SASL/SCRAM认证方式的连接

使用用户名/密码连接到MSK

在当前目录下创建一个client.testuser1文件,内容如下(根据上一节在secret manager设置的用户名/密码做替换):

security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-512
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
  username=mskuser \
  password=mskpass;

访问集群:

export KAFKA=b-6.mskdemo.mxqzz7.c4.kafka.ap-southeast-1.amazonaws.com:9096,b-5.mskdemo.mxqzz7.c4.kafka.ap-southeast-1.amazonaws.com:9096,b-1.mskdemo.mxqzz7.c4.kafka.ap-southeast-1.amazonaws.com:9096  # 根据实际的broker连接方式做替换

kafka-topics --bootstrap-server $KAFKA --list --command-config client.testuser1

成功访问到topic列表:

image-20220109170242637

更新client.testuser1文件,使用错误的用户名+密码,重新进行访问,会提示invalid credentials

image-20220109162109389

接下来测试使用SASL/SCRAM方式生产/消费数据,执行以下命令打开producer端:

kafka-console-producer --broker-list $KAFKA --topic topic1 --producer.config client.testuser1

打开新的terminal,用于consumer接收数据:

export KAFKA=b-6.mskdemo.mxqzz7.c4.kafka.ap-southeast-1.amazonaws.com:9096,b-5.mskdemo.mxqzz7.c4.kafka.ap-southeast-1.amazonaws.com:9096,b-1.mskdemo.mxqzz7.c4.kafka.ap-southeast-1.amazonaws.com:9096  # 根据实际的broker连接方式做替换

kafka-console-consumer --bootstrap-server $KAFKA --topic topic1 --from-beginning --consumer.config client.testuser1

在producer端发送一些数据,consumer端可以成功接收到:

image-20220109170559812

image-20220109170548358

附:AKHQ的配置

在第一章我们配置AKHQ时使用的plaintext进行连接,此时再打开AKHQ的页面肯定是不能正常工作的。我们需要更新它的配置

建议将原来的docker-compose.yaml先备份,再对原来的文件做更改:
cp docker-compose.yaml docker-compose.yaml.bak

将原来docker-compose.yaml第11行左右开始, 更新为:

services:
  akhq:
    # build:
    #   context: .
    image: tchiotludo/akhq
    environment:
      AKHQ_CONFIGURATION: |
        akhq:
          connections:
            docker-kafka-server:
              properties:
                bootstrap.servers: "b-6.mskdemo.mxqzz7.c4.kafka.ap-southeast-1.amazonaws.com:9096,b-5.mskdemo.mxqzz7.c4.kafka.ap-southeast-1.amazonaws.com:9096,b-1.mskdemo.mxqzz7.c4.kafka.ap-southeast-1.amazonaws.com:9096"
                security.protocol: SASL_SSL
                sasl.mechanism: SCRAM-SHA-512
                sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username="mskuser" password="mskpass";
    ports:
      - 8080:8080

说明:

  • bootstrap.servers参数和sasl.jaas.config根据实际的值进行替换

运行docker-compose对容器进行更新:

 docker-compose up --force-recreate --build -d

image-20220109181716254

访问AKHQ的UI,能成功获取到集群的topic信息并执行更改操作:

image-20220109182131375

配置参考: https://github.com/tchiotludo/akhq/blob/dev/application.example.yml