didi / KnowStreaming

一站式云原生实时流数据平台,通过0侵入、插件化构建企业级Kafka服务,极大降低操作、存储和管理实时流数据门槛
https://knowstreaming.com
GNU Affero General Public License v3.0
6.99k stars 1.28k forks source link

ACLs新增权限报错:org.apache.kafka.common.errors.SecurityDisabledException:No Authorizer is configured #1092

Closed JieJieNiDeAi closed 1 year ago

JieJieNiDeAi commented 1 year ago

在这里提出你的问题

kafka 版本3.4.1,部署方式zookeeper,鉴权SASL-SCRAM knowsteaming 版本3.3.0 问题描述:ACLs新增权限报错:org.apache.kafka.common.errors.SecurityDisabledException:No Authorizer is configured 是不是新版本存在bug

ZQKC commented 1 year ago
  • [ ] 我已经在 issues 搜索过相关问题了,并没有重复的。

在这里提出你的问题

kafka 版本3.4.1,部署方式zookeeper,鉴权SASL-SCRAM knowsteaming 版本3.3.0 问题描述:ACLs新增权限报错:org.apache.kafka.common.errors.SecurityDisabledException:No Authorizer is configured 是不是新版本存在bug

KS接入集群时,集群配置那块填写的内容是?

JieJieNiDeAi commented 1 year ago
  • [ ] 我已经在 issues 搜索过相关问题了,并没有重复的。

在这里提出你的问题

kafka 版本3.4.1,部署方式zookeeper,鉴权SASL-SCRAM knowsteaming 版本3.3.0 问题描述:ACLs新增权限报错:org.apache.kafka.common.errors.SecurityDisabledException:No Authorizer is configured 是不是新版本存在bug

KS接入集群时,集群配置那块填写的内容是?

{ "security.protocol":"SASL_PLAINTEXT", "sasl.mechanism":"SCRAM-SHA-256", "sasl.jaas.config":"org.apache.kafka.common.security.scram.ScramLoginModule required username="producer" password="producerpwd";" }

ZQKC commented 1 year ago

https://github.com/didi/KnowStreaming/issues/1091 1、和这个issue是同一个集群么? 2、这个集群可以正常生产消费么? 3、正常生产消费时,使用的配置是?

JieJieNiDeAi commented 1 year ago

1091 1、和这个issue是同一个集群么? 2、这个集群可以正常生产消费么? 3、正常生产消费时,使用的配置是?

1、可以理解成两个集群,因为是重新部署的; 2、集群可以正常发送和消费消息; 3、正常消费的配置如下: spring: kafka: bootstrap-servers: 192.168.123.43:9092,192.168.123.44:9092,192.168.123.45:9092 listener: missing-topics-fatal: false properties: sasl: mechanism: SCRAM-SHA-256 jaas: config: 'org.apache.kafka.common.security.scram.ScramLoginModule required username="5gjly" password="jly@123";' security: protocol: SASL_PLAINTEXT

ZQKC commented 1 year ago

1091 1、和这个issue是同一个集群么? 2、这个集群可以正常生产消费么? 3、正常生产消费时,使用的配置是?

1、可以理解成两个集群,因为是重新部署的; 2、集群可以正常发送和消费消息; 3、正常消费的配置如下: spring: kafka: bootstrap-servers: 192.168.123.43:9092,192.168.123.44:9092,192.168.123.45:9092 listener: missing-topics-fatal: false properties: sasl: mechanism: SCRAM-SHA-256 jaas: config: 'org.apache.kafka.common.security.scram.ScramLoginModule required username="5gjly" password="jly@123";' security: protocol: SASL_PLAINTEXT

SecurityDisabledException:No Authorizer is configured 这个是服务端的报错,看服务端是不是没有配置认证类。

JieJieNiDeAi commented 1 year ago

1091 1、和这个issue是同一个集群么? 2、这个集群可以正常生产消费么? 3、正常生产消费时,使用的配置是?

1、可以理解成两个集群,因为是重新部署的; 2、集群可以正常发送和消费消息; 3、正常消费的配置如下: spring: kafka: bootstrap-servers: 192.168.123.43:9092,192.168.123.44:9092,192.168.123.45:9092 listener: missing-topics-fatal: false properties: sasl: mechanism: SCRAM-SHA-256 jaas: config: 'org.apache.kafka.common.security.scram.ScramLoginModule required username="5gjly" password="jly@123";' security: protocol: SASL_PLAINTEXT

SecurityDisabledException:No Authorizer is configured 这个是服务端的报错,看服务端是不是没有配置认证类。

在kafka启动脚本中加上了配置认证类,还是一样的报错。是不支持raft模式部署下使用ScramLoginModule模式认证吗?看文档上也没有raft模式部署的描述

ZQKC commented 1 year ago

1091 1、和这个issue是同一个集群么? 2、这个集群可以正常生产消费么? 3、正常生产消费时,使用的配置是?

