kafka认证方式
对于连接kafka,
常见安全协议组合:
- PLAINTEXT: 不加密,不认证
- SSL: 仅TLS加密
- SASL_PLAINTEXT: SASL认证,不加密
- SASL_SSL: SASL认证+TLS加密(最安全)
1. PLAINTEXT (不加密,不认证)
// 1. PLAINTEXT: no TLS and no authentication — the broker cannot tell who is connecting,
// and anything on the network path can read or alter the traffic. Isolated dev/lab use only.
Properties props = new Properties();
props.setProperty(ConsumerConfig.BOOTSTRAP_SERVERS_CONFIG, "kafka-broker1:9092,kafka-broker2:9092");
props.setProperty(ConsumerConfig.GROUP_ID_CONFIG, "test-group");
// PLAINTEXT is the default; it is stated explicitly so the (absent) security posture is visible in the config.
props.setProperty(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "PLAINTEXT");
// Both keys and values are plain strings.
String stringDeserializer = StringDeserializer.class.getName();
props.setProperty(ConsumerConfig.KEY_DESERIALIZER_CLASS_CONFIG, stringDeserializer);
props.setProperty(ConsumerConfig.VALUE_DESERIALIZER_CLASS_CONFIG, stringDeserializer);
KafkaConsumer<String, String> consumer = new KafkaConsumer<>(props);
2. SSL (仅TLS加密)
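// 2. SSL: TLS encryption. The broker is authenticated by its certificate (validated against the
// truststore); the client is authenticated only when a keystore is configured (mutual TLS).
Properties props = new Properties();
props.put(ConsumerConfig.BOOTSTRAP_SERVERS_CONFIG, "kafka-broker1:9093");
props.put(ConsumerConfig.GROUP_ID_CONFIG, "ssl-group");
props.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SSL");

// Store passwords are secrets: read them from the environment (or a secret manager) instead of
// committing literals to source. The env var names below are constructed examples — rename for your deployment.
String truststorePassword = java.util.Objects.requireNonNull(
        System.getenv("KAFKA_TRUSTSTORE_PASSWORD"), "KAFKA_TRUSTSTORE_PASSWORD is not set");
// SSL settings (same as for the producer): the truststore holds the CA that signed the broker certificates.
props.put(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, "/path/to/client.truststore.jks");
props.put(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, truststorePassword);
// Hostname verification (ssl.endpoint.identification.algorithm) defaults to "https"; leave it at the
// default — setting it to "" disables it and lets any certificate trusted by the CA impersonate the broker.

// Only if the broker requires mutual TLS (ssl.client.auth=required): the client's own key pair.
String keystorePassword = java.util.Objects.requireNonNull(
        System.getenv("KAFKA_KEYSTORE_PASSWORD"), "KAFKA_KEYSTORE_PASSWORD is not set");
String keyPassword = java.util.Objects.requireNonNull(
        System.getenv("KAFKA_KEY_PASSWORD"), "KAFKA_KEY_PASSWORD is not set");
props.put(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG, "/path/to/client.keystore.jks");
props.put(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, keystorePassword);
props.put(SslConfigs.SSL_KEY_PASSWORD_CONFIG, keyPassword);

// Consumer-specific settings
props.put(ConsumerConfig.AUTO_OFFSET_RESET_CONFIG, "earliest");
// Auto-commit disabled: the application decides when offsets are committed.
props.put(ConsumerConfig.ENABLE_AUTO_COMMIT_CONFIG, "false");
KafkaConsumer<String, String> consumer = new KafkaConsumer<>(props);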
3. SASL_PLAINTEXT (SASL认证,不加密)
3.1 PLAIN机制
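// 3.1 PLAIN mechanism: a username/password pair is presented to the broker.
// Over SASL_PLAINTEXT the connection is not encrypted, so the password — and every record —
// travels in cleartext. Prefer SASL_SSL (section 4); SCRAM (3.2) at least avoids sending the password itself.
Properties props = new Properties();
props.put(ConsumerConfig.BOOTSTRAP_SERVERS_CONFIG, "kafka-broker1:9094");
props.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SASL_PLAINTEXT");
props.put(SaslConfigs.SASL_MECHANISM, "PLAIN");
// Credentials from the environment rather than source literals (env var names are constructed examples).
String saslUsername = java.util.Objects.requireNonNull(
        System.getenv("KAFKA_SASL_USERNAME"), "KAFKA_SASL_USERNAME is not set");
String saslPassword = java.util.Objects.requireNonNull(
        System.getenv("KAFKA_SASL_PASSWORD"), "KAFKA_SASL_PASSWORD is not set");
// NOTE(review): the JAAS option values are double-quoted; a credential containing '"' would need
// escaping for the JAAS parser — confirm the escaping rules before allowing such characters.
props.put(SaslConfigs.SASL_JAAS_CONFIG,
        "org.apache.kafka.common.security.plain.PlainLoginModule required "
        + "username=\"" + saslUsername + "\" "
        + "password=\"" + saslPassword + "\";");
// Consumer-specific settings
props.put(ConsumerConfig.GROUP_ID_CONFIG, "sasl-group");
props.put(ConsumerConfig.MAX_POLL_RECORDS_CONFIG, "500");
KafkaConsumer<String, String> consumer = new KafkaConsumer<>(props);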
3.2 SCRAM-SHA-256机制
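// 3.2 SCRAM-SHA-256: salted challenge-response, so the password itself is never sent to the broker.
// The transport is still unencrypted under SASL_PLAINTEXT — records and the session remain in the clear.
props.put(SaslConfigs.SASL_MECHANISM, "SCRAM-SHA-256");
// Credentials from the environment rather than source literals (env var names are constructed examples).
String scramUsername = java.util.Objects.requireNonNull(
        System.getenv("KAFKA_SCRAM_USERNAME"), "KAFKA_SCRAM_USERNAME is not set");
String scramPassword = java.util.Objects.requireNonNull(
        System.getenv("KAFKA_SCRAM_PASSWORD"), "KAFKA_SCRAM_PASSWORD is not set");
// NOTE(review): JAAS option values are double-quoted; confirm escaping rules before allowing '"' in credentials.
props.put(SaslConfigs.SASL_JAAS_CONFIG,
        "org.apache.kafka.common.security.scram.ScramLoginModule required "
        + "username=\"" + scramUsername + "\" "
        + "password=\"" + scramPassword + "\";");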
3.3 Kerberos (GSSAPI) 机制
// 3.3 Kerberos (GSSAPI): the client authenticates with a keytab instead of a password.
// The keytab file is the credential — restrict its filesystem permissions to the service account.
String krb5JaasConfig =
        "com.sun.security.auth.module.Krb5LoginModule required "
        + "useKeyTab=true "   // authenticate from the keytab rather than prompting for a password
        + "storeKey=true "    // store the principal's key in the Subject's private credentials
        + "keyTab=\"/path/to/keytab.keytab\" "
        + "principal=\"kafka-client@YOUR.REALM\";";
props.put(SaslConfigs.SASL_MECHANISM, "GSSAPI");
props.put(SaslConfigs.SASL_JAAS_CONFIG, krb5JaasConfig);
// Must match the primary of the broker's Kerberos principal (the broker's sasl.kerberos.service.name).
props.put(SaslConfigs.SASL_KERBEROS_SERVICE_NAME, "kafka");
4. SASL_SSL (SASL认证 + TLS加密)
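// 4. SASL_SSL: SASL authentication over a TLS-encrypted channel — the recommended combination,
// because the credentials exchanged by PLAIN are protected by TLS and the broker is certificate-authenticated.
Properties props = new Properties();
props.put(ConsumerConfig.BOOTSTRAP_SERVERS_CONFIG, "kafka-broker1:9095");
props.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SASL_SSL");
// SSL settings: the truststore holds the CA that signed the broker certificates.
// Secrets come from the environment, not from source literals (env var names are constructed examples).
String truststorePassword = java.util.Objects.requireNonNull(
        System.getenv("KAFKA_TRUSTSTORE_PASSWORD"), "KAFKA_TRUSTSTORE_PASSWORD is not set");
props.put(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, "/path/to/client.truststore.jks");
props.put(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, truststorePassword);
// SASL settings (PLAIN shown; SCRAM or GSSAPI from section 3 plug in the same way).
String saslUsername = java.util.Objects.requireNonNull(
        System.getenv("KAFKA_SASL_USERNAME"), "KAFKA_SASL_USERNAME is not set");
String saslPassword = java.util.Objects.requireNonNull(
        System.getenv("KAFKA_SASL_PASSWORD"), "KAFKA_SASL_PASSWORD is not set");
props.put(SaslConfigs.SASL_MECHANISM, "PLAIN");
// NOTE(review): JAAS option values are double-quoted; confirm escaping rules before allowing '"' in credentials.
props.put(SaslConfigs.SASL_JAAS_CONFIG,
        "org.apache.kafka.common.security.plain.PlainLoginModule required "
        + "username=\"" + saslUsername + "\" "
        + "password=\"" + saslPassword + "\";");
// Consumer-specific settings
props.put(ConsumerConfig.GROUP_ID_CONFIG, "secure-group");
// read_committed: only records from committed transactions are returned (pairs with transactional producers).
props.put(ConsumerConfig.ISOLATION_LEVEL_CONFIG, "read_committed");
props.put(ConsumerConfig.AUTO_OFFSET_RESET_CONFIG, "earliest");
KafkaConsumer<String, String> consumer = new KafkaConsumer<>(props);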