Question

Kafka can be configured to use several authentication mechanisms: plaintext username/password, Kerberos or SSL. The first 2 use SASL, where there is a JAAS config file required.
For the plain text auth method, the config looks like (taken from the documentation):
KafkaServer {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="admin"
    password="admin-secret"
    user_admin="admin-secret"
    user_alice="alice-secret";
};
I want to authenticate if possible using LDAP. My question is this: if I replace the PlainLoginModule with a class that implements LoginModule and place this class in the broker's classpath, can I implement authentication in any manner I wish (i.e. LDAP)?
I cannot use Kerberos in a reasonable fashion because of the way its principals are defined within the organisation where I'm working, hence I wish to use LDAP as I need to support RBAC.
Answer

Yes, you can provide Kafka with a custom class that implements LoginModule and have the authentication logic you want in it.
Then update the JAAS file with your class name and make sure it's in the classpath.
You'll need to put some boilerplate code to get everything set up correctly, but you can use PlainLoginModule, PlainSaslServerProvider, PlainSaslServerFactory and PlainSaslServer as examples.
Your LoginModule class should have the same logic as PlainLoginModule but instead initialize your Provider implementation (in the static block).
Your Provider class should have the same logic as PlainSaslServerProvider but instead reference your SaslServerFactory implementation.
Your SaslFactory class should again have the same logic as PlainSaslServerFactory but create an instance of your SaslServer implementation.
Finally, your SaslServer class should implement the necessary LDAP logic in its evaluateResponse() method. Just be sure to correctly set this.authorizationId, as this will become the user principal, and set complete to true (like PlainSaslServer.evaluateResponse() does).