1、可以理解成两个集群,因为是重新部署的; 2、集群可以正常发送和消费消息; 3、正常消费的配置如下: spring: kafka: bootstrap-servers: 192.168.123.43:9092,192.168.123.44:9092,192.168.123.45:9092 listener: missing-topics-fatal: false properties: sasl: mechanism: SCRAM-SHA-256 jaas: config: 'org.apache.kafka.common.security.scram.ScramLoginModule required username="5gjly" password="jly@123";' security: protocol: SASL_PLAINTEXT

SecurityDisabledException:No Authorizer is configured 这个是服务端的报错,看服务端是不是没有配置认证类。

在kafka启动脚本中加上了配置认证类,还是一样的报错。是不支持raft模式部署下使用ScramLoginModule模式认证吗?看文档上也没有raft模式部署的描述

搜了一下KRaft+Scram的文章,简单验证了一下(没有去测试集群模式,以及动态增减用户,ACL等)是可以的。老哥有兴趣可以再验证一下。

测试搭建环境信息:

# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

#
# This configuration file is intended for use in KRaft mode, where
# Apache ZooKeeper is not present.  See config/kraft/README.md for details.
#

############################# Server Basics #############################

# The role of this server. Setting this puts us in KRaft mode
process.roles=broker,controller

# The node id associated with this instance's roles
node.id=1

# The connect string for the controller quorum
controller.quorum.voters=1@127.0.0.1:9093

############################# Socket Server Settings #############################

# The address the socket server listens on.
# Combined nodes (i.e. those with `process.roles=broker,controller`) must list the controller listener here at a minimum.
# If the broker listener is not defined, the default listener will use a host name that is equal to the value of java.net.InetAddress.getCanonicalHostName(),
# with PLAINTEXT listener name, and port 9092.
#   FORMAT:
#     listeners = listener_name://host_name:port
#   EXAMPLE:
#     listeners = PLAINTEXT://your.host.name:9092
listeners=BROKER://127.0.0.1:9092,CONTROLLER://127.0.0.1:9093

# Listener name, hostname and port the broker will advertise to clients.
# If not set, it uses the value for "listeners".
advertised.listeners=BROKER://127.0.0.1:9092

# A comma-separated list of the names of the listeners used by the controller.
# If no explicit mapping set in `listener.security.protocol.map`, default will be using PLAINTEXT protocol
# This is required if running in KRaft mode.
controller.listener.names=CONTROLLER

# Maps listener names to security protocols, the default is for them to be the same. See the config documentation for more details
listener.security.protocol.map=CONTROLLER:SASL_PLAINTEXT,BROKER:SASL_PLAINTEXT

# The number of threads that the server uses for receiving requests from the network and sending responses to the network
num.network.threads=3

# The number of threads that the server uses for processing requests, which may include disk I/O
num.io.threads=8

# The send buffer (SO_SNDBUF) used by the socket server
socket.send.buffer.bytes=102400

# The receive buffer (SO_RCVBUF) used by the socket server
socket.receive.buffer.bytes=102400

# The maximum size of a request that the socket server will accept (protection against OOM)
socket.request.max.bytes=104857600

############################# Log Basics #############################

# A comma separated list of directories under which to store log files
log.dirs=/Users/zqkc/Downloads/app/data/kafka_341_logs

# The default number of log partitions per topic. More partitions allow greater
# parallelism for consumption, but this will also result in more files across
# the brokers.
num.partitions=1

# The number of threads per data directory to be used for log recovery at startup and flushing at shutdown.
# This value is recommended to be increased for installations with data dirs located in RAID array.
num.recovery.threads.per.data.dir=1

############################# Internal Topic Settings  #############################
# The replication factor for the group metadata internal topics "__consumer_offsets" and "__transaction_state"
# For anything other than development testing, a value greater than 1 is recommended to ensure availability such as 3.
offsets.topic.replication.factor=1
transaction.state.log.replication.factor=1
transaction.state.log.min.isr=1

############################# Log Flush Policy #############################

# Messages are immediately written to the filesystem but by default we only fsync() to sync
# the OS cache lazily. The following configurations control the flush of data to disk.
# There are a few important trade-offs here:
#    1. Durability: Unflushed data may be lost if you are not using replication.
#    2. Latency: Very large flush intervals may lead to latency spikes when the flush does occur as there will be a lot of data to flush.
#    3. Throughput: The flush is generally the most expensive operation, and a small flush interval may lead to excessive seeks.
# The settings below allow one to configure the flush policy to flush data after a period of time or
# every N messages (or both). This can be done globally and overridden on a per-topic basis.

# The number of messages to accept before forcing a flush of data to disk
#log.flush.interval.messages=10000

# The maximum amount of time a message can sit in a log before we force a flush
#log.flush.interval.ms=1000

############################# Log Retention Policy #############################

# The following configurations control the disposal of log segments. The policy can
# be set to delete segments after a period of time, or after a given size has accumulated.
# A segment will be deleted whenever *either* of these criteria are met. Deletion always happens
# from the end of the log.

# The minimum age of a log file to be eligible for deletion due to age
log.retention.hours=168

# A size-based retention policy for logs. Segments are pruned from the log unless the remaining
# segments drop below log.retention.bytes. Functions independently of log.retention.hours.
#log.retention.bytes=1073741824

# The maximum size of a log segment file. When this size is reached a new log segment will be created.
log.segment.bytes=1073741824

# The interval at which log segments are checked to see if they can be deleted according
# to the retention policies
log.retention.check.interval.ms=300000

# security.inter.broker.protocol=SASL_PLAINTEXT
# sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256
# sasl.enabled.mechanisms=SCRAM-SHA-256

allow.everyone.if.no.acl.found=false
super.users=User:admin
authorizer.class.name=org.apache.kafka.metadata.authorizer.StandardAuthorizer

# Name of listener used for communication between brokers.
inter.broker.listener.name=BROKER

sasl.enabled.mechanisms=SCRAM-SHA-256

sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256
listener.name.broker.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="1234567890";

sasl.mechanism.controller.protocol=SCRAM-SHA-256 
listener.name.controller.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="1234567890";
ZQKC commented 1 year ago

无更多反馈,关闭该Issue