Kafka ACL 与 SASL/SCRAM 安全认证配置实践

server.properties（关键项）：listeners=SASL_PLAINTEXT://:9092

advertised.listeners=SASL_PLAINTEXT://broker-1:9092

listener.security.protocol.map=SASL_PLAINTEXT:SASL_PLAINTEXT

inter.broker.listener.name=SASL_PLAINTEXT

authorizer.class.name=kafka.security.authorizer.AclAuthorizer

super.users=User:admin

sasl.enabled.mechanisms=SCRAM-SHA-256,SCRAM-SHA-512

sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256

kafka_server_jaas.conf：KafkaServer {

org.apache.kafka.common.security.scram.ScramLoginModule required

username="admin" password="admin-secret";

};

创建 SCRAM 用户凭据：kafka-configs.sh --bootstrap-server localhost:9092 --alter \

--add-config 'SCRAM-SHA-256=[password=alice-pass],SCRAM-SHA-512=[password=alice-pass-512]' \

--entity-type users --entity-name alice

为主题 orders 配置 ACL：kafka-acls.sh --bootstrap-server localhost:9092 --add \

--allow-principal User:alice --operation Read --topic orders

kafka-acls.sh --bootstrap-server localhost:9092 --add \

--allow-principal User:alice --operation Write --topic orders