apache-kafka - 使用 TLS 的节点之间的 Kafka 授权

问题描述

我在 Kafka 2.6 上使用授权 ACL 很糟糕。我有 TLS 设置并且在我的客户端应用程序和所有 kafka 节点之间工作正常。我在 server.properties 文件中有 acl 属性

#TLS Portion
advertised.listeners=SSL://10.1.1.2:9092
listeners=SSL://:9092
ssl.keystore.location=/opt/kafka/keystore.jks
ssl.keystore.password=password
ssl.key.password=password
ssl.truststore.location=/opt/kafka/truststore.jks
ssl.truststore.password=password
ssl.enabled.protocols=TLSv1.2
ssl.client.auth=required
security.inter.broker.protocol=SSL
security.protocol=SSL

#ACL Portion
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
super.users=User:CN=me@me.me

I have DEBUG enabled for the authorization logs. If I set the allow.everyone~ to true it works, because it stops worrying about authorization/ACLs I presume and currently the super.users value is being used for my client app and working fine per the DEBUG messages.

As I start the service on each node I get the ClusterAction not permitted when the node look like they are attempting to request UpdateMetadata from one another.

I have applied ACL entry assuming the server CN=server.side

bin/kafka-acls.sh --authorizer kafka.security.authorizer.AclAuthorizer --authorizer-properties zookeeper.connect=10.1.1.5:2181 --add --allow-principal User:CN=server.side  --operation ClusterAction --cluster sample-cluster

across all nodes, no dice.

I attempt to set with --operation ALL and that didn't work. I also attempt to point the command at the node instead with --bootstrap-server and this is failing to return anything at all and I can a timeout error ( I am guessing that it takes the ACL entry but then can't propagate it out to the other nodes because of the above issue).

我已经为不同权限方案的主题、消费者和生产者添加了 ACL，但这似乎只发生在节点尝试交叉通信时启动时。结果，我最终得到了客户端应用程序消费者和生产者，它们可以连接、授权到各自的主题，但最终没有领导元数据问题。

我整天都在谷歌上；有谁熟悉这个？TIA

标签： apache-kafkaacltls1.2