Help Center/ MapReduce Service/ Developer Guide (Normal_3.x)/ Kafka Development Guide (Security Mode)/ Application Commissioning/ Running Guide of the Kafka Token Authentication Mechanism Sample Code
Updated on 2022-09-14 GMT+08:00
View PDF

Running Guide of the Kafka Token Authentication Mechanism Sample Code

Procedure

Kafka Server Configuration

  1. Log in to FusionInsight Manager and choose Cluster > Name of the desired cluster > Services > Kafka. On the displayed page, click the Configurations tab. The Kafka service configuration page is displayed.
  2. Enable the token authentication mechanism.

    Find the delegation.token.master.key parameter, which specifies the master key used to generate and verify tokens. Check whether the parameter has been configured. If it has been configured, and the value is not null, the token authentication mechanism has been enabled and does not need to be reconfigured. If the token authentication mechanism is configured again, the original token cannot be used.

  3. Specify the SASL authentication mechanism for a specified service.

    Find the sasl.enabled.mechanisms parameter and set it to GSSAPI,SCRAM-SHA-256,SCRAM-SHA-512. Use commas (,) to separate the three items.

  4. Log in to a component using Scram

    Find the customized parameter kafka.config.expandor and set its name to listener.name.sasl_plaintext.scram-sha-512.sasl.jaas.config. Set the value to org.apache.kafka.common.security.scram.ScramLoginModule required.

  5. Log in to FusionInsight Manager and restart all broker instances of the Kafka service.

Kafka Client Configuration

  1. Generate a token for the user. For details about how to generate a token, see Kafka Token Authentication Mechanism Tool Usage.

Secondary Development Sample Code Project Configuration

The token authentication mechanism can be used for APIs. Therefore, you can configure the token authentication mechanism in Producer() and Consumer() of the secondary development sample.

  1. Enable the token authentication mechanism.

    Set tokenauth to true on the client.

  2. Specify the SASL authentication mechanism for a specified service.

    Set sasl.mechanism to SCRAM-SHA-512 on the client.

  3. Configure the Java Authentication and Authorization Service (JAAS) file.

    Configure sasl.jaas.config on the client as follows:

    org.apache.kafka.common.security.scram.ScramLoginModule required
username="TOKENID"
password="HMAC";

    Where TOKENID and HMAC are generated when tokens are generated in 6.

    For details about how to enable the token authentication mechanism, specify the SASL authentication mechanism for a specified service, and configure the JAAS file, see Sample Code of the Kafka Token Authentication Mechanism.

  4. Run the sample code based on the running environment. For details, see section Commissioning an Application in Windows and Commissioning an Application in Linux.