From: Kai Moritz Date: Sat, 14 Oct 2023 16:49:20 +0000 (+0200) Subject: Die Adressen DOCKER und LOCALHOST über ACLs abgesichert X-Git-Url: http://juplo.de/gitweb/?a=commitdiff_plain;h=dc10e7677f970e665600af5c5bcc57506aa48d19;p=demos%2Fkafka%2Ftraining Die Adressen DOCKER und LOCALHOST über ACLs abgesichert * Freifahrtschein für die Kommunikation über die BROKER-Adresse * Realisiert über das Hinzufügen des Principals `User:ANONYMOUS` zu den `super.users` des Clusters -- dies funktioniert, da nur die Aufrufe, die über die BROKER-Adresse abgewickelt werden diesem Benutzer zugeordnet werden, da nur diese Adresse im `PLAINTEXT`-Modus betrieben wird. * Für alle anderen Adressen hat der Principal einen abweichenden, über die _erfolgreiche Authorisierung_ vorgegebenen Principal. * Wenn über diese Adressen _ohne erfolgreiche Authorisierung_ zugegriffen wird, werden die Zugriffe abgewährt! --- diff --git a/README.sh b/README.sh index 6e72cf5..55a00c1 100755 --- a/README.sh +++ b/README.sh @@ -33,10 +33,43 @@ else fi docker-compose -f docker/docker-compose.yml up --remove-orphans setup || exit 1 -docker-compose -f docker/docker-compose.yml up -d producer consumer-1 consumer-2 -docker-compose -f docker/docker-compose.yml up -d cruise-control +kafkacat -L -b :9092 kafkacat -L -b :9092 -Xsecurity.protocol=sasl_plaintext -Xsasl.mechanisms=PLAIN -Xsasl.username=client -Xsasl.password=client-secret +# Nicht nötig, da `super.users=User:ANONYMOUS` gesetzt wurde +# Ohne diesen Eintrag wären diverse ACLs nötig, bevor BROKER funktioniert! +# docker-compose exec cli kafka-acls --authorizer-properties zookeeper.connect=zookeeper zookeeper:2181 --add --allow-principal User:ANONYMOUS --operation ALL --topic __CruiseControlMetrics --group=* + +# schema-registry +docker-compose -f docker/docker-compose.yml exec cli kafka-acls \ + --authorizer-properties zookeeper.connect=zookeeper \ + --add \ + --allow-principal User:schemaregistry \ + --topic _schemas \ + --consumer --group=schema-registry \ + --producer +docker-compose -f docker/docker-compose.yml exec cli kafka-acls \ + --authorizer-properties zookeeper.connect=zookeeper \ + --add \ + --allow-principal User:schemaregistry \ + --topic _schemas \ + --operation=DescribeConfigs + +docker-compose -f docker/docker-compose.yml up -d schema-registry +while [[ ! $(http :8085/subjects 2> /dev/null) ]]; do echo Waiting for schema-registry; sleep 1; done cat user-v1.schema|http POST http://localhost:8085/subjects/user/versions "Content-Type:application/vnd.schemaregistry.v1+json" http GET http://0:8085/subjects/user/versions/1/schema + +# kafka-connect +docker-compose -f docker/docker-compose.yml exec cli kafka-acls \ + --authorizer-properties zookeeper.connect=zookeeper \ + --add \ + --allow-principal User:connect \ + --topic __connect \ + --resource-pattern-type prefixed \ + --consumer --group=kafka-connect \ + --producer + +docker-compose -f docker/docker-compose.yml up -d connect +while [[ ! $(http :8083/connectors 2> /dev/null) ]]; do echo Waiting for connect; sleep 1; done diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index e5082a8..c269dae 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -22,7 +22,9 @@ services: KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 3 KAFKA_AUTO_CREATE_TOPICS_ENABLE: "false" KAFKA_AUTHORIZER_CLASS_NAME: kafka.security.authorizer.AclAuthorizer - KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: "true" + KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: "false" + KAFKA_SUPER_USERS: User:ANONYMOUS + KAFKA_LOG4J_LOGGERS: kafka.authorizer.logger=INFO KAFKA_METRIC_REPORTERS: com.linkedin.kafka.cruisecontrol.metricsreporter.CruiseControlMetricsReporter KAFKA_CRUISE_CONTROL_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9091 KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: PLAIN @@ -57,7 +59,9 @@ services: KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 3 KAFKA_AUTO_CREATE_TOPICS_ENABLE: "false" KAFKA_AUTHORIZER_CLASS_NAME: kafka.security.authorizer.AclAuthorizer - KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: "true" + KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: "false" + KAFKA_SUPER_USERS: User:ANONYMOUS + KAFKA_LOG4J_LOGGERS: kafka.authorizer.logger=INFO KAFKA_METRIC_REPORTERS: com.linkedin.kafka.cruisecontrol.metricsreporter.CruiseControlMetricsReporter KAFKA_CRUISE_CONTROL_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9091 KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: PLAIN @@ -97,7 +101,9 @@ services: KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 3 KAFKA_AUTO_CREATE_TOPICS_ENABLE: "false" KAFKA_AUTHORIZER_CLASS_NAME: kafka.security.authorizer.AclAuthorizer - KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: "true" + KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: "false" + KAFKA_SUPER_USERS: User:ANONYMOUS + KAFKA_LOG4J_LOGGERS: kafka.authorizer.logger=INFO KAFKA_METRIC_REPORTERS: com.linkedin.kafka.cruisecontrol.metricsreporter.CruiseControlMetricsReporter KAFKA_CRUISE_CONTROL_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9091 KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: PLAIN @@ -132,7 +138,9 @@ services: KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 3 KAFKA_AUTO_CREATE_TOPICS_ENABLE: "false" KAFKA_AUTHORIZER_CLASS_NAME: kafka.security.authorizer.AclAuthorizer - KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: "true" + KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: "false" + KAFKA_SUPER_USERS: User:ANONYMOUS + KAFKA_LOG4J_LOGGERS: kafka.authorizer.logger=INFO KAFKA_METRIC_REPORTERS: com.linkedin.kafka.cruisecontrol.metricsreporter.CruiseControlMetricsReporter KAFKA_CRUISE_CONTROL_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9091 KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: PLAIN