Security Configuration
Apache Kafka 支持客户端和代理之间的安全连接。要利用此功能,请遵循 Apache Kafka Documentation 以及 Kafka 0.9 security guidelines from the Confluent documentation 中的准则。使用 spring.cloud.stream.kafka.binder.configuration 选项来设置粘合剂创建的所有客户端的安全属性。
Apache Kafka supports secure connections between client and brokers.
To take advantage of this feature, follow the guidelines in the Apache Kafka Documentation as well as the Kafka 0.9 security guidelines from the Confluent documentation.
Use the spring.cloud.stream.kafka.binder.configuration option to set security properties for all clients created by the binder.
例如,要将 security.protocol 设置为 SASL_SSL,请设置以下属性:
For example, to set security.protocol to SASL_SSL, set the following property:
spring.cloud.stream.kafka.binder.configuration.security.protocol=SASL_SSL所有其他安全属性都可以以类似的方式设置。
All the other security properties can be set in a similar manner.
使用 Kerberos 时,请按照 reference documentation 中的说明创建 JAAS 配置并引用它。
When using Kerberos, follow the instructions in the reference documentation for creating and referencing the JAAS configuration.
Spring Cloud Stream 支持通过使用 JAAS 配置文件和使用 Spring Boot 属性将 JAAS 配置信息传递给应用程序。
Spring Cloud Stream supports passing JAAS configuration information to the application by using a JAAS configuration file and using Spring Boot properties.
Using JAAS Configuration Files
可以使用系统属性为 Spring Cloud Stream 应用程序设置 JAAS 和(可选)krb5 文件位置。以下示例演示如何通过使用 JAAS 配置文件使用 SASL 和 Kerberos 启动 Spring Cloud Stream 应用程序:
The JAAS and (optionally) krb5 file locations can be set for Spring Cloud Stream applications by using system properties. The following example shows how to launch a Spring Cloud Stream application with SASL and Kerberos by using a JAAS configuration file:
java -Djava.security.auth.login.config=/path.to/kafka_client_jaas.conf -jar log.jar \
--spring.cloud.stream.kafka.binder.brokers=secure.server:9092 \
--spring.cloud.stream.bindings.input.destination=stream.ticktock \
--spring.cloud.stream.kafka.binder.configuration.security.protocol=SASL_PLAINTEXTUsing Spring Boot Properties
作为拥有 JAAS 配置文件的替代方案,Spring Cloud Stream 提供了一种通过使用 Spring Boot 属性为 Spring Cloud Stream 应用程序设置 JAAS 配置的机制。
As an alternative to having a JAAS configuration file, Spring Cloud Stream provides a mechanism for setting up the JAAS configuration for Spring Cloud Stream applications by using Spring Boot properties.
以下属性可用于配置 Kafka 客户端的登录上下文:
The following properties can be used to configure the login context of the Kafka client:
- spring.cloud.stream.kafka.binder.jaas.loginModule
-
The login module name. Not necessary to be set in normal cases.
默认值:
com.sun.security.auth.module.Krb5LoginModule。
Default: com.sun.security.auth.module.Krb5LoginModule.
- spring.cloud.stream.kafka.binder.jaas.controlFlag
-
The control flag of the login module.
默认值:
required。
Default: required.
- spring.cloud.stream.kafka.binder.jaas.options
-
Map with a key/value pair containing the login module options.
默认值:空映射。
Default: Empty map.
以下示例演示如何通过使用 Spring Boot 配置属性使用 SASL 和 Kerberos 启动 Spring Cloud Stream 应用程序:
The following example shows how to launch a Spring Cloud Stream application with SASL and Kerberos by using Spring Boot configuration properties:
java --spring.cloud.stream.kafka.binder.brokers=secure.server:9092 \
--spring.cloud.stream.bindings.input.destination=stream.ticktock \
--spring.cloud.stream.kafka.binder.autoCreateTopics=false \
--spring.cloud.stream.kafka.binder.configuration.security.protocol=SASL_PLAINTEXT \
--spring.cloud.stream.kafka.binder.jaas.options.useKeyTab=true \
--spring.cloud.stream.kafka.binder.jaas.options.storeKey=true \
--spring.cloud.stream.kafka.binder.jaas.options.keyTab=/etc/security/keytabs/kafka_client.keytab \
--spring.cloud.stream.kafka.binder.jaas.options.principal=kafka-client-1@EXAMPLE.COM前面的示例表示以下 JAAS 文件的等效内容:
The preceding example represents the equivalent of the following JAAS file:
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab="/etc/security/keytabs/kafka_client.keytab"
principal="kafka-client-1@EXAMPLE.COM";
};如果所需主题已存在于代理中,或将由管理员创建,则可以关闭自动创建,并且只需要发送客户端 JAAS 属性。
If the topics required already exist on the broker or will be created by an administrator, autocreation can be turned off and only client JAAS properties need to be sent.
|
请勿在同一应用程序中混用 JAAS 配置文件和 Spring Boot 属性。如果 |
|
Do not mix JAAS configuration files and Spring Boot properties in the same application.
If the |
|
在与 Kerberos 一起使用 |
|
Be careful when using the |
Multi-binder configuration and JAAS
当连接到一个拥有独立 JAAS 配置的多集群中时,随后可通过属性 sasl.jaas.config 来设置 JAAS 配置。当应用中出现此属性时,它将优于上述其他策略。有关更多详细信息,请参阅此 KIP-85。
When connecting to multiple clusters in which each one requires separate JAAS configuration, then set the JAAS configuration using the property sasl.jaas.config.
When this property is present in the application, it takes precedence over the other strategies mentioned above.
See this KIP-85 for more details.
例如,如果您的应用程序中包含两个群集和两个单独的 JAAS 配置,则以下是一个您可以使用的模板:
For example, if you have two clusters in your application with separate JAAS configuration, then the following is a template that you can use:
spring.cloud.stream:
binders:
kafka1:
type: kafka
environment:
spring:
cloud:
stream:
kafka:
binder:
brokers: localhost:9092
configuration.sasl.jaas.config: "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"admin\" password=\"admin-secret\";"
kafka2:
type: kafka
environment:
spring:
cloud:
stream:
kafka:
binder:
brokers: localhost:9093
configuration.sasl.jaas.config: "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"user1\" password=\"user1-secret\";"
kafka.binder:
configuration:
security.protocol: SASL_PLAINTEXT
sasl.mechanism: PLAIN请注意,在上述配置中,Kafka 群集和每个群集的 sasl.jaas.config 值都不同。
Note that both the Kafka clusters, and the sasl.jaas.config values for each of them are different in the above configuration.
有关如何设置和运行此类应用的详细信息,请参阅此 sample application。
See this sample application for more details on how to setup and run such an application.