Apache kafka 如果zookeeper.set.acl设置为true，则Kafka不会启动

我有一个kerberized Zookeeper和kerberized Kafka的设置，它在Zookeeper.set.acl设置为false时运行良好。当我尝试在参数设置为true的情况下启动卡夫卡时，我会在zookeeper日志中看到：

Nov 12 13:36:26 <zk host> docker:zookeeper_corelinux_<zk host>[1195]: [2019-11-12 13:36:26,625] INFO Client attempting to establish new session at /<kafka ip>:54272 (org.apache.zookeeper.server.ZooKeeperServer)
Nov 12 13:36:26 <zk host> docker:zookeeper_corelinux_<zk host>[1195]: [2019-11-12 13:36:26,631] INFO Established session 0x3007c8bcb5c0000 with negotiated timeout 6000 for client /<kafka ip>:54272 (org.apache.zookeeper.server.ZooKeeperServer)
Nov 12 13:36:26 <zk host> docker:zookeeper_corelinux_<zk host>[1195]: [2019-11-12 13:36:26,775] INFO Successfully authenticated client: authenticationID=kafka/<kafka host>@REALM;  authorizationID=kafka/<kafka host>@REALM. (org.apache.zookeeper.server.auth.SaslServerCallbackHandler)
Nov 12 13:36:26 <zk host> docker:zookeeper_corelinux_<zk host>[1195]: [2019-11-12 13:36:26,778] INFO Setting authorizedID: kafka (org.apache.zookeeper.server.auth.SaslServerCallbackHandler)
Nov 12 13:36:26 <zk host> docker:zookeeper_corelinux_<zk host>[1195]: [2019-11-12 13:36:26,778] INFO adding SASL authorization for authorizationID: kafka (org.apache.zookeeper.server.ZooKeeperServer)
Nov 12 13:36:26 <zk host> docker:zookeeper_corelinux_<zk host>[1195]: [2019-11-12 13:36:26,807] ERROR Missing AuthenticationProvider for sasl (org.apache.zookeeper.server.PrepRequestProcessor)
Nov 12 13:36:26 <zk host> docker:zookeeper_corelinux_<zk host>[1195]: [2019-11-12 13:36:26,808] INFO Got user-level KeeperException when processing sessionid:0x3007c8bcb5c0000 type:create cxid:0x4 zxid:0x100000005 txntype:-1 reqpath:n/a Error Path:/brokers/ids Error:KeeperErrorCode = InvalidACL for /brokers/ids (org.apache.zookeeper.server.PrepRequestProcessor)
Nov 12 13:36:26 <zk host> docker:zookeeper_corelinux_<zk host>[1195]: [2019-11-12 13:36:26,829] INFO Processed session termination for sessionid: 0x3007c8bcb5c0000 (org.apache.zookeeper.server.PrepRequestProcessor)

11月12日13:36:26 docker:zookeeper\u corelinux\u[1195]：[2019-11-12 13:36:26625]信息客户端试图在/：54272建立新会话（org.apache.zookeper.server.ZooKeeperServer）
11月12日13:36:26 docker:zookeeper_corelinux_[1195]：[2019-11-12 13:36:26631]信息建立会话0x3007c8bcb5c0000，客户端协商超时6000/：54272（org.apache.zookeper.server.ZooKeeperServer）
11月12日13:36:26 docker:zookeeper_corelinux[1195]：[2019-11-12 13:36:26775]信息已成功验证客户端：authenticationID=kafka/@REALM；authorizationID=kafka/@REALM。（org.apache.zookeeper.server.auth.SaslServerCallbackHandler）
11月12日13:36:26 docker:zookeeper_corelinux[1195]：[2019-11-12 13:36:26778]信息设置：kafka（org.apache.zookeeper.server.auth.SaslServerCallbackHandler）
11月12日13:36:26 docker:zookeeper_corelinux_[1195]：[2019-11-12 13:36:26778]为授权添加SASL授权的信息ID:kafka（org.apache.zookeeper.server.ZooKeeperServer）
11月12日13:36:26 docker:zookeeper_corelinux_[1195]：[2019-11-12 13:36:26807]缺少sasl的身份验证提供程序时出错（org.apache.zookeeper.server.prerequestProcessor）
11月12日13:36:26 docker:zookeeper_corelinux_[1195]：[2019-11-12 13:36:26808]处理会话时获得用户级KeeperException信息ID:0x3007c8bcb5c0000类型：创建cxid:0x4 zxid:0x10000005 txntype:-1请求路径：n/a错误路径：/brokers/ids错误：KeeperrorCode=InvalidACL for/brokers/ids（org.apache.zookeeper.server.PrequestProcessor）
11月12日13:36:26 docker:zookeeper\u corelinux \[1195]：[2019-11-12 13:36:26829]会话ID:0x3007c8bcb5c0000的信息处理会话终止（org.apache.zookeper.server.prerequestProcessor）

