Access Control
When clients keep producing and consuming but the Kafka cluster cannot respond to those requests normally, you can temporarily restrict the Kafka user's access to data, transactions, topics and so on to avoid a message backlog.
For example, if the Kafka cluster fails unexpectedly while logs are being collected, configuring encrypted authentication and access control for the Kafka user lets the logs produced by the client continue to be forwarded to the database instead of piling up because they cannot be consumed, so log collection is not interrupted.
Prerequisites
- Make sure the authentication and authorization type of the KafkaUser instance matches that of the Kafka instance.
- Make sure Encryption Configuration has been completed.
Procedure
- In the left navigation bar, click App Store Management > Operators.
- On the Deployed Operators tab, click strimzi-kafka-operator.
- On the Resource Instances tab, click the KafkaUser instance's action icon > Update.
- Configure the spec.acls parameter by referring to the following example:

  apiVersion: kafka.strimzi.io/v1beta1
  kind: KafkaUser
  metadata:
    labels:
      strimzi.io/cluster: my-cluster
    name: my-user
  spec:
    authentication:
      type: scram-sha-512
    authorization:
      type: simple
      acls:
        # Consumer ACLs
        - host: '*'
          operation: Read
          resource:
            name: my-topic
            patternType: literal
            type: topic
          type: allow
        - host: '*'
          operation: Read
          resource:
            name: my-group
            patternType: literal
            type: group
          type: allow
        - host: '*'
          operation: ClusterAction
          resource:
            type: cluster
          type: allow
        - host: '*'
          operation: Describe
          resource:
            name: my-group
            patternType: literal
            type: group
          type: allow
        - host: '*'
          operation: Describe
          resource:
            name: my-topic
            patternType: literal
            type: topic
          type: allow
        - host: '*'
          operation: Describe
          resource:
            type: cluster
          type: allow
        # Producer ACLs
        - host: '*'
          operation: Write
          resource:
            name: my-topic
            patternType: literal
            type: topic
          type: deny
        - host: '*'
          operation: IdempotentWrite
          resource:
            type: cluster
          type: deny
        - host: '*'
          operation: Create
          resource:
            name: my-topic
            patternType: literal
            type: topic
          type: deny
        - host: '*'
          operation: Create
          resource:
            type: cluster
          type: deny
        # Note: Kafka evaluates deny entries before allow entries, so this deny
        # takes precedence over the Describe allow for my-topic listed above.
        - host: '*'
          operation: Describe
          resource:
            name: my-topic
            patternType: literal
            type: topic
          type: deny
        - host: '*'
          operation: Alter
          resource:
            name: my-topic
            patternType: literal
            type: topic
          type: deny

- Click Update.
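To see what these entries actually do before applying them, here is an added example (not from the original page or from Strimzi) that models how Kafka's AclAuthorizer evaluates the user's ACLs listed above: a matching deny entry overrides any allow, and allow entries for Read, Write, Alter and Delete also satisfy Describe. The Acl class, the PAGE_ACLS transcription and the sample client host address are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Allow entries for these operations also satisfy the implied operation (Kafka
# AclAuthorizer behaviour); deny entries are matched on the exact operation only.
IMPLIED_ALLOW = {"Describe": {"Describe", "Read", "Write", "Delete", "Alter"},
                 "DescribeConfigs": {"DescribeConfigs", "AlterConfigs"}}

@dataclass(frozen=True)
class Acl:
    operation: str
    res_type: str              # topic, group or cluster
    name: Optional[str]        # None for cluster-scoped entries
    pattern: str               # literal or prefixed
    effect: str                # allow or deny
    host: str = "*"

def matches(acl, op, res_type, name, host):
    if acl.res_type != res_type or acl.operation != op or acl.host not in ("*", host):
        return False
    if acl.name is None:
        return True
    if acl.pattern == "literal":
        return acl.name in ("*", name)
    return name.startswith(acl.name)   # prefixed pattern

def authorize(acls, op, res_type, name=None, host="10.0.0.5"):
    """Return 'deny' or 'allow'; a matching deny always wins over an allow."""
    if any(a.effect == "deny" and matches(a, op, res_type, name, host) for a in acls):
        return "deny"
    for implied in IMPLIED_ALLOW.get(op, {op}):
        if any(a.effect == "allow" and matches(a, implied, res_type, name, host) for a in acls):
            return "allow"
    return "deny"   # no matching entry: denied by default

# The entries from the KafkaUser example above, transcribed by hand (constructed data).
PAGE_ACLS = [
    Acl("Read", "topic", "my-topic", "literal", "allow"),
    Acl("Read", "group", "my-group", "literal", "allow"),
    Acl("ClusterAction", "cluster", None, "literal", "allow"),
    Acl("Describe", "group", "my-group", "literal", "allow"),
    Acl("Describe", "topic", "my-topic", "literal", "allow"),
    Acl("Describe", "cluster", None, "literal", "allow"),
    Acl("Write", "topic", "my-topic", "literal", "deny"),
    Acl("IdempotentWrite", "cluster", None, "literal", "deny"),
    Acl("Create", "topic", "my-topic", "literal", "deny"),
    Acl("Create", "cluster", None, "literal", "deny"),
    Acl("Describe", "topic", "my-topic", "literal", "deny"),
    Acl("Alter", "topic", "my-topic", "literal", "deny"),
]
```

Evaluating the consumer operations (Read on my-topic and my-group) returns allow while the producer operations (Write, Create, Alter) return deny; it also shows that the explicit Describe deny on my-topic overrides the Describe allow above it, which is worth verifying against what your consumers' metadata requests need before clicking Update.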