使用 Jaas 配置进行 Kafka 身份验证

Question

我已在我的 Spring Boot 应用程序中将我的 Kafka jaas 配置设置为外部 bean，以从我的 application.yaml 文件中读取我的配置。

但我在从 yaml 文件中读取 jaas keytab 文件时遇到错误。

面临错误

Caused by: javax.security.auth.login.LoginException: Could not login: the client is being asked for a password, but the Kafka client code does not currently support obtaining a password from the user. not available to garner  authentication information from the user
at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:918) ~[jdk.security.auth:na]
at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:738) ~[jdk.security.auth:na]
at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592) ~[jdk.security.auth:na]
at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726) ~[na:na]
at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665) ~[na:na]
at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663) ~[na:na]
at java.base/java.security.AccessController.doPrivileged(AccessController.java:691) ~[na:na]
at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663) ~[na:na]
at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574) ~[na:na]
at org.apache.kafka.common.security.authenticator.AbstractLogin.login(AbstractLogin.java:60) ~[kafka-clients-2.5.1.jar:na]
at org.apache.kafka.common.security.kerberos.KerberosLogin.login(KerberosLogin.java:103) ~[kafka-clients-2.5.1.jar:na]
at org.apache.kafka.common.security.authenticator.LoginManager.<init>(LoginManager.java:62) ~[kafka-clients-2.5.1.jar:na]
at org.apache.kafka.common.security.authenticator.LoginManager.acquireLoginManager(LoginManager.java:112) ~[kafka-clients-2.5.1.jar:na]
at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:158) ~[kafka-clients-2.5.1.jar:na]

这就是我配置我的 jaas 的方式

KafkaJaasConfigurationProperty.java

@Component
@ConfigurationProperties(prefix = "kafka.jaas")
@Getter
@Setter
public class KafkaJaasConfigurationProperties {
  private Map<String, String> options;
}

application.yml

kafka:
 jaas:
  options:
   useKeyTab: true
   keytab: keytab-value
   storeKey: true
   debug: true
   serviceName: kafka
   principal: pricipal-value

KafkaJaasConfigurationBean.java

@Bean
public KafkaJaasLoginModuleInitializer jaasConfig(
    KafkaJaasConfigurationProperties kafkaJaasConfigurationProperties
) throws IOException {
    var jaasConfig = new KafkaJaasLoginModuleInitializer();
    jaasConfig.setControlFlag(KafkaJaasLoginModuleInitializer.ControlFlag.REQUIRED);
    jaasConfig.setOptions(kafkaJaasConfigurationProperties.getOptions());
    return jaasConfig;
}

任何帮助将不胜感激。谢谢！

Answer 1

查看错误，您提供的 jass 配置中的 keytab 文件似乎没有被 KafkaJaasLoginModuleInitializer 拾取。

我可以看到您的 jass 配置中有错字，即"keytab" property value will be "keyTab"

kafka:
 jaas:
  options:
   useKeyTab: true
   keyTab: keytab-value #Try changing this
   storeKey: true
   debug: true
   serviceName: kafka
   principal: pricipal-value

我认为这应该可行，并且应该能够获取 keytab 文件。

春季卡夫卡示例

但是如果您使用的是 spring kafka，您也可以直接提供 jaas 配置，而无需为 KafkaJaasLoginModuleInitializer 创建自己的 bean。

Spring 卡夫卡示例 应用程序.yaml

spring:
  kafka:
    jaas:
      control-flag: required
      enabled: true
      login-module: com.sun.security.auth.module.Krb5LoginModule
      options:
        useKeyTab: true
        keyTab: keytab-value
        storeKey: true
        debug: true
        serviceName: kafka
        principal: pricipal-value

希望对你有帮助！！