卡夫卡和Zookeeper都在docker中运行（使用Confluent的图像）

以下是Zookeeper配置（通过环境变量传入）：

“ZOOKEEPER\u AUTHPROVIDER\u 1=org.apache.ZOOKEEPER.server.auth.SASLAuthenticationProvider”，
“KAFKA_OPTS=-Djava.security.auth.login.config=/etc/zookeeper/secrets/zookeer_jaas.conf-Dzookeeper.kerberos.removeHostFromPrincipal=true-Dzookeeper.kerberos.removealmFromPrincipal=true”，
“ZOOKEEPER_服务器_ID=1”，
“ZOOKEEPER_REQUIRECLIENTAUTHSCHEME=SASL”，
“KAFKA_JMX_主机名=”，
“ZOOKEEPER_INIT_LIMIT=10”，
“动物园管理员”JASSLOGINRENEW=3600000，
“ZOOKEEPER_LOG4J_PROP=DEBUG，ROLLINGFILE”，
“ZOOKEEPER\u MAX\u CLIENT\u CNXNS=0”，
“ZOOKEEPER_服务器=0.0.0.0:2888:3888；zookeeper2:2888:3888；zookeeper3:2888:3888”，
“ZOOKEEPER\u DATA\u DIR=/DATA/ZOOKEEPER”，
“ZOOKEEPER_客户端_端口=2181”，
“KAFKA_JMX_端口=55554”

动物园管理员贾斯：

Server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    doNotPrompt=true
    useTicketCache=false
    keyTab="/etc/zookeeper/secrets/kfkzkp.keytab"
    principal="zookeeper/<zk host>@REALM";
};

服务器{
需要com.sun.security.auth.module.Krb5LoginModule
useKeyTab=true
storeKey=true
doNotPrompt=true
useTicketCache=false
keyTab=“/etc/zookeeper/secrets/kfkzkp.keyTab”
principal=“zookeeper/@REALM”；
};

这是卡夫卡的配置：

"KAFKA_ZOOKEEPER_SET_ACL=true",
"KAFKA_DEFAULT_REPLICATION_FACTOR=3",
"KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL=GSSAPI",
"KAFKA_ADVERTISED_LISTENERS=SASL_SSL://<kafka host>:9092",
"KAFKA_OPTS=-Djava.security.auth.login.config=/etc/kafka/secrets/kafka_server_jaas.conf",
"KAFKA_ZOOKEEPER_CONNECT=zookeeper1:2181,zookeeper2:2181,zookeeper3:2181",
"KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND=true",
"KAFKA_SSL_CLIENT_AUTH=required",
"KAFKA_CONFLUENT_SUPPORT_METRICS_ENABLE=False",
"KAFKA_LOG_DIRS=/data/kafka",
"KAFKA_SASL_KERBEROS_SERVICE_NAME=kafka",
"KAFKA_SSL_TRUSTSTORE_FILENAME=root-ca-certificate.jks",
"KAFKA_JMX_HOSTNAME=<kafka host>",
"KAFKA_MIN_INSYNC_REPLICAS=2",
"KAFKA_JMX_PORT=55555",
"KAFKA_SSL_KEY_CREDENTIALS=redacted",
"KAFKA_AUTHORIZER_CLASS_NAME=kafka.security.auth.SimpleAclAuthorizer",
"KAFKA_SUPER_USERS=User:superuser;User:me",
"KAFKA_SSL_KEYSTORE_FILENAME=<kafka host>.jks",
"KAFKA_SSL_KEYSTORE_CREDENTIALS=redacted",
"KAFKA_SSL_TRUSTSTORE_CREDENTIALS=redacted",
"KAFKA_AUTO_CREATE_TOPICS_ENABLE=true",
"KAFKA_SASL_ENABLED_MECHANISMS=GSSAPI,PLAIN",
"KAFKA_LISTENERS=SASL_SSL://<kafka host>:9092",
"KAFKA_SECURITY_INTER_BROKER_PROTOCOL=SASL_SSL",

