问题描述
我正在尝试设置我的 kafka 集群以接受 SASL_SSL / SCRAM 身份验证。 首先,一切正常,客户端使用 SASL_SSL / GSSAPI 进行连接。我的 Zk 服务器也配置为 SASL 身份验证和 TLS。
我正在为 Kafka 和 Zk 使用融合的 docker 镜像:
- confluentinc/cp-kafka:6.0.1
- confluentinc/cp-zookeeper:5.5.3-3
所以我只是修改了我的设置以允许在 Kafka 中使用 SCRAM-SHA-512:KAFKA_SASL_ENABLED_MECHANISMS=GSSAPI,SCRAM-SHA-512
在 these instructions 之后,我现在想在 Zk 中添加用户,这就是问题的开始(来自 Kafka 节点):
[root@kafka1 [RCI] ~]# /usr/bin/podman exec kafka kafka-configs --zk-tls-config-file /etc/kafka/secrets/zk-ssl.properties --zookeeper Zk:3181 --alter --entity-type topics --entity-name test_jerome --add-config 'retention.ms=1'
Warning: --zookeeper is deprecated and will be removed in a future version of Kafka.
Use --bootstrap-server instead to specify a broker to connect to.
[2021-01-21 17:44:14,807] WARN zookeeper.ssl.keyStore.location not specified (org.apache.zookeeper.common.X509Util)
Error while executing config command with args '--zk-tls-config-file /etc/kafka/secrets/zk-ssl.properties --zookeeper Zk:3181 --alter --entity-type topics --entity-name test_jerome --add-config retention.ms=1'
org.apache.zookeeper.KeeperException$InvalidACLException: KeeperErrorCode = InvalidACL for /config/changes
at org.apache.zookeeper.KeeperException.create(KeeperException.java:128)
at org.apache.zookeeper.KeeperException.create(KeeperException.java:54)
at kafka.zookeeper.AsyncResponse.maybeThrow(ZooKeeperClient.scala:564)
at kafka.zk.KafkaZkClient.createRecursive(KafkaZkClient.scala:1646)
at kafka.zk.KafkaZkClient.makeSurePersistentPathExists(KafkaZkClient.scala:1568)
at kafka.zk.KafkaZkClient.createConfigChangeNotification(KafkaZkClient.scala:395)
at kafka.zk.AdminZkClient.changeEntityConfig(AdminZkClient.scala:385)
at kafka.zk.AdminZkClient.changetopicConfig(AdminZkClient.scala:342)
at kafka.zk.AdminZkClient.changeConfigs(AdminZkClient.scala:278)
at kafka.admin.ConfigCommand$.alterConfigWithZk(ConfigCommand.scala:167)
at kafka.admin.ConfigCommand$.processCommandWithZk(ConfigCommand.scala:118)
at kafka.admin.ConfigCommand$.main(ConfigCommand.scala:92)
at kafka.admin.ConfigCommand.main(ConfigCommand.scala)
Error: non zero exit code: 1: OCI runtime error
ZK 日志并没有真正的帮助:
[2021-01-21 17:58:08,333] INFO Successfully authenticated client: authenticationID=admin; authorizationID=admin. (org.apache.zookeeper.server.auth.SaslServerCallbackHandler)
[2021-01-21 17:58:08,333] INFO Setting authorizedID: admin (org.apache.zookeeper.server.auth.SaslServerCallbackHandler)
[2021-01-21 17:58:08,334] INFO adding SASL authorization for authorizationID: admin (org.apache.zookeeper.server.ZooKeeperServer)
[2021-01-21 17:58:08,334] INFO adding SASL authorization for authorizationID: admin (org.apache.zookeeper.server.ZooKeeperServer)
如您所见,SASL 身份验证有效,并且可以很好地识别管理员用户。
如果我登录到 Zk shell(从 Zk 节点),您可以看到 acl 已完全打开:
getAcl /config/users
'world,'anyone
: cdrwa
getAcl /config
'world,'anyone
: cdrwa
getAcl /
'world,'anyone
: cdrwa
如果我在 Zk shell(从 Zk 节点)内创建目录,它会起作用:
create /config/users/topicctl
Created /config/users/topicctl
执行此操作时,Zk 服务器上没有日志,因为我没有进行身份验证。
请问可能是什么问题?
解决方法
感谢这篇文章,我终于找到了我的问题:Kafka not starting up if zookeeper.set.acl is set to true
我刚刚将此信息添加到 KAFKA_OPTS 环境变量中:"-Dzookeeper.kerberos.removeHostFromPrincipal=true -Dzookeeper.kerberos.removeRealmFromPrincipal=true -Dzookeeper.authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider -Dzookeeper.requireClientAuthScheme=sasl"
我现在的主要问题是:为什么 sasl 身份验证在此之前有效!