How do I create Kafka users and consumer groups for ACLs in a running cluster?

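Problem description

I am using Kafka 2.1 in SASL_PLAINTEXT mode, and to control ACLs on topics I need to create users and groups. So how do I create a user in a running cluster?

I know I can use kafka-consumer-groups.sh to create and list groups. But when I try to list the groups, it throws a Failed to find brokers to send ListGroups exception.

Tags: apache-kafka

Solution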


The users (and their passwords) for the SASL PLAIN mechanism are configured in a JAAS configuration file. Assuming you have multiple Kafka nodes, you should keep this file in sync on all of them. Some examples of how to configure it can be found here in the Kafka Docs. So unless you have some shared storage for this file, you might need to modify it multiple times.

You might want to consider using SCRAM instead of PLAIN. SCRAM stores the credentials (usernames and the hashes of their passwords) in Zookeeper and you can just change it using one of the Kafka utilities (more details again in the Kafka docs).

Just to be clear, the consumer groups are not related to user groups for ACL purposes. They are used to group the consumers to distribute the message load among them (by defining which consumer is assigned which partitions) and to store the last consumed offsets. I do not think the SASL PLAIN mechanism has any support for traditional user groups. I think that in most cases you don't really create these groups - they are created when the consumer starts using them.

The only way the consumer groups relate to ACLs is by allowing the different users to use the consumer groups. If you enable the SimpleAclAuthorizer, you can use the kafka-acls.sh utility to manage the ACLs. One of the permissions you can give to the users is the permission to consume messages using a consumer group. More details about the ACLs and examples of how to use the kafka-acls.sh tool are in the Kafka Docs.
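The two steps the answer describes, adding a SCRAM user and then allowing that user to consume through a consumer group, written out as an added example that is not part of the original answer. The install path, ZooKeeper address, function names, the DRY_RUN switch and the sample user, topic and group are assumptions; the brokers are assumed to already have SCRAM-SHA-256 enabled and SimpleAclAuthorizer configured.

```shell
# Added example: SCRAM user plus consumer ACLs on a running Kafka 2.1 cluster.
# Assumed values, override through the environment:
KAFKA_BIN="${KAFKA_BIN:-/opt/kafka/bin}"   # assumed install location
ZK="${ZK:-localhost:2181}"                 # assumed ZooKeeper address
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print the command, 0 = execute it

# Print the command in dry-run mode, otherwise execute it unchanged.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Conservative allow-list (a choice of this example, not a Kafka rule):
# rejects empty names and names that start with '-' or contain other symbols,
# so a name can never be read as an option or as config syntax.
valid_name() {
  case "$1" in ""|-*|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# add_scram_user USER PASSWORD
# Kafka stores the salt and the derived keys for USER in ZooKeeper,
# so no JAAS file has to be edited and no broker restarted.
add_scram_user() {
  valid_name "$1" || { echo "rejected user name: $1" >&2; return 2; }
  [ -n "$2" ] || { echo "empty password" >&2; return 2; }
  run "$KAFKA_BIN/kafka-configs.sh" --zookeeper "$ZK" --alter \
    --add-config "SCRAM-SHA-256=[iterations=8192,password=$2]" \
    --entity-type users --entity-name "$1"
}

# grant_consumer USER TOPIC GROUP
# --consumer is the convenience option that adds the topic and the
# consumer-group permissions a consuming client needs.
grant_consumer() {
  for n in "$1" "$2" "$3"; do
    valid_name "$n" || { echo "rejected name: $n" >&2; return 2; }
  done
  run "$KAFKA_BIN/kafka-acls.sh" --authorizer-properties "zookeeper.connect=$ZK" \
    --add --allow-principal "User:$1" --consumer --topic "$2" --group "$3"
}

# list_acls TOPIC: review what is currently granted on a topic.
list_acls() {
  valid_name "$1" || { echo "rejected topic name: $1" >&2; return 2; }
  run "$KAFKA_BIN/kafka-acls.sh" --authorizer-properties "zookeeper.connect=$ZK" \
    --list --topic "$1"
}

# Example (constructed names): add_scram_user alice 'constructed-secret'
#                              grant_consumer alice orders orders-readers
```

With DRY_RUN=1 the functions only print the command line for review; set DRY_RUN=0 to run it. The password is passed as a command-line argument and the resulting credentials live in ZooKeeper, so run this from a trusted admin host and restrict access to ZooKeeper.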