“卡夫卡动物园管理员设置ACL=true”，
“卡夫卡默认复制系数=3”，
“KAFKA_SASL_机制_INTER_BROKER_协议=GSSAPI”，
“KAFKA_播发的侦听器=SASL_SSL://:9092”，
“KAFKA_OPTS=-Djava.security.auth.login.config=/etc/KAFKA/secrets/KAFKA_server_jaas.conf”，
“KAFKA_ZOOKEEPER_CONNECT=zookeeper1:2181，zookeeper2:2181，zookeeper3:2181”，
“卡夫卡允许所有人，如果没有ACL=true”，
“KAFKA_SSL_CLIENT_AUTH=必需”，
“KAFKA_CONFLUENT_SUPPORT_METRICS_ENABLE=False”，
“KAFKA_LOG_DIRS=/data/KAFKA”，
“KAFKA_SASL_KERBEROS_SERVICE_NAME=KAFKA”，
“KAFKA_SSL_TRUSTSTORE_FILENAME=root ca certificate.jks”，
“KAFKA_JMX_主机名=”，
“KAFKA_MIN_INSYNC_副本=2”，
“卡夫卡JMX_端口=55555”，
“KAFKA\u SSL\u KEY\u CREDENTIALS=已编辑”，
“KAFKA_AUTHORIZER_CLASS_NAME=KAFKA.security.auth.SimpleClauthorizer”，
“卡夫卡超级用户=用户：超级用户；用户：我”，
“KAFKA_SSL_密钥库_文件名=.jks”，
“KAFKA_SSL_密钥库_凭据=已编辑”，
“KAFKA_SSL_TRUSTSTORE_CREDENTIALS=已编辑”，
“KAFKA_AUTO_CREATE_TOPICS_ENABLE=true”，
“KAFKA_SASL_ENABLED_mechanism=GSSAPI，普通”，
“KAFKA_LISTENERS=SASL_SSL://:9092”，
“KAFKA_SECURITY_INTER_BROKER_PROTOCOL=SASL_SSL”，

卡夫卡·贾亚斯：

// Zookeeper client authentication
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    doNotPrompt=true
    useTicketCache=false
    serviceName=kafka
    keyTab="/etc/kafka/secrets/kfkzkp.keytab"
    principal="kafka/<kafka host>@REALM";
};

//Zookeeper客户端身份验证
客户{
需要com.sun.security.auth.module.Krb5LoginModule
useKeyTab=true
storeKey=true
doNotPrompt=true
useTicketCache=false
serviceName=kafka
keyTab=“/etc/kafka/secrets/kfkzkp.keyTab”
principal=“kafka/@REALM”；
};

---

我已经看了一段时间了，并且浏览了谷歌上的大部分相关内容（包括stackoverflow的一些链接）。任何建议都是非常受欢迎的。

找到了答案。由于某些原因，某些变量无法从环境中正确提取。我昨天在ZOOKEEPER_KERBEROS_RemoveAllFromPrincipal（和REMOVEHOSTFROMPRINCIPAL）中注意到了这一点。所以我试着移动这些

"ZOOKEEPER_AUTHPROVIDER_1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider",
"ZOOKEEPER_REQUIRECLIENTAUTHSCHEME=SASL",

进入

就这样分类了

"ZOOKEEPER_AUTHPROVIDER_1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider",
"ZOOKEEPER_REQUIRECLIENTAUTHSCHEME=SASL",

KAFKA_OPTS: "-Djava.security.auth.login.config=/etc/zookeeper/secrets/zookeeper_jaas.conf -Dzookeeper.kerberos.removeHostFromPrincipal=true -Dzookeeper.kerberos.removeRealmFromPrincipal=true -Dzookeeper.authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider -Dzookeeper.requireClientAuthScheme=sasl"