Kafka authentication with Jaas config
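I have set up my Kafka JAAS config as an external bean in my Spring Boot application, to read my configuration from my application.yaml file.
But I am getting an error when reading my JAAS keytab file from my yaml file.
Error encountered: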
Caused by: javax.security.auth.login.LoginException: Could not login: the client is being asked for a password, but the Kafka client code does not currently support obtaining a password from the user. not available to garner authentication information from the user
at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:918) ~[jdk.security.auth:na]
at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:738) ~[jdk.security.auth:na]
at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592) ~[jdk.security.auth:na]
at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726) ~[na:na]
at java.base/javax.security.auth.login.LoginContext.run(LoginContext.java:665) ~[na:na]
at java.base/javax.security.auth.login.LoginContext.run(LoginContext.java:663) ~[na:na]
at java.base/java.security.AccessController.doPrivileged(AccessController.java:691) ~[na:na]
at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663) ~[na:na]
at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574) ~[na:na]
at org.apache.kafka.common.security.authenticator.AbstractLogin.login(AbstractLogin.java:60) ~[kafka-clients-2.5.1.jar:na]
at org.apache.kafka.common.security.kerberos.KerberosLogin.login(KerberosLogin.java:103) ~[kafka-clients-2.5.1.jar:na]
at org.apache.kafka.common.security.authenticator.LoginManager.<init>(LoginManager.java:62) ~[kafka-clients-2.5.1.jar:na]
at org.apache.kafka.common.security.authenticator.LoginManager.acquireLoginManager(LoginManager.java:112) ~[kafka-clients-2.5.1.jar:na]
at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:158) ~[kafka-clients-2.5.1.jar:na]
This is how I configured JAAS:
KafkaJaasConfigurationProperty.java
    @Component
    @ConfigurationProperties(prefix = "kafka.jaas")
    @Getter
    @Setter
    public class KafkaJaasConfigurationProperties {
        private Map<String, String> options;
    }
application.yml
    kafka:
      jaas:
        options:
          useKeyTab: true
          keytab: keytab-value
          storeKey: true
          debug: true
          serviceName: kafka
          principal: pricipal-value
KafkaJaasConfigurationBean.java
    @Bean
    public KafkaJaasLoginModuleInitializer jaasConfig(
            KafkaJaasConfigurationProperties kafkaJaasConfigurationProperties
    ) throws IOException {
        var jaasConfig = new KafkaJaasLoginModuleInitializer();
        jaasConfig.setControlFlag(KafkaJaasLoginModuleInitializer.ControlFlag.REQUIRED);
        jaasConfig.setOptions(kafkaJaasConfigurationProperties.getOptions());
        return jaasConfig;
    }
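Any help would be appreciated. Thanks!
Looking at the error, it seems the keytab file in the JAAS config you provided is not being picked up by KafkaJaasLoginModuleInitializer.
I can see a typo in your JAAS config, i.e. the "keytab" property value will be "keyTab".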
    kafka:
      jaas:
        options:
          useKeyTab: true
          keyTab: keytab-value #Try changing this
          storeKey: true
          debug: true
          serviceName: kafka
          principal: pricipal-value
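I think this should work, and it should be able to pick up the keytab file.
SPRING KAFKA EXAMPLE
But if you are using Spring Kafka, you can also provide the JAAS config directly, without creating your own bean for KafkaJaasLoginModuleInitializer.
Spring Kafka example: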
application.yaml
    spring:
      kafka:
        jaas:
          control-flag: required
          enabled: true
          login-module: com.sun.security.auth.module.Krb5LoginModule
          options:
            useKeyTab: true
            keyTab: keytab-value
            storeKey: true
            debug: true
            serviceName: kafka
            principal: pricipal-value
Hope this helps!!
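The case-sensitive option lookup behind this fix, as a startup check (an added example, not code from the posts above or from Spring Kafka; the class `JaasOptionCheck` and its `check` method are hypothetical names). It flags option keys that differ only in case from the names Krb5LoginModule reads, and assumes `keyTab` holds a plain filesystem path.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.*;

public class JaasOptionCheck {
    // Option names read by com.sun.security.auth.module.Krb5LoginModule, plus
    // "serviceName", which the Kafka client reads from the same JAAS entry.
    static final Set<String> KNOWN = Set.of(
        "refreshKrb5Config", "useTicketCache", "ticketCache", "renewTGT",
        "doNotPrompt", "useKeyTab", "keyTab", "storeKey", "principal",
        "isInitiator", "debug", "useFirstPass", "tryFirstPass",
        "storePass", "clearPass", "serviceName");

    /** Returns one message per problem; an empty list means the options look usable. */
    static List<String> check(Map<String, String> options) {
        List<String> problems = new ArrayList<>();
        for (String key : options.keySet()) {
            if (KNOWN.contains(key)) continue;
            // The module looks options up by exact name, so a near miss is silently ignored.
            Optional<String> near = KNOWN.stream().filter(k -> k.equalsIgnoreCase(key)).findFirst();
            problems.add(near.map(k -> "option '" + key + "' is ignored; did you mean '" + k + "'?")
                             .orElse("unknown option '" + key + "'"));
        }
        if (Boolean.parseBoolean(options.get("useKeyTab"))) {
            String keyTab = options.get("keyTab");
            if (keyTab == null) {
                problems.add("useKeyTab=true but 'keyTab' is not set, so the configured keytab is never used");
            } else if (!Files.isReadable(Paths.get(keyTab))) { // assumption: plain file path
                problems.add("keytab file is not readable: " + keyTab);
            }
        }
        return problems;
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the options in the question's application.yml.
        Map<String, String> fromQuestion = new LinkedHashMap<>();
        fromQuestion.put("useKeyTab", "true");
        fromQuestion.put("keytab", "keytab-value");
        fromQuestion.put("storeKey", "true");
        fromQuestion.put("debug", "true");
        fromQuestion.put("serviceName", "kafka");
        fromQuestion.put("principal", "pricipal-value");
        check(fromQuestion).forEach(System.out::println);
    }
}
```

Calling `check` on the options map before handing it to `setOptions` turns the misleading password-prompt `LoginException` into a message that names the misspelled key.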