Applications/softwares/kafka_2.12-2.3.0/ssl/users/Bob/Bob.truststore.jks
ssl.truststore.password=jks_ts_pswd

# 3 Keystore.
ssl.keystore.type=JKS
ssl.keystore.location=/Applications/softwares/kafka_2.12-2.3.0/ssl/users/Bob/Bob.keystore.jks
ssl.keystore.password=jks_ks_pswd
ssl.key.password=jks_k_pswd
  • Start the producer and consumer with the commands below. Use two separate terminals (do not run them in the background).
# Start the producer
./bin/kafka-console-producer.sh --broker-list kafka.local:9093 --topic test --producer.config ./config/bob-ssl.properties
  • As long as the certificate configuration is OK, startup succeeds. Then type a message and press Enter to send it; the following error appears.
macBook:kafka_2.12-2.3.0 nobleyd$ # Start the producer
macBook:kafka_2.12-2.3.0 nobleyd$ ./bin/kafka-console-producer.sh --broker-list kafka.local:9093 --topic test --producer.config ./config/bob-ssl.properties
>my first msg
[2019-11-25 18:56:29,966] WARN [Producer clientId=console-producer] Error while fetching metadata with correlation id 3 : {test=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
[2019-11-25 18:56:29,967] ERROR [Producer clientId=console-producer] Topic authorization failed for topics [test] (org.apache.kafka.clients.Metadata)
[2019-11-25 18:56:29,967] ERROR Error when sending message to topic test with key: null, value: 12 bytes with error: (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback)
org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [test]
> 
  • At the same time, the Kafka log shows the following.
macBook:kafka_2.12-2.3.0 nobleyd$ tail -f logs/kafka-authorizer.log
[2019-11-25 18:56:29,963] INFO Principal = User:Bob is Denied Operation = Describe from host = 127.0.0.1 on resource = Topic:LITERAL:test (kafka.authorizer.logger)
  • Likewise, start the consumer process; the consumer, however, waits a few seconds and then errors out (don't ask why, there is nothing worth explaining).
macBook:kafka_2.12-2.3.0 nobleyd$ # Start the consumer
macBook:kafka_2.12-2.3.0 nobleyd$ ./bin/kafka-console-consumer.sh --bootstrap-server kafka.local:9093 --topic test --consumer.config ./config/bob-ssl.properties
[2019-11-25 18:58:57,704] WARN [Consumer clientId=consumer-1, groupId=console-consumer-70366] Error while fetching metadata with correlation id 2 : {test=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
[2019-11-25 18:58:57,708] ERROR [Consumer clientId=consumer-1, groupId=console-consumer-70366] Topic authorization failed for topics [test] (org.apache.kafka.clients.Metadata)
[2019-11-25 18:58:57,710] ERROR Error processing message, terminating consumer process:  (kafka.tools.ConsoleConsumer$)
org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [test]
Processed a total of 0 messages
macBook:kafka_2.12-2.3.0 nobleyd$
  • Next, we grant Bob permissions.
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=kafka.local:2181 \
                  --add \
                  --allow-principal User:Bob \
                  --allow-host '*' \
                  --operation ALL \
                  --topic test
  • After the permissions are granted, the producer can write without problems.
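The kafka-authorizer.log line above is the broker-side record of every TOPIC_AUTHORIZATION_FAILED the client printed. As an added example (not from the original post), a Python parser for that log format that counts denials per principal, operation and resource and turns each one into the narrowest kafka-acls.sh grant, a least-privilege alternative to the --operation ALL shortcut used above. The log lines are constructed in the format of the post's output; Allowed decisions are logged at DEBUG by SimpleAclAuthorizer and only appear if the kafka.authorizer.logger level is lowered.

```python
"""Added example, not from the original post: parse kafka-authorizer.log lines
in the format shown above and summarise the denials behind a client's
TOPIC_AUTHORIZATION_FAILED errors."""
import re
from collections import Counter

# Constructed sample in the post's log format (not real broker output). Allowed
# decisions are logged at DEBUG by SimpleAclAuthorizer and only appear if the
# kafka.authorizer.logger level is lowered in log4j.properties.
SAMPLE_LOG = """\
[2019-11-25 18:56:29,963] INFO Principal = User:Bob is Denied Operation = Describe from host = 127.0.0.1 on resource = Topic:LITERAL:test (kafka.authorizer.logger)
[2019-11-25 18:56:30,102] INFO Principal = User:Bob is Denied Operation = Describe from host = 127.0.0.1 on resource = Topic:LITERAL:test (kafka.authorizer.logger)
[2019-11-25 18:58:57,701] INFO Principal = User:Bob is Denied Operation = Read from host = 127.0.0.1 on resource = Group:LITERAL:console-consumer-70366 (kafka.authorizer.logger)
[2019-11-25 19:02:11,004] DEBUG Principal = User:KafkaAdmin is Allowed Operation = Write from host = 127.0.0.1 on resource = Topic:LITERAL:test (kafka.authorizer.logger)
[2019-11-25 19:05:40,318] DEBUG Principal = User:Bob is Allowed Operation = Write from host = 127.0.0.1 on resource = Topic:LITERAL:test (kafka.authorizer.logger)
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \w+ Principal = (?P<principal>\S+) is (?P<decision>Allowed|Denied) "
    r"Operation = (?P<operation>\S+) from host = (?P<host>\S+) on resource = (?P<resource>\S+)"
)

def parse_authorizer_log(text):
    """One dict per authorizer decision; lines in another format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def denied_summary(events):
    """Count denials per (principal, operation, resource): exactly the tuple an ACL must allow."""
    return Counter((e["principal"], e["operation"], e["resource"])
                   for e in events if e["decision"] == "Denied")

def acl_suggestions(events):
    """Turn each denied tuple into the narrowest kafka-acls.sh grant, the
    least-privilege alternative to the --operation ALL shortcut used above."""
    switch = {"Topic": "--topic", "Group": "--group", "TransactionalId": "--transactional-id"}
    out = set()
    for principal, operation, resource in denied_summary(events):
        rtype, _pattern_type, name = resource.split(":", 2)
        target = "--cluster" if rtype == "Cluster" else f"{switch[rtype]} {name}"
        out.add(f"--add --allow-principal {principal} --operation {operation} {target}")
    return sorted(out)

if __name__ == "__main__":
    events = parse_authorizer_log(SAMPLE_LOG)
    for key, count in denied_summary(events).most_common():
        print(count, *key)
    print("\n".join(acl_suggestions(events)))
```

The Group denial in the sample is why a consumer still fails after a topic-only grant: the console consumer also needs Read on its consumer group.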
