Kafka SSL configuration

Kafka SSL configuration notes

All of the configuration mainly follows the official documentation. For some of the openssl operations, the article at https://blog.csdn.net/bbwangj/article/details/82503675 can be used as a reference; in practice you do not need to remember that much.

Steps

Download kafka_2.12-2.3.0 and extract it

macBook:kafka_2.12-2.3.0 nobleyd$ pwd
/Applications/softwares/kafka_2.12-2.3.0
macBook:kafka_2.12-2.3.0 nobleyd$ ls
LICENSE         NOTICE          bin             config          libs            site-docs
macBook:kafka_2.12-2.3.0 nobleyd$

Create the directories

macBook:kafka_2.12-2.3.0 nobleyd$ mkdir ssl
macBook:kafka_2.12-2.3.0 nobleyd$ cd ssl/
macBook:ssl nobleyd$ ls
macBook:ssl nobleyd$ mkdir ca
macBook:ssl nobleyd$ mkdir client
macBook:ssl nobleyd$ mkdir server
macBook:ssl nobleyd$ ls
ca      client  server
macBook:ssl nobleyd$ 

Create the CA key and certificate

  • Generate the CA private key (key)
macBook:ssl nobleyd$ pwd
/Applications/softwares/kafka_2.12-2.3.0/ssl
macBook:ssl nobleyd$
macBook:ssl nobleyd$ openssl genrsa -out ca/ca.key 2048
Generating RSA private key, 2048 bit long modulus
.......................+++
.......................+++
e is 65537 (0x10001)
macBook:ssl nobleyd$
macBook:ssl nobleyd$ cat ca/ca.key
-----BEGIN RSA PRIVATE KEY-----
(private key material omitted)
-----END RSA PRIVATE KEY-----
macBook:ssl nobleyd$
  • Generate the certificate signing request (csr)

macBook:ssl nobleyd$ pwd
/Applications/softwares/kafka_2.12-2.3.0/ssl
macBook:ssl nobleyd$ openssl req -new -key ca/ca.key -out ca/ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:shanghai
Locality Name (eg, city) []:shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
macBook:ssl nobleyd$ cat ca/ca.csr
-----BEGIN CERTIFICATE REQUEST-----
(request body omitted)
-----END CERTIFICATE REQUEST-----
macBook:ssl nobleyd$ 
  • Self-sign
macBook:ssl nobleyd$ pwd
/Applications/softwares/kafka_2.12-2.3.0/ssl
macBook:ssl nobleyd$
macBook:ssl nobleyd$ openssl x509 -req -in ca/ca.csr -signkey ca/ca.key -out ca/ca.pem
Signature ok
subject=/C=cn/ST=shanghai/L=shanghai/O=Internet Widgits Pty Ltd
Getting Private key
macBook:ssl nobleyd$
macBook:ssl nobleyd$ cat ca/ca.pem
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
macBook:ssl nobleyd$
macBook:ssl nobleyd$ echo "00" > ca/ca.srl
  • The two steps above can apparently be merged into one: openssl req -new -x509 -key ca/ca.key -out ca.pem (not going into the difference here)
  • At this point ca/ca.key and ca/ca.pem have both been generated.
macBook:ssl nobleyd$ openssl pkcs12 -export -clcerts -in ca/ca.pem -inkey ca/ca.key -out ca/ca.p12
Enter Export Password: capswd
Verifying - Enter Export Password: capswd
macBook:ssl nobleyd$ 

Create the server key and certificate (similar)

Create the client key and certificate (similar)

Summary | Note: read the scripts below carefully; they differ somewhat from what is shown above. Parts of the directory structure and some options were changed when writing this summary. The steps above are not wrong, just not optimal.

Everything that matches the steps above is omitted; what follows is a summary script. Note that some things differ from above. The main difference is that x509 v3 is used (i.e. -extfile ./conf/openssl.cnf -extensions v3_req must be specified); you can find an openssl.cnf yourself, the default one that ships with openssl works. Secondly, the values that previously had to be typed interactively when generating the csr are now passed as arguments, so no interactive input is needed. The scripts are as follows.

Hosts change (a client authenticating the server usually performs hostname validation, so for testing we edit the hosts file to get that effect)

  • This step is required: when the setup is used later, the hostname must match for access to kafka to succeed.
  • # hosts file entry
    127.0.0.1 kafka.local

CA script

# init
rm -rf ca && mkdir -p ca
echo '00' > ca/ca.srl

# 1 Generate the private key
openssl genrsa -out ca/ca.key 2048

# 2 Generate the certificate signing request
openssl req -new -key ca/ca.key -subj /C=CN/ST=ShangHai/L=ShangHai/O=DefaultOrg/OU=DefaultDept/CN=CaName -out ca/ca.csr

# 3 Generate the CA-signed certificate (.pem .der)
openssl x509 -extfile ./conf/openssl.cnf -extensions v3_req -signkey ca/ca.key -days 36500 -req -in ca/ca.csr -out ca/ca.pem
openssl x509 -in ca/ca.pem -inform PEM -outform DER -out ca/ca.der

# 4 Import into key stores (.p12 .jks)
openssl pkcs12 -export -in ca/ca.pem -inkey ca/ca.key -name ca -out ca/ca.keystore.p12 -passout pass:pkcs12_ks_pswd
keytool -importkeystore \
        -srcstoretype pkcs12 \
        -srckeystore ca/ca.keystore.p12 \
        -srcstorepass pkcs12_ks_pswd \
        -deststoretype jks \
        -destkeystore ca/ca.keystore.jks \
        -deststorepass jks_ks_pswd \
        -srcalias ca \
        -destalias ca \
        -srckeypass pkcs12_ks_pswd \
        -destkeypass jks_k_pswd

# 5 Inspect the certificate files
openssl x509 -in ca/ca.pem -text -noout
openssl x509 -in ca/ca.der -inform der -text -noout

Server script (by default ServerName is used as the CN of the server certificate; together with the SSL configuration later, ServerName is made a super user so that brokers can connect to each other over SSL)

# init
rm -rf server && mkdir -p server

# 1 Generate the private key
openssl genrsa -out server/server.key 2048

# 2 Generate the certificate signing request
openssl req -new -key server/server.key -subj /C=CN/ST=ShangHai/L=ShangHai/O=DefaultOrg/OU=DefaultDept/CN=ServerName -out server/server.csr

# 3 Generate the CA-signed certificate (.pem .der)
openssl x509 -extfile ./conf/openssl.cnf -extensions v3_req -CA ca/ca.pem -CAkey ca/ca.key -days 36500 -req -in server/server.csr -out server/server.pem
openssl x509 -in server/server.pem -inform PEM -outform DER -out server/server.der

# 4 Import into key stores (.p12 .jks)
openssl pkcs12 -export -in server/server.pem -inkey server/server.key -name server -out server/server.keystore.p12 -passout pass:pkcs12_ks_pswd
keytool -importkeystore \
        -srcstoretype pkcs12 \
        -srckeystore server/server.keystore.p12 \
        -srcstorepass pkcs12_ks_pswd \
        -deststoretype jks \
        -destkeystore server/server.keystore.jks \
        -deststorepass jks_ks_pswd \
        -srcalias server \
        -destalias server \
        -srckeypass pkcs12_ks_pswd \
        -destkeypass jks_k_pswd

# 5 Inspect the certificate files
openssl x509 -in server/server.pem -text -noout
openssl x509 -in server/server.der -inform der -text -noout

# 6 Trust the CA (server)
keytool -import -noprompt -file ca/ca.pem -keystore server/server.truststore.jks -storepass jks_ts_pswd -alias ca
keytool -importkeystore \
        -srcstoretype jks \
        -srckeystore server/server.truststore.jks \
        -srcstorepass jks_ts_pswd \
        -deststoretype pkcs12 \
        -destkeystore server/server.truststore.p12 \
        -deststorepass pkcs12_ts_pswd

Client script (UserName can be replaced throughout with another name; it is the CN field of the certificate)

# init
rm -rf users/UserName && mkdir -p users/UserName

# 1 Generate the private key
openssl genrsa -out users/UserName/UserName.key 2048

# 2 Generate the certificate signing request
openssl req -new -key users/UserName/UserName.key -subj /C=CN/ST=ShangHai/L=ShangHai/O=DefaultOrg/OU=DefaultDept/CN=UserName -out users/UserName/UserName.csr

# 3 Generate the CA-signed certificate (.pem .der)
openssl x509 -extfile ./conf/openssl.cnf -extensions v3_req -CA ca/ca.pem -CAkey ca/ca.key -days 36500 -req -in users/UserName/UserName.csr -out users/UserName/UserName.pem
openssl x509 -in users/UserName/UserName.pem -inform PEM -outform DER -out users/UserName/UserName.der

# 4 Import into key stores (.p12 .jks)
openssl pkcs12 -export -in users/UserName/UserName.pem -inkey users/UserName/UserName.key -name UserName -out users/UserName/UserName.keystore.p12 -passout pass:pkcs12_ks_pswd
keytool -importkeystore \
        -srcstoretype pkcs12 \
        -srckeystore users/UserName/UserName.keystore.p12 \
        -srcstorepass pkcs12_ks_pswd \
        -deststoretype jks \
        -destkeystore users/UserName/UserName.keystore.jks \
        -deststorepass jks_ks_pswd \
        -srcalias UserName \
        -destalias UserName \
        -srckeypass pkcs12_ks_pswd \
        -destkeypass jks_k_pswd

# 5 Inspect the certificate files
openssl x509 -in users/UserName/UserName.pem -text -noout
openssl x509 -in users/UserName/UserName.der -inform der -text -noout

# 6 Trust the CA (UserName)
keytool -import -noprompt -file ca/ca.pem -keystore users/UserName/UserName.truststore.jks -storepass jks_ts_pswd -alias ca
keytool -importkeystore \
        -srcstoretype jks \
        -srckeystore users/UserName/UserName.truststore.jks \
        -srcstorepass jks_ts_pswd \
        -deststoretype pkcs12 \
        -destkeystore users/UserName/UserName.truststore.p12 \
        -deststorepass pkcs12_ts_pswd
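As an added example (not code from the original post), the following script builds a throwaway CA, a broker certificate and a user certificate the same way the three scripts above do, then runs the checks worth doing before wiring the key stores into Kafka: that the leaf certificates chain to the CA, that the broker certificate matches the hostname clients will connect to (Kafka clients verify this by default since 2.0, which is why the hosts entry for kafka.local matters), and which principal the rule RULE:^CN=([^,]*?),.*$/$1/ from the Kafka configuration section derives from a user certificate. The directory layout, the extension files, the name "TestCA" and the user "Bob" are assumptions of the example. One caveat it encodes: the stock v3_req section of openssl.cnf sets basicConstraints=CA:FALSE, and openssl verify rejects an issuer without CA:TRUE, so the example writes its own CA extensions; if a chain built with the scripts above fails to verify, inspect the CA certificate with the step-5 command.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a test CA, a broker
# certificate and a user certificate, then verifies chain, hostname and the
# Kafka principal derived from the subject DN. Names and paths are assumptions.
set -e

# write_ext_files DIR HOST: constructed extension files for the CA and the leaves.
write_ext_files() {
  dir="$1"; host="$2"
  # A CA needs CA:TRUE and keyCertSign; the stock v3_req section has neither.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$dir/ca.ext"
  # Broker certificate: the SAN is what hostname validation is checked against.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" > "$dir/server.ext"
  # User certificate: client authentication only, no SAN needed.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
}

# issue_leaf DIR NAME CN EXTFILE: key + CSR + CA-signed certificate, as in the scripts above.
issue_leaf() {
  dir="$1"; name="$2"; cn="$3"; ext="$4"
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$name.key" \
    -subj "/C=CN/ST=ShangHai/L=ShangHai/O=DefaultOrg/OU=DefaultDept/CN=$cn" \
    -out "$dir/$name.csr" 2>/dev/null
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$ext" -out "$dir/$name.pem" 2>/dev/null
}

# make_test_pki DIR HOST USER: CA plus a broker cert (CN=ServerName) and a user cert.
make_test_pki() {
  dir="$1"; host="$2"; user="$3"
  mkdir -p "$dir"
  write_ext_files "$dir" "$host"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -key "$dir/ca.key" -subj "/C=CN/O=DefaultOrg/CN=TestCA" -out "$dir/ca.csr" 2>/dev/null
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 365 \
    -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null
  issue_leaf "$dir" server ServerName "$dir/server.ext"
  issue_leaf "$dir" "$user" "$user" "$dir/client.ext"
}

# verify_broker_cert CA CERT HOST: exit 0 only if CERT chains to CA and matches HOST,
# which is what a Kafka client with ssl.endpoint.identification.algorithm=https checks.
verify_broker_cert() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# principal_from_cert CERT: apply the post's mapping rule ^CN=([^,]*?),.*$ -> $1 to the
# RFC 2253 form of the subject DN, which is the form Kafka feeds to the rule.
principal_from_cert() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//' \
    | sed -n 's/^CN=\([^,]*\),.*$/\1/p'
}

# Demonstration run (constructed names; ServerName and Bob as in the post).
work=$(mktemp -d)
make_test_pki "$work" kafka.local Bob
if verify_broker_cert "$work/ca.pem" "$work/server.pem" kafka.local; then
  echo "server.pem chains to the CA and matches kafka.local"
fi
if ! verify_broker_cert "$work/ca.pem" "$work/server.pem" other.local; then
  echo "server.pem is rejected for other.local (hostname validation)"
fi
echo "Kafka principal for Bob.pem: User:$(principal_from_cert "$work/Bob.pem")"
```

The principal check is the one to run before writing ACLs: the rule only fires when a comma follows the CN, so a certificate whose subject is a bare CN would fall through to the full DN and no ACL written for User:Bob would match it.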

Kafka configuration

  • First, be aware that the configuration above is not exactly the same as the official documentation. The official docs import the CA certificate into the truststore (same as here); into the keystore they import the node's own certificate as well as the CA certificate (we import only the CA certificate). This makes no difference.
  • Kafka's own settings
# id: any value will do, but it must differ between brokers; our test has only one broker.
broker.id=0

# listener address
listeners=PLAINTEXT://:9092

# where kafka stores its data
log.dirs=/Applications/softwares/kafka_2.12-2.3.0/kafka-logs
  • SSL configuration fragment 1
# If SSL is not enabled for inter-broker communication (see below for how to enable it), both PLAINTEXT and SSL ports will be necessary.
# listeners=PLAINTEXT://host.name:port,SSL://host.name:port

# The above is the official note; in short: if SSL is not enabled between brokers, a PLAINTEXT listener must be provided as well.
# listeners=PLAINTEXT://kafka.local:9092,SSL://kafka.local:9093
# We use a pure SSL configuration; otherwise, if the plaintext port leaks out, SSL is just for show.
listeners=SSL://kafka.local:9093

# SSL between brokers is enabled as follows
security.inter.broker.protocol=SSL
  • SSL configuration fragment 2
# SSL settings.
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
ssl.secure.random.implementation=SHA1PRNG

# keystore settings.
ssl.keystore.type=JKS
ssl.keystore.location=/Applications/softwares/kafka_2.12-2.3.0/ssl/server/server.keystore.jks
ssl.keystore.password=jks_ks_pswd
ssl.key.password=jks_k_pswd

# truststore settings.
ssl.truststore.type=JKS
ssl.truststore.location=/Applications/softwares/kafka_2.12-2.3.0/ssl/server/server.truststore.jks
ssl.truststore.password=jks_ts_pswd

# client authentication
# ssl.client.auth=none/requested/required
ssl.client.auth=required

# client authorization / ACL
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer

# use the CN field as the short name of the User
ssl.principal.mapping.rules=RULE:^CN=([^,]*?),.*$/$1/

# super users (note: the SSL connections between brokers need the super user ServerName; administration needs the super user KafkaAdmin)
super.users=User:ServerName;User:KafkaAdmin
  • Start a single-node Kafka
# Since this is a test we do not set up zk separately; the zk bundled with kafka is used directly.
# Edit the zk configuration (/Applications/softwares/kafka_2.12-2.3.0/config/zookeeper.properties) as follows:

dataDir=/Applications/softwares/kafka_2.12-2.3.0/zk_data

# start zk
./bin/zookeeper-server-start.sh -daemon ./config/zookeeper.properties

# the corresponding command to stop zk
./bin/zookeeper-server-stop.sh


# start kafka
./bin/kafka-server-start.sh -daemon ./config/server.properties 

# the corresponding command to stop kafka
./bin/kafka-server-stop.sh
  • Quick test
  • openssl s_client -debug -connect localhost:9093 -tls1
  • Message production and consumption test.
  • Replace UserName in the client script with KafkaAdmin, generate KafkaAdmin's certificates, then configure the following file.
# Configure config/kafka-admin-ssl.properties.
# 1 Add the following settings
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
security.protocol=SSL

# 2 truststore settings.
ssl.truststore.type=JKS
ssl.truststore.location=/Applications/softwares/kafka_2.12-2.3.0/ssl/users/KafkaAdmin/KafkaAdmin.truststore.jks
ssl.truststore.password=jks_ts_pswd

# 3 keystore settings.
ssl.keystore.type=JKS
ssl.keystore.location=/Applications/softwares/kafka_2.12-2.3.0/ssl/users/KafkaAdmin/KafkaAdmin.keystore.jks
ssl.keystore.password=jks_ks_pswd
ssl.key.password=jks_k_pswd
  • Start the producer and the consumer with the following commands. Use two separate terminals (do not run them in the background).
  • # start the producer
    ./bin/kafka-console-producer.sh --broker-list kafka.local:9093 --topic test --producer.config ./config/kafka-admin-ssl.properties
  • # start the consumer
    ./bin/kafka-console-consumer.sh --bootstrap-server kafka.local:9093 --topic test --consumer.config ./config/kafka-admin-ssl.properties
  • Note: as long as the two commands above do not report an error, they have started successfully. Type a message on the producer process's standard input and press Enter to send it. The consumer process's terminal will then print the received messages as they arrive.
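Added example, not from the original post: a small shell checker for the broker settings shown in the two SSL fragments above. It reads a server.properties file and reports a listener without TLS, an inter-broker protocol other than SSL, ssl.client.auth weaker than required, legacy TLS versions in ssl.enabled.protocols, hostname verification explicitly disabled (ssl.endpoint.identification.algorithm left empty), and a missing authorizer. Applied to the fragments above it raises exactly one finding, the TLSv1.1 and TLSv1 entries in ssl.enabled.protocols. The two property files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: lint the TLS-related broker
# settings of a server.properties file. The two sample files are constructed.

# prop FILE KEY: value of KEY (last definition wins, as java.util.Properties does).
prop() {
  k=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n "s/^[[:space:]]*$k[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# has_key FILE KEY: exit 0 if KEY is defined at all (even with an empty value).
has_key() {
  k=$(printf '%s' "$2" | sed 's/\./\\./g')
  grep -q "^[[:space:]]*$k[[:space:]]*=" "$1"
}

# check_kafka_ssl_config FILE: print one "FINDING: ..." line per weakness.
check_kafka_ssl_config() {
  f="$1"
  l=$(prop "$f" listeners)
  case "$l" in
    *PLAINTEXT://*|*SASL_PLAINTEXT://*)
      echo "FINDING: listener without TLS exposed: $l" ;;
  esac
  case "$(prop "$f" security.inter.broker.protocol)" in
    SSL|SASL_SSL) ;;
    *) echo "FINDING: inter-broker traffic is not TLS-protected" ;;
  esac
  [ "$(prop "$f" ssl.client.auth)" = required ] \
    || echo "FINDING: ssl.client.auth is not 'required'; clients are not authenticated by certificate"
  p=$(prop "$f" ssl.enabled.protocols)
  case ",$p," in
    *,TLSv1,*|*,TLSv1.1,*|*,SSLv3,*) echo "FINDING: legacy protocol versions enabled: $p" ;;
  esac
  if has_key "$f" ssl.endpoint.identification.algorithm \
     && [ -z "$(prop "$f" ssl.endpoint.identification.algorithm)" ]; then
    echo "FINDING: hostname verification disabled (ssl.endpoint.identification.algorithm is empty)"
  fi
  [ -n "$(prop "$f" authorizer.class.name)" ] \
    || echo "FINDING: no authorizer configured; ACLs are not enforced"
}

# finding_count FILE: number of findings, usable as a pass/fail gate.
finding_count() {
  check_kafka_ssl_config "$1" | wc -l | tr -d ' '
}

# write_samples DIR: a weak and a hardened server.properties (both constructed).
write_samples() {
  mkdir -p "$1"
  cat > "$1/weak.properties" <<'EOF'
broker.id=0
listeners=PLAINTEXT://:9092,SSL://kafka.local:9093
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
ssl.client.auth=none
ssl.endpoint.identification.algorithm=
EOF
  cat > "$1/hardened.properties" <<'EOF'
broker.id=0
listeners=SSL://kafka.local:9093
security.inter.broker.protocol=SSL
ssl.enabled.protocols=TLSv1.2
ssl.client.auth=required
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:ServerName;User:KafkaAdmin
EOF
}

# Demonstration run over the two constructed files.
d=$(mktemp -d)
write_samples "$d"
for f in weak hardened; do
  echo "== $f.properties: $(finding_count "$d/$f.properties") finding(s)"
  check_kafka_ssl_config "$d/$f.properties"
done
```

The inter-broker check treats an absent security.inter.broker.protocol as a finding because the broker default is PLAINTEXT; with a pure SSL listener the broker would not even be able to reach itself, which is the failure mode the fragment-1 comment warns about.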

Authorization & ACL

  • The summary configuration above already contains the complete Authorization configuration, and even part of the ACL configuration such as the super users. Below we briefly try a few concrete ACL management commands.
  • Add Bob's certificate configuration
# Configure config/bob-ssl.properties.
# 1 Add the following settings
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
security.protocol=SSL

# 2 truststore settings.
ssl.truststore.type=JKS
ssl.truststore.location=/Applications/softwares/kafka_2.12-2.3.0/ssl/users/Bob/Bob.truststore.jks
ssl.truststore.password=jks_ts_pswd

# 3 keystore settings.
ssl.keystore.type=JKS
ssl.keystore.location=/Applications/softwares/kafka_2.12-2.3.0/ssl/users/Bob/Bob.keystore.jks
ssl.keystore.password=jks_ks_pswd
ssl.key.password=jks_k_pswd
  • Start the producer and the consumer with the following commands. Use two separate terminals (do not run them in the background).
# start the producer
./bin/kafka-console-producer.sh --broker-list kafka.local:9093 --topic test --producer.config ./config/bob-ssl.properties
  • As long as the certificate configuration is OK, startup succeeds. Then type a message and press Enter to send it; the following error appears.
macBook:kafka_2.12-2.3.0 nobleyd$ # 启动生成者
macBook:kafka_2.12-2.3.0 nobleyd$ ./bin/kafka-console-producer.sh --broker-list kafka.local:9093 --topic test --producer.config ./config/bob-ssl.properties
>my first msg
[2019-11-25 18:56:29,966] WARN [Producer clientId=console-producer] Error while fetching metadata with correlation id 3 : {test=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
[2019-11-25 18:56:29,967] ERROR [Producer clientId=console-producer] Topic authorization failed for topics [test] (org.apache.kafka.clients.Metadata)
[2019-11-25 18:56:29,967] ERROR Error when sending message to topic test with key: null, value: 12 bytes with error: (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback)
org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [test]
> 
  • At the same time, kafka's log shows the following.
macBook:kafka_2.12-2.3.0 nobleyd$ tail -f logs/kafka-authorizer.log
[2019-11-25 18:56:29,963] INFO Principal = User:Bob is Denied Operation = Describe from host = 127.0.0.1 on resource = Topic:LITERAL:test (kafka.authorizer.logger)
  • Likewise start the consumer process; however, the consumer process waits a few seconds and then fails outright (don't ask why, there is nothing much to say about it).
macBook:kafka_2.12-2.3.0 nobleyd$ # 启动消费者
macBook:kafka_2.12-2.3.0 nobleyd$ ./bin/kafka-console-consumer.sh --bootstrap-server kafka.local:9093 --topic test --consumer.config ./config/bob-ssl.properties
[2019-11-25 18:58:57,704] WARN [Consumer clientId=consumer-1, groupId=console-consumer-70366] Error while fetching metadata with correlation id 2 : {test=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
[2019-11-25 18:58:57,708] ERROR [Consumer clientId=consumer-1, groupId=console-consumer-70366] Topic authorization failed for topics [test] (org.apache.kafka.clients.Metadata)
[2019-11-25 18:58:57,710] ERROR Error processing message, terminating consumer process:  (kafka.tools.ConsoleConsumer$)
org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [test]
Processed a total of 0 messages
macBook:kafka_2.12-2.3.0 nobleyd$
  • Next, we grant Bob permissions.
# Grant Bob all operations on topic "test" from any host.
# '*' is quoted so the shell does not expand it into the file names in the current directory.
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=kafka.local:2181 \
                  --add \
                  --allow-principal User:Bob \
                  --allow-host '*' \
                  --operation ALL \
                  --topic test
  • After the grant, the producer can write without problems.
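Added example, not from the original post: the authorizer log shown above is the record of every denied request, and before answering a denial with an ACL it helps to see who is being denied what, and from where. The shell functions below summarise kafka-authorizer.log denials per principal, operation and resource, count denials for one principal, and list denials from hosts other than the one expected. The sample log is constructed for the demonstration; only its first line is the post's own.

```shell
#!/bin/sh
# Added example, not from the original post: summarise denials from
# kafka-authorizer.log, whose line format is the one shown in the post.
# The sample log written below is constructed.

# denied_summary LOGFILE: "count principal operation resource", most frequent first.
denied_summary() {
  awk '
    / is Denied Operation = / {
      # Each field is "label = value"; cut the value out after the known label.
      match($0, /Principal = [^ ]+/);   p  = substr($0, RSTART + 12, RLENGTH - 12)
      match($0, /Operation = [^ ]+/);   op = substr($0, RSTART + 12, RLENGTH - 12)
      match($0, /on resource = [^ ]+/); r  = substr($0, RSTART + 14, RLENGTH - 14)
      n[p " " op " " r]++
    }
    END { for (k in n) print n[k], k }
  ' "$1" | sort -k1,1nr -k2
}

# denied_count LOGFILE PRINCIPAL: how many requests PRINCIPAL had denied.
denied_count() {
  grep -c "Principal = $2 is Denied " "$1" || true
}

# denied_from_unexpected_hosts LOGFILE ALLOWED_HOST: denials from other hosts,
# the lines worth escalating rather than fixing with an ACL.
denied_from_unexpected_hosts() {
  grep ' is Denied ' "$1" | grep -v "from host = $2 " || true
}

# write_sample_log FILE: constructed kafka-authorizer.log content (first line from the post).
write_sample_log() {
  cat > "$1" <<'EOF'
[2019-11-25 18:56:29,963] INFO Principal = User:Bob is Denied Operation = Describe from host = 127.0.0.1 on resource = Topic:LITERAL:test (kafka.authorizer.logger)
[2019-11-25 18:56:31,104] INFO Principal = User:Bob is Denied Operation = Describe from host = 127.0.0.1 on resource = Topic:LITERAL:test (kafka.authorizer.logger)
[2019-11-25 18:57:02,418] INFO Principal = User:Bob is Denied Operation = Write from host = 127.0.0.1 on resource = Topic:LITERAL:test (kafka.authorizer.logger)
[2019-11-25 18:57:10,005] DEBUG Principal = User:KafkaAdmin is Allowed Operation = Write from host = 127.0.0.1 on resource = Topic:LITERAL:test (kafka.authorizer.logger)
[2019-11-25 18:57:44,870] INFO Principal = User:Unknown is Denied Operation = Describe from host = 10.0.0.7 on resource = Topic:LITERAL:test (kafka.authorizer.logger)
EOF
}

# Demonstration run over the constructed log.
log=$(mktemp)
write_sample_log "$log"
echo "== denials by principal / operation / resource"
denied_summary "$log"
echo "== denials from hosts other than 127.0.0.1"
denied_from_unexpected_hosts "$log" 127.0.0.1
```

In the sample, Bob's Describe and Write denials on topic test are the expected result of the missing ACL above, while the denial for User:Unknown from 10.0.0.7 is a certificate the CA issued to a principal no ACL was ever written for, which is a question for whoever runs the CA rather than a reason to add an ACL.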
