本文主要介绍下 kafka 0.10.0 版如何实现sasl/plain认证机制及权限控制
kafka 的安全机制主要分为两部分:
- 身份认证(Authentication): 对客户端的身份进行认证
- 权限控制(Authorization): 对topic级别的权限进行控制
kafka 目前支持 SSL,SASL(Kerberos),SASL(PLAIN) 三种认证机制。其中 SASL/PLAIN 的用户名和密码以明文传输,应与 SSL 配合使用(SASL_SSL),避免凭据在网络上被窃听。
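-- Create a ksqlDB stream over an existing Kafka topic.
-- VALUE_FORMAT is left as a placeholder ('...') in this example.
-- When broker ACLs are enabled, the ksqlDB service principal needs read
-- access to 'input-topic' for this statement to be usable.
CREATE STREAM myStream (username VARCHAR, location VARCHAR)
  WITH (KAFKA_TOPIC='input-topic', VALUE_FORMAT='...');

-- Create a ksqlDB table over the same Kafka topic.
-- NOTE(review): the KEY property in WITH looks like older ksqlDB syntax;
-- newer releases declare the key column inline — confirm against the
-- target ksqlDB version.
CREATE TABLE myTable (username VARCHAR, location VARCHAR)
  WITH (KAFKA_TOPIC='input-topic', KEY='username', VALUE_FORMAT='...');

-- Continuously aggregate a stream into a table with a persistent query.
-- The source stream definition is elided ('...') in this example.
CREATE STREAM locationUpdatesStream ...;

-- Counts rows per username; EMIT CHANGES keeps the result updating as
-- new records arrive on the source stream.
CREATE TABLE locationsPerUser AS
  SELECT username, COUNT(*)
  FROM locationUpdatesStream
  GROUP BY username
  EMIT CHANGES;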
```go | |
package main | |
import ( | |
"bufio" | |
"bytes" | |
"encoding/binary" | |
"fmt" | |
"io" | |
) |
package main | |
import ( | |
"bufio" | |
"bytes" | |
"fmt" | |
"io" | |
"log" | |
"net" | |
"os" |
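# Image needs to have ssh-client
image: docker:git

services:
  - docker:dind

stages:
  - staging

before_script:
  # Pass the registry token on stdin: with -p it is placed on the docker
  # command line, where it is visible in the process list and can end up
  # in debug output. The variables are quoted so an empty or unusual value
  # cannot shift the arguments.
  # NOTE(review): CI_BUILD_TOKEN is the legacy variable name; newer GitLab
  # releases use CI_JOB_TOKEN — confirm against the GitLab version in use.
  - echo "$CI_BUILD_TOKEN" | docker login -u gitlab-ci-token --password-stdin "$CI_REGISTRY"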
PLAY [all] ************************************************************************************* | |
TASK [set_fact] ******************************************************************************** | |
Thursday 14 March 2019 07:04:49 +0000 (0:00:00.240) 0:00:00.240 ******** | |
ok: [ip-172-16-0-157.cn-northwest-1.compute.internal] | |
ok: [ip-172-16-0-231.cn-northwest-1.compute.internal] | |
ok: [ip-172-16-0-32.cn-northwest-1.compute.internal] | |
TASK [Storing commands output] ***************************************************************** | |
Thursday 14 March 2019 07:04:49 +0000 (0:00:00.388) 0:00:00.628 ******** |
TASK [kubernetes/master : Backup old certs and keys] ******************************************* | |
task path: /home/centos/kubespray/roles/kubernetes/master/tasks/kubeadm-certificate.yml:2 | |
Thursday 14 March 2019 06:05:10 +0000 (0:00:01.655) 0:06:23.774 ******** | |
TASK [kubernetes/master : Remove old certs and keys] ******************************************* | |
task path: /home/centos/kubespray/roles/kubernetes/master/tasks/kubeadm-certificate.yml:16 | |
Thursday 14 March 2019 06:05:10 +0000 (0:00:00.245) 0:06:24.019 ******** | |
TASK [kubernetes/master : Generate new certs and keys] ***************************************** | |
task path: /home/centos/kubespray/roles/kubernetes/master/tasks/kubeadm-certificate.yml:28 |
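# Point npm at a mirror for packages and for the prebuilt binaries that some
# packages download at install time.
# Every URL uses https: these settings decide where executables are fetched
# from, and a plain-http download can be altered in transit before it runs.
# NOTE(review): confirm the mirror still serves these paths over https before
# relying on this configuration.
npm set registry https://registry.npm.taobao.org # package registry mirror
npm set disturl https://npm.taobao.org/dist # mirror of the node sources that node-gyp compiles against
## The following are optional
npm set chromedriver_cdnurl https://cdn.npm.taobao.org/dist/chromedriver # chromedriver binary mirror
npm set operadriver_cdnurl https://cdn.npm.taobao.org/dist/operadriver # operadriver binary mirror
npm set phantomjs_cdnurl https://cdn.npm.taobao.org/dist/phantomjs # phantomjs binary mirror
npm set sass_binary_site https://cdn.npm.taobao.org/dist/node-sass # node-sass binary mirror
npm set electron_mirror https://cdn.npm.taobao.org/dist/electron/ # electron binary mirror
npm set selenium_cdnurl=https://npm.taobao.org/mirrors/selenium # selenium binary mirror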