
Apache Kafka: getting secured Kafka and Schema Registry to talk to each other, and configuring Spring Boot for it


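Hey, I have been trying to solve this for two weeks. Basically, I want Kafka on SSL and Schema Registry on HTTPS. There is no Kerberos to be used. I have two Spring services, one is a producer and the other is a consumer (Avro).

This is my current docker compose. When I send a request to the producer, it does not throw any error in the application and the request times out, but the Kafka log shows

kafka_1 | [2019-12-03 09:53:27,454] INFO [SocketServer brokerId=1] Failed authentication with /172.18.0.1 (SSL handshake failed) (org.apache.kafka.common.network.Selector)

When I uncomment the lines in the docker compose, I get "PKIX path building failed", along with some other errors saying that Avro cannot serialize, or something like that.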

services:
  zookeeper:
    image: confluentinc/cp-zookeeper:5.3.0
    ports:
      - 2181:2181
    environment:
      ZOOKEEPER_CLIENT_PORT: "2181"
      ZOOKEEPER_TICK_TIME: "2000"

  kafka:
    image: confluentinc/cp-kafka:5.3.0
    ports:
      - 29094:29094

    environment:
      KAFKA_BROKER_ID: 1
      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: PLAINTEXT:PLAINTEXT,SSL:SSL
      KAFKA_SECURITY_PROTOCOL: SSL
      KAFKA_INTER_BROKER_PROTOCOL: SSL
      KAFKA_INTER_BROKER_LISTENER_NAME: SSL
      KAFKA_LISTENERS: SSL://kafka:29094,PLAINTEXT://kafka:9092
      KAFKA_ADVERTISED_LISTENERS: SSL://kafka:29094,PLAINTEXT://kafka:9092
      KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
      KAFKA_AUTO_CREATE_TOPICS_ENABLE: "true"
      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
#      KAFKA_SSL_CLIENT_AUTH: required
      KAFKA_SSL_KEYSTORE_FILENAME: kafka.server.keystore.jks
      KAFKA_SSL_TRUSTSTORE_FILENAME: kafka.server.truststore.jks
      KAFKA_SSL_KEY_CREDENTIALS: key_credential
      KAFKA_SSL_KEYSTORE_CREDENTIALS: key_credential
      KAFKA_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.server.keystore.jks
      KAFKA_SSL_KEYSTORE_PASSWORD: PASSWORD
      KAFKA_SSL_KEY_PASSWORD: PASSWORD
      KAFKA_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.server.truststore.jks
      KAFKA_SSL_TRUSTSTORE_PASSWORD: PASSWORD
      KAFKA_SSL_TRUSTSTORE_CREDENTIALS: key_credential
      KAFKA_HEAP_OPTS: -Xmx456M
      KAFKA_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM: ""
      #            KAFKA_AUTHORIZER_CLASS_NAME: kafka.security.auth.SimpleAclAuthorizer
      KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: "true"
      KAFKA_SUPER_USERS: User:CN=Kafka-domain

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/xubu/Documents:/etc/kafka/secrets


  schema-registry:
    image: confluentinc/cp-schema-registry:5.3.0
    depends_on:
      - zookeeper
      - kafka
    ports:
      - 8181:8181
      - 8085:8085
      - 8086:8086
    environment:
      SCHEMA_REGISTRY_HOST_NAME: schema-registry
      SCHEMA_REGISTRY_LISTENERS: http://schema-registry:8085, https://schema-registry:8086

      SCHEMA_REGISTRY_KAFKASTORE_CONNECTION_URL: zookeeper:2181
      SCHEMA_REGISTRY_KAFKASTORE_SECURITY_PROTOCOL: SSL
      SCHEMA_REGISTRY_KAFKASTORE_BOOTSTRAP_SERVERS: SSL://kafka:29094
      SCHEMA_REGISTRY_KAFKASTORE_SSL_TRUSTSTORE_LOCATION: /etc/kafka/client/kafka.client.truststore.jks
      SCHEMA_REGISTRY_KAFKASTORE_SSL_TRUSTSTORE_PASSWORD: PASSWORD
      SCHEMA_REGISTRY_KAFKASTORE_SSL_KEYSTORE_LOCATION: /etc/kafka/client/kafka.client.keystore.jks
      SCHEMA_REGISTRY_KAFKASTORE_SSL_KEYSTORE_PASSWORD: PASSWORD
      SCHEMA_REGISTRY_KAFKASTORE_SSL_KEY_PASSWORD: PASSWORD
      SCHEMA_REGISTRY_KAFKASTORE_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM: ""

      SCHEMA_REGISTRY_SSL_TRUSTSTORE_LOCATION: /etc/kafka/client/kafka.client.truststore.jks
      SCHEMA_REGISTRY_SSL_TRUSTSTORE_PASSWORD: PASSWORD
      SCHEMA_REGISTRY_SSL_KEYSTORE_LOCATION: /etc/kafka/client/kafka.client.keystore.jks
      SCHEMA_REGISTRY_SSL_KEYSTORE_PASSWORD: PASSWORD
      SCHEMA_REGISTRY_SSL_KEY_PASSWORD: PASSWORD
      SCHEMA_REGISTRY_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM: ""
      SCHEMA_REGISTRY_SECURITY_PROTOCOL: SSL
      SCHEMA_REGISTRY_INTER_INSTANCE_PROTOCOL: "https"

      #SCHEMA_REGISTRY_SSL_CLIENT_AUTH: 'true'



    volumes:
      - /home/xubu/Documents:/etc/kafka/client
      - /home/xubu/Documents:/etc/kafka/consumer

Below is part of my Spring Boot application.yaml

spring:
  kafka:
    bootstrap-servers: kafka:29094
    producer:
      key-serializer: org.apache.kafka.common.serialization.StringSerializer
      value-serializer: io.confluent.kafka.serializers.KafkaAvroSerializer

      ssl:
        key-store-location: /home/xubu/Documents/kafka.client.keystore.jks
        key-password: PASSWORD
        key-store-password: PASSWORD
        trust-store-location: /home/xubu/Documents/kafka.client.truststore.jks
        trust-store-password: PASSWORD
        protocol: SSL


    properties:
      value:
        subject:
          name:
            strategy: io.confluent.kafka.serializers.subject.RecordNameStrategy
      value-serializer: io.confluent.kafka.serializers.KafkaAvroSerializer
      ssl.endpoint.identification.algorithm: https
      schema.registry.url: https://schema-registry:8086
    ssl:
      trust-store-location: /home/xubu/Documents/kafka.client.truststore.jks
      trust-store-password: PASSWORD
      key-store-location: /home/xubu/Documents/kafka.client.keystore.jks
      key-store-password: PASSWORD
      key-password: PASSWORD
      protocol: SSL
      key-store-type: jks
      trust-store-type: jks

This has been my pain for the past two weeks or so, and it is only an introduction to trying out access control lists on Schema Registry.

I solved this by setting the VM options to include the locations of the keystore and truststore and their passwords.
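
The VM options the answer mentions are presumably the standard javax.net.ssl.* system properties, which set the JVM-wide default keystore and truststore for any HTTPS client in the process that is not given its own stores. An added example (not part of the original post) that builds those options for the paths in the question; STORE_PASSWORD and app.jar are hypothetical names.

```shell
# Added example: build the javax.net.ssl.* VM options for the producer/consumer JVM.
# STORE_PASSWORD and app.jar are hypothetical names; the paths come from the question.

# Print one -D option per line; fail if the password is unset or a store is unreadable.
jvm_tls_opts() {
  truststore=$1
  keystore=$2
  if [ -z "${STORE_PASSWORD:-}" ]; then
    echo "STORE_PASSWORD is not set" >&2
    return 1
  fi
  for store in "$truststore" "$keystore"; do
    if [ ! -r "$store" ]; then
      echo "cannot read store: $store" >&2
      return 1
    fi
  done
  printf '%s\n' \
    "-Djavax.net.ssl.trustStore=$truststore" \
    "-Djavax.net.ssl.trustStorePassword=$STORE_PASSWORD" \
    "-Djavax.net.ssl.keyStore=$keystore" \
    "-Djavax.net.ssl.keyStorePassword=$STORE_PASSWORD"
}

# Same options with the password values masked, safe to write to a log.
jvm_tls_opts_redacted() {
  jvm_tls_opts "$1" "$2" | sed 's/\(Password=\).*/\1****/'
}

# Start the application with the options, logging only the redacted form.
run_app() {
  dir=${1:-/home/xubu/Documents}
  ts=$dir/kafka.client.truststore.jks
  ks=$dir/kafka.client.keystore.jks
  opts=$(jvm_tls_opts "$ts" "$ks") || return 1
  jvm_tls_opts_redacted "$ts" "$ks" >&2
  old_ifs=$IFS
  IFS='
'
  set -f              # split on newlines only, no globbing
  set -- $opts
  set +f
  IFS=$old_ifs
  exec java "$@" -jar app.jar
}
```

Options passed with -D are visible in the process list to other local users, so on a shared host the same four properties can instead be set with System.setProperty before the application opens its first TLS connection.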