[ https://issues.apache.org/jira/browse/KAFKA-8552?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16927246#comment-16927246 ]
Liu commented on KAFKA-8552:
----------------------------

I have encountered some problems in launching Zookeeper sasl certification. I wonder if you have any good suggestions.

When I launch the Zookeeper server, I have configured “-Djava.security.auth.login.config=/data/boge/kafka/config/zookeeper-jaas.conf”. The contents of zookeeper-jaas.conf are as follows:
{code:java}
Server {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_super="adminsecret"
    user_zooclient="zooclientpwd";
};
{code}
zookeeper.properties
{code:java}
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
{code}
kafka kafka-broker-jaas.conf
{code:java}
Client {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="zooclient"
    password="zooclientpwd";
};
{code}
kafka server.properties
{code:java}
zookeeper.set.acl=true
{code}
In this way, I have implemented the connection of Zookeeper with authentication. It also allows the brokers to set SASL ACL on zookeeper nodes which locks these nodes down so that only the brokers can modify it.

!image.png!!image (1).png!

However, in some scenarios, my kafka may fail to be started. For example, if I return from a version with Zookeeper sasl authentication to a version without sasl authentication, the data loaded by Zookeeper is still encrypted. In this case, kafka cannot connect to Zookeeper because of Client configuration, and the startup fails.

I hope you can understand what I'm talking about and give me some suggestions. Thanks!

> Use SASL authentication in ConfigCommand for connection to zookeeper
> --------------------------------------------------------------------
>
>                 Key: KAFKA-8552
>                 URL: https://issues.apache.org/jira/browse/KAFKA-8552
>             Project: Kafka
>          Issue Type: Improvement
>          Components: zkclient
>    Affects Versions: 2.2.1
>            Reporter: Tim Lansbergen
>            Priority: Minor
>         Attachments: image (1).png, image.png
>
>
> Currently we are using the kafka-configs script to create SCRAM users in
> zookeeper. I execute the following command on the machine:
> *./kafka-configs --zookeeper _ip-adres_:2181 --alter --add-config
> 'SCRAM-SHA-256=[password=password]' --entity-type users --entity-name user123*
> I would like to create users dynamically via a Java api. Since it is not
> possible to create SCRAM users via the KafkaAdminApi (please confirm?), I am
> now using the Kafka Scala class 'AdminZkClient' to create users the same
> way as the ConfigCommand currently does. It looks like the AdminZkClient
> doesn't provide a way to authenticate against zookeeper using SASL. I'm
> currently connecting to zookeeper without authentication and this is a
> security issue. Is it possible to connect with the AdminZkClient with SASL
> authentication?
> I'm aware of issue KAFKA-5722 which is an improvement to use the AdminClient
> in the ConfigCommand class so this issue might be a duplicate but I would
> like to know if it is possible to authenticate using SASL with the
> AdminZkClient.
> Thanks!
>

--
This message was sent by Atlassian Jira
(v8.3.2#803003)
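
The comment above pairs a ZooKeeper `Server` JAAS section (`user_<name>="<password>"` entries) with a broker `Client` section (`username`/`password`). The following is an added example, not part of the original message or of the Kafka project: a Python check that the broker's credentials match an entry in the ZooKeeper server's JAAS file before either process is started. The function names are hypothetical, the sample file contents are the ones quoted in the comment, and the parser assumes one login module per section.

```python
import re

# One JAAS section: Name { ... };
SECTION_RE = re.compile(r'(\w+)\s*\{(.*?)\}\s*;', re.S)
# key="value" options inside a login-module entry
OPTION_RE = re.compile(r'([\w.]+)\s*=\s*"([^"]*)"')

def parse_jaas(text):
    """Return {section: {"module", "flag", "options"}} (one module per section assumed)."""
    sections = {}
    for name, body in SECTION_RE.findall(text):
        tokens = body.split()
        sections[name] = {
            "module": tokens[0] if tokens else "",
            "flag": tokens[1] if len(tokens) > 1 else "",
            "options": dict(OPTION_RE.findall(body)),
        }
    return sections

def check_zk_digest_pair(server_jaas, client_jaas):
    """Return a list of problems; an empty list means the two files agree."""
    server = parse_jaas(server_jaas).get("Server")
    client = parse_jaas(client_jaas).get("Client")
    if server is None:
        return ["ZooKeeper JAAS file has no Server section"]
    if client is None:
        return ["broker JAAS file has no Client section"]
    user = client["options"].get("username")
    password = client["options"].get("password")
    if user is None or password is None:
        return ["Client section lacks username or password"]
    expected = server["options"].get("user_" + user)
    if expected is None:
        return ["no user_%s entry in Server section" % user]
    if expected != password:
        # Report the mismatch without echoing either secret.
        return ["password for %s differs between the two files" % user]
    return []

# File contents as quoted in the comment.
SERVER_JAAS = '''Server {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_super="adminsecret" user_zooclient="zooclientpwd";
};'''
CLIENT_JAAS = '''Client {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="zooclient" password="zooclientpwd";
};'''

if __name__ == "__main__":
    print(check_zk_digest_pair(SERVER_JAAS, CLIENT_JAAS) or "JAAS pair is consistent")
```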