Kafka error "KeeperErrorCode = NoAuth for /kafka-acl/TransactionalId" when creating an ACL

Problem description

I'm trying to set up my first Kafka cluster with Confluent 6.0.1 Community Edition. I have three ZooKeeper and three Kafka nodes. The three server nodes are:

  1. kafkaserver1
  2. kafkaserver2
  3. kafkaserver3

Each node runs both the ZooKeeper and the Kafka service. Authentication is SASL_SSL using SCRAM-SHA-256.

Both the ZooKeeper and the Kafka services appear to be running fine, but when I try to assign ACLs I get the following error

Error while executing ACL command: KeeperErrorCode = NoAuth for /kafka-acl/TransactionalId
org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /kafka-acl/TransactionalId
        at org.apache.zookeeper.KeeperException.create(KeeperException.java:120)
        at org.apache.zookeeper.KeeperException.create(KeeperException.java:54)
        at kafka.zookeeper.AsyncResponse.maybeThrow(ZooKeeperClient.scala:564)
        at kafka.zk.KafkaZkClient.createRecursive(KafkaZkClient.scala:1646)
        at kafka.zk.KafkaZkClient.$anonfun$createAclPaths$2(KafkaZkClient.scala:1111)
        at kafka.zk.KafkaZkClient.$anonfun$createAclPaths$2$adapted(KafkaZkClient.scala:1111)
        at scala.collection.immutable.HashSet.foreach(HashSet.scala:932)
        at kafka.zk.KafkaZkClient.$anonfun$createAclPaths$1(KafkaZkClient.scala:1111)
        at kafka.zk.KafkaZkClient.$anonfun$createAclPaths$1$adapted(KafkaZkClient.scala:1109)
        at scala.collection.IterableOnceOps.foreach(IterableOnce.scala:553)
        at scala.collection.IterableOnceOps.foreach$(IterableOnce.scala:551)
        at scala.collection.AbstractIterable.foreach(Iterable.scala:920)
        at kafka.zk.KafkaZkClient.createAclPaths(KafkaZkClient.scala:1109)
        at kafka.security.authorizer.AclAuthorizer.configure(AclAuthorizer.scala:169)
        at kafka.admin.AclCommand$AuthorizerService.addAcls(AclCommand.scala:212)
        at kafka.admin.AclCommand$.main(AclCommand.scala:70)
        at kafka.admin.AclCommand.main(AclCommand.scala)

zookeeper.properties (identical on all three servers)

tickTime=2000
dataDir=/var/lib/confluent/zookeeper/
clientPort=2181
initLimit=5
synclimit=2
server.1=kafkaserver1:2888:3888
server.2=kafkaserver2:2888:3888
server.3=kafkaserver3:2888:3888
autopurge.snapRetainCount=3
autopurge.purgeInterval=24


authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
authProvider.2=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
authProvider.3=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000
requireClientAuthScheme=sasl

server.properties (identical on all nodes)

security.inter.broker.protocol=SASL_SSL
ssl.client.auth=required
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256
sasl.enabled.mechanisms=SCRAM-SHA-512,PLAIN,SCRAM-SHA-256
ssl.keymanager.algorithm=SunX509
ssl.keystore.location=/opt/confluent-community/certs/kafka.server.keystore.jks
ssl.keystore.password=Password1
ssl.key.password=Password1
ssl.keystore.type=JKS
ssl.protocol=TLS
ssl.trustmanager.algorithm=PKIX
ssl.truststore.location=/opt/confluent-community/certs/kafka.server.truststore.jks
ssl.truststore.password=Password1
ssl.truststore.type=JKS
#authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
super.users=User:admin
zookeeper.set.acl=true
allow.everyone.if.no.acl.found=true

server.properties (node-specific; for brevity only the "kafkaserver1" node is shown)

listeners=PLAINTEXT://kafkaserver1:9092,SSL://kafkaserver1:9093,SASL_SSL://kafkaserver1:9094
advertised.listeners=PLAINTEXT://kafkaserver1:9092,SSL://kafkaserver1,SASL_SSL://kafkaserver1:9094
zookeeper.connect=kafkaserver1:2181,kafkaserver2:2181,kafkaserver3:2181

ZooKeeper JAAS config file (identical on all nodes)

Server {
       org.apache.zookeeper.server.auth.DigestLoginModule required
       user_super="Architecture@20"
       user_kafka="Kafka@20";
};

Kafka JAAS config file (identical on all nodes)

KafkaServer {
   org.apache.kafka.common.security.scram.ScramLoginModule required
   username="admin"
   password="admin-secret";
};

Client {
   org.apache.zookeeper.server.auth.DigestLoginModule required
   username="kafka"
   password="kafka-secret"
   user-admin="admin";
};

I started the ZooKeeper nodes and created the admin ACL with the following:

$KAFKA_HOME/bin/kafka-configs.sh --zookeeper kafkaserver1:2181,kafkaserver3:2181 --alter --add-config 'SCRAM-SHA-256=[password=admin-secret],SCRAM-SHA-512=[password=admin-secret]' --entity-type users --entity-name admin

The demo user was created as shown below

$KAFKA_HOME/bin/kafka-configs.sh --zookeeper kafkaserver1:2181,kafkaserver3:2181 --alter --add-config 'SCRAM-SHA-256=[iterations=8192,password=demouser-secret],SCRAM-SHA-512=[password=demouser-secret]' --entity-type users --entity-name demouser

So far everything has worked fine..

Now, the next step is to assign an ACL to the demo user by running the following (ideally this should create a topic and add the ACLs for the user)

$KAFKA_HOME/bin/kafka-acls.sh --authorizer-properties zookeeper.connect=kafkaserver1:2181,kafkaserver3:2181 --add --allow-principal User:demouser --operation Create --operation Describe  --topic demo-topic

When I run the command above, it throws the error quoted at the start of this thread

Solution

No working solution for this problem has been found yet.
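Two checks worth running against the configuration above, written up as an added example. This is my own code, not code from the original poster, Apache Kafka or Confluent, and every function name in it (audit_broker_config, parse_acl_list, is_permitted, can_create_child) and both sample inputs are my own constructions. Background that the example relies on: with zookeeper.set.acl=true the broker creates its znodes (including the /kafka-acl tree) with ACLs that grant full rights only to the SASL identity the broker itself used to authenticate to ZooKeeper, plus world read; any tool that writes to ZooKeeper directly, such as kafka-acls.sh with --authorizer-properties zookeeper.connect=... or kafka-configs.sh --zookeeper, has to authenticate as that same identity through the Client section of a JAAS file passed in KAFKA_OPTS with -Djava.security.auth.login.config=..., or ZooKeeper answers create() with NoAuth. The second sample below is what such a znode ACL looks like in the scheme:id:perms syntax that zookeeper-shell's setAcl accepts; the first is the security-relevant subset of the posted server.properties.

```python
"""Added example; not code from the original post, Apache Kafka or Confluent.

1. audit_broker_config(): flags server.properties settings that let clients
   bypass the ACLs the question is trying to create.
2. parse_acl_list() / is_permitted() / can_create_child(): interprets a znode
   ACL in setAcl syntax and decides whether a session may create a child node,
   the permission whose absence ZooKeeper reports as KeeperErrorCode = NoAuth.
"""
from dataclasses import dataclass

# Constructed sample: the security-relevant keys from the posted server.properties.
SAMPLE_SERVER_PROPERTIES = """\
security.inter.broker.protocol=SASL_SSL
ssl.client.auth=required
sasl.enabled.mechanisms=SCRAM-SHA-512,PLAIN,SCRAM-SHA-256
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
super.users=User:admin
zookeeper.set.acl=true
allow.everyone.if.no.acl.found=true
listeners=PLAINTEXT://kafkaserver1:9092,SSL://kafkaserver1:9093,SASL_SSL://kafkaserver1:9094
"""

# Constructed sample znode ACL (setAcl syntax): full rights for the SASL identity
# that created the node, read-only for everyone else.
SAMPLE_KAFKA_ACL_ZNODE = "sasl:kafka:cdrwa,world:anyone:r"


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments, blanks."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit_broker_config(props):
    """Return findings about settings that weaken Kafka ACL enforcement."""
    findings = []
    listeners = [l.strip() for l in props.get("listeners", "").split(",") if l.strip()]
    protocols = {l.split("://", 1)[0] for l in listeners}
    if "PLAINTEXT" in protocols:
        findings.append("PLAINTEXT listener: clients are unauthenticated and act as User:ANONYMOUS")
    if "SSL" in protocols and props.get("ssl.client.auth") != "required":
        findings.append("SSL listener without ssl.client.auth=required: clients act as User:ANONYMOUS")
    if props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append("allow.everyone.if.no.acl.found=true: resources with no ACL are open to every principal, ANONYMOUS included")
    mechanisms = {m.strip() for m in props.get("sasl.enabled.mechanisms", "").split(",")}
    if "PLAIN" in mechanisms:
        findings.append("PLAIN enabled alongside SCRAM: passwords are sent in clear inside TLS and stored in the broker JAAS file")
    return findings


@dataclass(frozen=True)
class ZkAcl:
    scheme: str  # "world", "sasl", "digest", ...
    ident: str   # "anyone", a SASL principal, or "user:hash" for digest
    perms: str   # any of the letters c r w d a


def parse_acl_list(text):
    """Parse "scheme:id:perms,..." into ZkAcl objects. Digest ids contain ':',
    so the scheme is split off the front and the perms off the back."""
    acls = []
    for entry in text.split(","):
        entry = entry.strip()
        if not entry:
            continue
        scheme, rest = entry.split(":", 1)
        ident, perms = rest.rsplit(":", 1)
        acls.append(ZkAcl(scheme, ident, perms))
    return acls


def is_permitted(acls, perm, session_ids):
    """True if a session holding session_ids, a set of (scheme, id) pairs such
    as {("sasl", "kafka")}, has perm ('c' create, 'r' read, 'w' write,
    'd' delete, 'a' admin). world:anyone matches every session, even an
    unauthenticated one; any other entry must match an id the session holds."""
    for acl in acls:
        if perm not in acl.perms:
            continue
        if acl.scheme == "world" and acl.ident == "anyone":
            return True
        if (acl.scheme, acl.ident) in session_ids:
            return True
    return False


def can_create_child(acl_text, session_ids):
    """ZooKeeper checks 'c' on the parent znode before a create(); a session
    without it gets KeeperErrorCode = NoAuth, as in the posted stack trace."""
    return is_permitted(parse_acl_list(acl_text), "c", session_ids)


if __name__ == "__main__":
    for finding in audit_broker_config(parse_properties(SAMPLE_SERVER_PROPERTIES)):
        print("finding:", finding)
    for ids in (set(), {("sasl", "demouser")}, {("sasl", "kafka")}):
        print(ids or "unauthenticated", "create under /kafka-acl ->",
              can_create_child(SAMPLE_KAFKA_ACL_ZNODE, ids))
```

Run it with python3 and it prints the three findings for the posted broker config and shows that, against the sample ACL, only a session authenticated as sasl:kafka may create children while unauthenticated and other SASL sessions can only read. To see the real ACLs on the cluster, run getAcl /kafka-acl from bin/zookeeper-shell.sh and feed the entries to parse_acl_list in the setAcl form.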
