From 8030177a9de83e274ced1902b825e478df9355a6 Mon Sep 17 00:00:00 2001 From: Kai Moritz Date: Wed, 11 Oct 2023 18:40:55 +0200 Subject: [PATCH] DOCKER und LOCALHOST erfordern Authentifizierung --- README.sh | 3 +- docker/client.properties | 5 ++++ docker/docker-compose.yml | 60 +++++++++++++++++++++++++++++++++------ 3 files changed, 58 insertions(+), 10 deletions(-) create mode 100644 docker/client.properties diff --git a/README.sh b/README.sh index c4290b6..93b3a97 100755 --- a/README.sh +++ b/README.sh @@ -36,5 +36,4 @@ docker-compose -f docker/docker-compose.yml up --remove-orphans setup || exit 1 docker-compose -f docker/docker-compose.yml up -d producer consumer-1 consumer-2 docker-compose -f docker/docker-compose.yml up -d cruise-control -sleep 5 -docker-compose -f docker/docker-compose.yml logs cruise-control +kafkacat -L -b :9092 -Xsecurity.protocol=sasl_plaintext -Xsasl.mechanisms=PLAIN -Xsasl.username=client -Xsasl.password=client-secret diff --git a/docker/client.properties b/docker/client.properties new file mode 100644 index 0000000..8a04387 --- /dev/null +++ b/docker/client.properties @@ -0,0 +1,5 @@ +sasl.mechanism=PLAIN +security.protocol=SASL_PLAINTEXT +sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \ + username="client" \ + password="client-secret"; diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index 87bf096..9ae4166 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -15,7 +15,7 @@ services: environment: KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181 KAFKA_LISTENERS: BROKER://:9091, DOCKER://:9092, LOCALHOST://:9081 - KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: BROKER:PLAINTEXT, DOCKER:PLAINTEXT, LOCALHOST:PLAINTEXT + KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: BROKER:PLAINTEXT, DOCKER:SASL_PLAINTEXT, LOCALHOST:SASL_PLAINTEXT KAFKA_ADVERTISED_LISTENERS: BROKER://kafka-1:9091, DOCKER://kafka-1:9092, LOCALHOST://localhost:9081 KAFKA_BROKER_ID: 1 KAFKA_INTER_BROKER_LISTENER_NAME: BROKER @@ -24,7 +24,18 @@ services: KAFKA_AUTHORIZER_CLASS_NAME: kafka.security.authorizer.AclAuthorizer KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: "true" KAFKA_METRIC_REPORTERS: com.linkedin.kafka.cruisecontrol.metricsreporter.CruiseControlMetricsReporter - KAFKA_CRUISE_CONTROL_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9092 + KAFKA_CRUISE_CONTROL_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9091 + KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: PLAIN + KAFKA_LISTENER_NAME_DOCKER_PLAIN_SASL_JAAS_CONFIG: | + org.apache.kafka.common.security.plain.PlainLoginModule required \ + user_schemaregistry="schemaregistry-secret" \ + user_connect="connect-secret" \ + user_client="client-secret"; + KAFKA_LISTENER_NAME_LOCALHOST_SASL_ENABLED_MECHANISMS: PLAIN + KAFKA_LISTENER_NAME_LOCALHOST_PLAIN_SASL_JAAS_CONFIG: | + org.apache.kafka.common.security.plain.PlainLoginModule required \ + user_client="client-secret"; + KAFKA_SASL_ENABLED_MECHANISMS: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512 volumes: - kafka-1-data:/var/lib/kafka/data ports: @@ -38,7 +49,7 @@ services: environment: KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181 KAFKA_LISTENERS: BROKER://:9091, DOCKER://:9092, LOCALHOST://:9082 - KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: BROKER:PLAINTEXT, DOCKER:PLAINTEXT, LOCALHOST:PLAINTEXT + KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: BROKER:PLAINTEXT, DOCKER:SASL_PLAINTEXT, LOCALHOST:SASL_PLAINTEXT KAFKA_ADVERTISED_LISTENERS: BROKER://kafka-2:9091, DOCKER://kafka-2:9092, LOCALHOST://localhost:9082 KAFKA_BROKER_ID: 2 KAFKA_INTER_BROKER_LISTENER_NAME: BROKER @@ -47,7 +58,18 @@ services: KAFKA_AUTHORIZER_CLASS_NAME: kafka.security.authorizer.AclAuthorizer KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: "true" KAFKA_METRIC_REPORTERS: com.linkedin.kafka.cruisecontrol.metricsreporter.CruiseControlMetricsReporter - KAFKA_CRUISE_CONTROL_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9092 + KAFKA_CRUISE_CONTROL_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9091 + KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: PLAIN + KAFKA_LISTENER_NAME_DOCKER_PLAIN_SASL_JAAS_CONFIG: | + org.apache.kafka.common.security.plain.PlainLoginModule required \ + user_schemaregistry="schemaregistry-secret" \ + user_connect="connect-secret" \ + user_client="client-secret"; + KAFKA_LISTENER_NAME_LOCALHOST_SASL_ENABLED_MECHANISMS: PLAIN + KAFKA_LISTENER_NAME_LOCALHOST_PLAIN_SASL_JAAS_CONFIG: | + org.apache.kafka.common.security.plain.PlainLoginModule required \ + user_client="client-secret"; + KAFKA_SASL_ENABLED_MECHANISMS: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512 volumes: - kafka-2-data:/var/lib/kafka/data ports: @@ -66,7 +88,7 @@ services: environment: KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181 KAFKA_LISTENERS: BROKER://:9091, DOCKER://:9092, LOCALHOST://:9083 - KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: BROKER:PLAINTEXT, DOCKER:PLAINTEXT, LOCALHOST:PLAINTEXT + KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: BROKER:PLAINTEXT, DOCKER:SASL_PLAINTEXT, LOCALHOST:SASL_PLAINTEXT KAFKA_ADVERTISED_LISTENERS: BROKER://kafka-3:9091, DOCKER://kafka-3:9092, LOCALHOST://localhost:9083 KAFKA_BROKER_ID: 3 KAFKA_INTER_BROKER_LISTENER_NAME: BROKER @@ -75,7 +97,18 @@ services: KAFKA_AUTHORIZER_CLASS_NAME: kafka.security.authorizer.AclAuthorizer KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: "true" KAFKA_METRIC_REPORTERS: com.linkedin.kafka.cruisecontrol.metricsreporter.CruiseControlMetricsReporter - KAFKA_CRUISE_CONTROL_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9092 + KAFKA_CRUISE_CONTROL_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9091 + KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: PLAIN + KAFKA_LISTENER_NAME_DOCKER_PLAIN_SASL_JAAS_CONFIG: | + org.apache.kafka.common.security.plain.PlainLoginModule required \ + user_schemaregistry="schemaregistry-secret" \ + user_connect="connect-secret" \ + user_client="client-secret"; + KAFKA_LISTENER_NAME_LOCALHOST_SASL_ENABLED_MECHANISMS: PLAIN + KAFKA_LISTENER_NAME_LOCALHOST_PLAIN_SASL_JAAS_CONFIG: | + org.apache.kafka.common.security.plain.PlainLoginModule required \ + user_client="client-secret"; + KAFKA_SASL_ENABLED_MECHANISMS: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512 volumes: - kafka-3-data:/var/lib/kafka/data ports: @@ -89,7 +122,7 @@ services: environment: KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181 KAFKA_LISTENERS: BROKER://:9091, DOCKER://:9092, LOCALHOST://:9084 - KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: BROKER:PLAINTEXT, DOCKER:PLAINTEXT, LOCALHOST:PLAINTEXT + KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: BROKER:PLAINTEXT, DOCKER:SASL_PLAINTEXT, LOCALHOST:SASL_PLAINTEXT KAFKA_ADVERTISED_LISTENERS: BROKER://kafka-4:9091, DOCKER://kafka-4:9092, LOCALHOST://localhost:9084 KAFKA_BROKER_ID: 4 KAFKA_INTER_BROKER_LISTENER_NAME: BROKER @@ -98,7 +131,18 @@ services: KAFKA_AUTHORIZER_CLASS_NAME: kafka.security.authorizer.AclAuthorizer KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: "true" KAFKA_METRIC_REPORTERS: com.linkedin.kafka.cruisecontrol.metricsreporter.CruiseControlMetricsReporter - KAFKA_CRUISE_CONTROL_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9092 + KAFKA_CRUISE_CONTROL_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9091 + KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: PLAIN + KAFKA_LISTENER_NAME_DOCKER_PLAIN_SASL_JAAS_CONFIG: | + org.apache.kafka.common.security.plain.PlainLoginModule required \ + user_schemaregistry="schemaregistry-secret" \ + user_connect="connect-secret" \ + user_client="client-secret"; + KAFKA_LISTENER_NAME_LOCALHOST_SASL_ENABLED_MECHANISMS: PLAIN + KAFKA_LISTENER_NAME_LOCALHOST_PLAIN_SASL_JAAS_CONFIG: | + org.apache.kafka.common.security.plain.PlainLoginModule required \ + user_client="client-secret"; + KAFKA_SASL_ENABLED_MECHANISMS: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512 volumes: - kafka-4-data:/var/lib/kafka/data ports: -- 2.20.1