CDH Kafka permission configuration not taking effect

阿瑞斯 Posted: 2020-12-21   Last updated: 2020-12-21  

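I am using the Kafka that ships with CDH, but many of the permission-related configuration items cannot be found by searching the CDH management UI, so I set the relevant properties directly in the underlying configuration file on the CDH server.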

###### Permission configuration #######
listeners=SASL_PLAINTEXT://phm-data01:9092
security.inter.broker.protocal=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256
sasl.enabled.mechanisms=SCRAM-SHA-256
inter.broker.listener.name=SASL_PLAINTEXT
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
allow.everyone.if.no.acl.found=true
super.users=User:admin

CDH Kafka started successfully, but the permission configuration did not take effect:

After adding the following to the code

properties.put("sasl.jaas.config","org.apache.kafka.common.security.scram.ScramLoginModule required username=\"admin\" password=\"123456\";");
properties.put("security.protocol", "SASL_PLAINTEXT");
properties.put("sasl.mechanism", "SCRAM-SHA-256");

it throws this error:

Exception in thread "main" java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.IllegalSaslStateException: Unexpected handshake request with client mechanism SCRAM-SHA-256, enabled mechanisms are []
    at org.apache.kafka.common.internals.KafkaFutureImpl.wrapAndThrow(KafkaFutureImpl.java:45)
    at org.apache.kafka.common.internals.KafkaFutureImpl.access$000(KafkaFutureImpl.java:32)
    at org.apache.kafka.common.internals.KafkaFutureImpl$SingleWaiter.await(KafkaFutureImpl.java:89)
    at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:260)
    at com.lingzhan.kafka.KafkaPrivilege.main(KafkaPrivilege.java:50)
Caused by: org.apache.kafka.common.errors.IllegalSaslStateException: Unexpected handshake request with client mechanism SCRAM-SHA-256, enabled mechanisms are []

Is this because the permission settings configured in the configuration file did not take effect?




  • enabled mechanisms are []
    

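    The list of enabled mechanisms is empty, so the setting did not take effect. First check the Kafka logs for any exceptions.
    Also, I see some other authentication methods in your configuration; I suggest commenting them out to avoid interference.
    For reference: https://www.orchome.com/1966
    First make sure it works from the command line.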

    • Is this related to using CDH Kafka? The log contains this: security.inter.broker.protocol can not be set to SASL_PLAINTEXT, as Kerberos is not enabled on this Kafka broker.

        • PORT: 9092
          JMX_PORT: 9393
          SSL_PORT: 9093
          ENABLE_MONITORING: true
          METRIC_REPORTERS: nl.techop.kafka.KafkaHttpMetricsReporter
          BROKER_HEAP_SIZE: 1024
          BROKER_JAVA_OPTS: -server -XX:+UseG1GC -XX:MaxGCPauseMillis=20 -XX:InitiatingHeapOccupancyPercent=35 -XX:G1HeapRegionSize=16M -XX:MinMetaspaceFreeRatio=50 -XX:MaxMetaspaceFreeRatio=80 -XX:+DisableExplicitGC -Djava.awt.headless=true -Djava.net.preferIPv4Stack=true -Dcom.sun.management.jmxremote.host=127.0.0.1 -Dcom.sun.management.jmxremote.local.only=true -Djava.rmi.server.hostname=127.0.0.1
          BROKER_SSL_ENABLED: false
          KERBEROS_AUTH_ENABLED: false
          DELEGATION_TOKEN_ENABLED: false
          KAFKA_PRINCIPAL:
          SECURITY_INTER_BROKER_PROTOCOL: INFERRED
          AUTHENTICATE_ZOOKEEPER_CONNECTION: true
          SUPER_USERS: kafka
          ZK_PRINCIPAL_NAME: zookeeper
          Final Zookeeper Quorum is phm-data01:2181,phm-data02:2181,phm-data03:2181/kafka
          security.inter.broker.protocol inferred as PLAINTEXT
          LISTENERS=listeners=PLAINTEXT://phm-data02:9092,

            The CDH log says: security.inter.broker.protocol can not be set to SASL_PLAINTEXT, as Kerberos is not enabled on this Kafka broker.
            Does this mean Kerberos must be installed? The Kafka cluster I installed manually did not need this step.
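
The first reply reads the empty list in "enabled mechanisms are []" as the broker not having picked up the SASL settings. As an added example (not code from the thread, CDH or Kafka), this Python check lints a broker properties text for that condition and for the other issues visible in the posted configuration. `lint_sasl`, its finding codes and `EFFECTIVE` (constructed from the CDH startup log lines quoted in the thread) are assumptions of this example.

```python
import difflib

# Broker keys that appear in the configuration posted in this thread.
SASL_KEYS = """listeners security.inter.broker.protocol sasl.enabled.mechanisms
sasl.mechanism.inter.broker.protocol inter.broker.listener.name
authorizer.class.name allow.everyone.if.no.acl.found super.users""".split()

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def lint_sasl(text, client_mechanism="SCRAM-SHA-256"):
    """Return finding codes (hypothetical names) for a broker properties text."""
    props, findings = parse_properties(text), []
    for key in props:  # near-miss key names: a typo, not the intended setting
        near = difflib.get_close_matches(key, SASL_KEYS, n=1, cutoff=0.9)
        if key not in SASL_KEYS and near:
            findings.append(f"misspelled-key:{key}->{near[0]}")
    listeners = props.get("listeners", "").split(",")
    # Assumption: listener names equal security protocol names, as in the thread.
    if not any(l.strip().startswith("SASL_") for l in listeners):
        findings.append("no-sasl-listener")
    enabled = {m.strip() for m in props.get("sasl.enabled.mechanisms", "").split(",")}
    if client_mechanism not in enabled:  # the case behind "enabled mechanisms are []"
        findings.append("client-mechanism-not-enabled")
    if "security.inter.broker.protocol" in props and "inter.broker.listener.name" in props:
        findings.append("both-inter-broker-settings")  # Kafka accepts only one of the two
    if props.get("allow.everyone.if.no.acl.found", "").lower() == "true":
        findings.append("acl-default-allow")  # resources without ACLs are open to everyone
    return findings

# Subset of the hand-edited settings posted in the question, copied as written.
HAND_EDITED = """\
listeners=SASL_PLAINTEXT://phm-data01:9092
security.inter.broker.protocal=SASL_PLAINTEXT
sasl.enabled.mechanisms=SCRAM-SHA-256
inter.broker.listener.name=SASL_PLAINTEXT
allow.everyone.if.no.acl.found=true
"""
# Constructed: the settings the CDH startup log in the thread says the broker used.
EFFECTIVE = "listeners=PLAINTEXT://phm-data02:9092\nsecurity.inter.broker.protocol=PLAINTEXT\n"

if __name__ == "__main__":
    print(lint_sasl(HAND_EDITED), lint_sasl(EFFECTIVE), sep="\n")
```

Run it against the properties file the broker process was actually started with, not only the file that was edited by hand, since the two differ in this thread.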