How to run kafka in SASL_SSL with OAUTHBEARER mechanism

2024-06-27 10:56:46

Running the OAUTHBEARER mechanism over SASL_PLAINTEXT is not secure: the bearer token is sent in the clear inside the SASL exchange, so anyone who can read the traffic can capture and replay it. We need SSL (the SASL_SSL protocol) to encrypt the transport.

One caveat before starting. The login module used below (OAuthBearerLoginModule with unsecuredLoginStringClaim_sub) creates an unsecured JSON Web Token with alg=none and no signature, and the broker's default validator accepts such tokens; Kafka's documentation states that this default is only suitable for non-production installations. TLS hides the token from the network, but it does not make the token trustworthy: any client can mint one that claims to be alice. For production, replace both sides with callback handlers that obtain tokens from a real authorization server and validate their signature, expiry, issuer and audience (recent Kafka versions ship OAuthBearerLoginCallbackHandler and OAuthBearerValidatorCallbackHandler, configured through sasl.oauthbearer.token.endpoint.url and sasl.oauthbearer.jwks.endpoint.url).

For the SSL settings (keystore, truststore, certificates), refer to the earlier post How to run kafka in SASL_SSL Mode.

Assume the keystore, truststore, certificate and private key are already prepared.

1. Modify the server.properties file as below. Client authentication is handled by SASL, so ssl.client.auth can stay at its default (none); setting it to required would additionally demand a client certificate (mutual TLS) on top of the SASL login.

```properties
listeners=SASL_SSL://localhost:9093
advertised.listeners=SASL_SSL://localhost:9093
security.inter.broker.protocol=SASL_SSL
sasl.mechanism.inter.broker.protocol=OAUTHBEARER
sasl.enabled.mechanisms=OAUTHBEARER

# JAAS login context for SASL/OAUTHBEARER on the SASL_SSL listener.
# unsecuredLoginStringClaim_sub mints an unsigned (alg=none) JWT with sub=alice;
# the matching unsecured validator accepts it without any signature check. Non-production only.
listener.name.sasl_ssl.oauthbearer.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required unsecuredLoginStringClaim_sub="alice";

# ssl configurations
ssl.keystore.location=/path_to/kafka.keystore
ssl.keystore.type=pkcs12
ssl.keystore.password=yourpass
ssl.key.password=yourpass
ssl.truststore.location=/path_to/kafka.truststore
ssl.truststore.type=pkcs12
ssl.truststore.password=yourpass
# ssl.client.auth is not needed: SASL authenticates the client. Uncomment only if you also want mutual TLS.
# ssl.client.auth=required
```
2. Start ZooKeeper and the Kafka server in separate consoles. Once the broker is up it listens on port 9093 with SASL_SSL only.

```bat
rem Windows
zookeeper-server-start.bat .\config\zookeeper.properties
kafka-server-start.bat .\config\server.properties
```

```bash
# Linux / macOS
./bin/zookeeper-server-start.sh ./config/zookeeper.properties
./bin/kafka-server-start.sh ./config/server.properties
```
3. Next, modify consumer.properties and producer.properties so the clients connect to port 9093 with protocol SASL_SSL. You can also copy the same content into a file client.properties for kafka-topics to use. The client needs only a truststore to verify the broker's certificate; a client keystore is required only if the broker sets ssl.client.auth=required. Note that Kafka verifies the broker hostname against the certificate by default (ssl.endpoint.identification.algorithm=https), so the certificate must cover the host name used in bootstrap.servers; fix the certificate rather than disabling that check.

```properties
bootstrap.servers=localhost:9093
security.protocol=SASL_SSL
sasl.mechanism=OAUTHBEARER
# Unsigned test token with sub=alice, matching the broker's unsecured validator. Non-production only.
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required unsecuredLoginStringClaim_sub="alice";

# ssl configurations
ssl.truststore.location=/path_to/kafka.truststore
ssl.truststore.type=pkcs12
ssl.truststore.password=yourpass
# Client keystore: only needed if the broker requires a client certificate (ssl.client.auth=required)
#ssl.keystore.location=/path_to/kafka.keystore
#ssl.keystore.type=pkcs12
#ssl.keystore.password=yourpass
```
4. Create and list a topic on port 9093 in SASL_SSL mode.

```bat
rem Windows
kafka-topics.bat --create --topic gaming-events --bootstrap-server localhost:9093 --command-config ./config/client.properties
kafka-topics.bat --list --bootstrap-server localhost:9093 --command-config ./config/client.properties
```

```bash
# Linux / macOS
./bin/kafka-topics.sh --create --topic gaming-events --bootstrap-server localhost:9093 --command-config ./config/client.properties
./bin/kafka-topics.sh --list --bootstrap-server localhost:9093 --command-config ./config/client.properties
```
5. Run the consumer on port 9093 in SASL_SSL mode.

```bat
rem Windows
kafka-console-consumer.bat --topic gaming-events --from-beginning --bootstrap-server localhost:9093 --consumer.config ./config/consumer.properties
```

```bash
# Linux / macOS
./bin/kafka-console-consumer.sh --topic gaming-events --from-beginning --bootstrap-server localhost:9093 --consumer.config ./config/consumer.properties
```
6. Run the producer on port 9093 in SASL_SSL mode.

```bat
rem Windows
kafka-console-producer.bat --topic gaming-events --bootstrap-server localhost:9093 --producer.config ./config/producer.properties
```

```bash
# Linux / macOS
./bin/kafka-console-producer.sh --topic gaming-events --bootstrap-server localhost:9093 --producer.config ./config/producer.properties
```
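To see why both security points in this post hold (the token must be hidden by TLS, and an unsecured token is not real authentication), here is an added example that is not part of the original post and not Kafka's own code. It re-implements in Python the SASL/OAUTHBEARER client initial response (RFC 7628), the unsigned alg=none JWT that unsecuredLoginStringClaim_sub="alice" stands for, a stand-in for the broker's unsecured validator, and a strict validator of the kind a production callback handler would use. KEY, ISS and AUD are made-up values, and the fixed clock in demo() is there only to keep the run deterministic.

```python
# Added example; not code from the original post nor from Kafka itself. It shows:
#   1. the SASL/OAUTHBEARER client initial response (RFC 7628): the token crosses the
#      wire as plain text, so on SASL_PLAINTEXT anyone on the path can read and replay it;
#   2. the unsecured JWT (alg=none, empty signature) behind unsecuredLoginStringClaim_sub,
#      and why a validator that accepts it authenticates nobody, next to a strict validator.
# KEY, ISS and AUD are assumptions made up for this example.
import base64
import hashlib
import hmac
import json
import time

KEY = b"example-shared-secret-not-for-real-use"   # assumption: HMAC key shared by IdP and broker
ISS = "https://idp.example.test"                  # assumption: expected issuer
AUD = "kafka-broker"                              # assumption: expected audience


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _jwt_part(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

def mint_unsecured_token(sub: str, lifetime: int = 3600, now=None) -> str:
    """Same shape as the login module's unsecured JWT: alg=none and an empty signature."""
    now = int(time.time()) if now is None else now
    return f"{_jwt_part({'alg': 'none'})}.{_jwt_part({'sub': sub, 'iat': now, 'exp': now + lifetime})}."

def mint_signed_token(sub: str, key: bytes, iss: str, aud: str, lifetime: int = 3600, now=None) -> str:
    """HS256-signed JWT of the kind a real authorization server would issue."""
    now = int(time.time()) if now is None else now
    head = _jwt_part({"alg": "HS256", "typ": "JWT"})
    body = _jwt_part({"sub": sub, "iss": iss, "aud": aud, "iat": now, "exp": now + lifetime})
    sig = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def client_initial_response(token: str) -> bytes:
    """RFC 7628 client initial response: GS2 header, then 0x01-framed key=value pairs.
    This is what crosses the wire; over SASL_PLAINTEXT it is readable exactly as shown."""
    return b"n,,\x01auth=Bearer " + token.encode("ascii") + b"\x01\x01"

def token_from_initial_response(msg: bytes) -> str:
    """What a sniffer (or the broker) extracts from the message above."""
    if not msg.startswith(b"n,,\x01") or not msg.endswith(b"\x01\x01"):
        raise ValueError("malformed OAUTHBEARER client initial response")
    for kv in msg[4:-2].split(b"\x01"):
        if kv.startswith(b"auth=Bearer "):
            return kv[len(b"auth=Bearer "):].decode("ascii")
    raise ValueError("no auth=Bearer field")

def unsecured_validate(token: str, now=None) -> dict:
    """Stand-in for the broker's unsecured validator: trusts the claims, checks no signature."""
    head, body, _sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "none":
        raise ValueError("unsecured validator expects alg=none")
    claims = json.loads(b64url_decode(body))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def strict_validate(token: str, key: bytes, iss: str, aud: str, now=None) -> dict:
    """Rejects unsigned tokens, verifies the HMAC in constant time, then checks exp/iss/aud."""
    head, body, sig = token.split(".")
    alg = json.loads(b64url_decode(head)).get("alg")
    if alg != "HS256":
        raise ValueError(f"rejecting alg={alg!r}: unsigned or unexpected algorithm")
    expected = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != iss or claims.get("aud") != aud:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def demo() -> dict:
    """Constructed walk-through with a fixed clock: a self-minted sub=admin token through both validators."""
    now = 1_700_000_000
    wire = client_initial_response(mint_unsecured_token("admin", now=now))  # nobody issued this token
    received = token_from_initial_response(wire)
    out = {"unsecured_sub": unsecured_validate(received, now=now)["sub"]}  # accepted as "admin"
    try:
        strict_validate(received, KEY, ISS, AUD, now=now)
        out["strict_accepts_forged"] = True
    except ValueError:
        out["strict_accepts_forged"] = False
    good = mint_signed_token("alice", KEY, ISS, AUD, now=now)
    out["strict_sub"] = strict_validate(good, KEY, ISS, AUD, now=now)["sub"]
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The unsecured validator happily reports the forged token's subject as admin, which is the situation the server.properties above creates once an attacker can reach port 9093; the strict validator rejects it because alg=none is not a signature. The real fix is the production callback handlers mentioned at the top of the post, which do the equivalent of strict_validate against the authorization server's keys.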

The producer and consumer now communicate over the secured port 9093 in SASL_SSL mode, authenticating with an OAUTHBEARER token.
