A third-party open-source SSL library for Kafka
阿新 • Published: 2019-02-03
Introduction
Before Kafka 0.8.2 the official distribution offered no support for any security mechanism. On GitHub there is an open-source project called kafka-ssl; this article describes how to install and use it.
Installation
Download the latest version of kafka-ssl.
Create custom keystore files for authenticating the server and the client.
Generate the server keystore:
keytool -genkey -alias server -keypass kafkasure -keyalg RSA -keysize 1024 -validity 365 -keystore myserver.keystore -storepass surekafka -dname "CN=opensure, OU=xxxx, O=xxxx, L=shanghai, ST=shanghai, C=CN"
Export the server's trustedCertEntry:
keytool -v -export -file myserver.cer -keystore myserver.keystore -alias server -storepass surekafka
Generate the client keystore:
keytool -genkey -alias client -keypass kafkasure -keyalg RSA -keysize 1024 -validity 365 -keystore myclient.keystore -storepass surekafka -dname "CN=opensure, OU=xxxx, O=xxxx, L=shanghai, ST=shanghai, C=CN"
Export the client's trustedCertEntry:
keytool -v -export -file myclient.cer -keystore myclient.keystore -alias client -storepass surekafka
Import the server's trustedCertEntry into the client keystore:
keytool -import -keystore myclient.keystore -file myserver.cer -alias server -keypass kafkasure -storepass surekafka
At the trust prompt, enter: yes
Import the client's trustedCertEntry into the server keystore:
keytool -import -keystore myserver.keystore -file myclient.cer -alias client -keypass kafkasure -storepass surekafka
At the trust prompt, enter: yes
Listing the client and server keystores now shows that each contains both a PrivateKeyEntry and a trustedCertEntry:
keytool -list -v -keystore myserver.keystore -storepass surekafka
keytool -list -v -keystore myclient.keystore -storepass surekafka
client.security.properties
# Keystore file
keystore.type=jks
keystore=config/myclient.keystore
keystorePwd=surekafka
keyPwd=kafkasure
# Truststore file
truststore=config/myclient.keystore
truststorePwd=surekafka
server.security.properties
# type of keystore
keystore.type=jks
# Request client auth
want.client.auth=true
# Require client auth
need.client.auth=true
# Keystore file
keystore=config/myserver.keystore
keystorePwd=surekafka
keyPwd=kafkasure
# Truststore file
truststore=config/myserver.keystore
truststorePwd=surekafka
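The two properties files above are what the broker and the console clients read at startup, and the setting that actually enforces mutual TLS is need.client.auth (want.client.auth alone only requests a certificate). As an added example that is not part of the kafka-ssl project, the following script parses a file in that format and reports the settings a reviewer would check; the two sample configurations are constructed inline, one copied from the server file above and one weakened variant.

```python
"""Audit a kafka-ssl *.security.properties file for weak TLS settings.
Added example, not code from the kafka-ssl project; the property names are the
ones used in the client/server files above, the sample texts are constructed."""

# Constructed copy of the server.security.properties shown above.
SERVER_PROPS = """# type of keystore
keystore.type=jks
want.client.auth=true
need.client.auth=true
keystore=config/myserver.keystore
keystorePwd=surekafka
keyPwd=kafkasure
truststore=config/myserver.keystore
truststorePwd=surekafka
"""

# Constructed variant: the broker only *requests* a client certificate.
WEAK_SERVER_PROPS = SERVER_PROPS.replace("need.client.auth=true", "need.client.auth=false")


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def audit(props, role):
    """Return (severity, message) findings for a 'server' or 'client' config."""
    findings = []
    if role == "server" and props.get("need.client.auth", "false").lower() != "true":
        # want.client.auth only asks for a certificate; without need.client.auth=true
        # a client that presents none is still accepted, so there is no mutual TLS.
        findings.append(("high", "need.client.auth is not true; anonymous clients are accepted"))
    for key in ("keystore", "truststore"):
        if not props.get(key):
            findings.append(("high", f"{key} is not set"))
    if props.get("keystore") and props.get("keystore") == props.get("truststore"):
        findings.append(("info", "keystore doubles as truststore; the private key and the "
                                 "trusted peer certificates live in one file"))
    for key in ("keystorePwd", "truststorePwd", "keyPwd"):
        if props.get(key):
            findings.append(("medium", f"{key} is stored in clear text; restrict file permissions"))
    return findings


def has_high(findings):
    """True when any finding is severity 'high'."""
    return any(sev == "high" for sev, _ in findings)
```

Running audit() over the server file above yields no high-severity finding, only the clear-text password and shared-file notes; flipping need.client.auth to false produces the high-severity one.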
# Package the release as a .tar.gz
./gradlew releaseTarGz
# Start ZooKeeper
bin/zookeeper-server-start.sh config/zookeeper.properties
# Start the Kafka broker
bin/kafka-server-start.sh config/server.properties
# Create a topic
bin/kafka-topics.sh --create --zookeeper name:2182 --replication-factor 1 --partitions 1 --topic test2
# Produce
bin/kafka-console-producer.sh --broker-list name:9092 --secure --client.security.file config/client.security.properties --topic test2
# Consume
bin/kafka-console-consumer.sh --security.config.file config/client.security.properties --zookeeper name:2182 --topic test2
Usage
Java API consumer example: kafka-ssl0.8.2\src\consumer\ConsumerGroupExample.java
Java API producer example: kafka-ssl0.8.2\src\consumer\ReadLocalProducer.java
Notes:
1. On Windows the examples give no response or output; run them on Linux instead. The required jars can be found in the lib directory of the release.
2. When consuming through the Java API, the following property must be set:
props.put("security.config.file","/opt/kafka_2.10-0.8.2-SNAPSHOT/config/client.security.properties");
3. When producing through the Java API, the following properties must be set:
props.put("secure","true");
props.put("client.security.file","/opt/kafka_2.10-0.8.2-SNAPSHOT/config/client.security.properties");