Juniper Networks Streaming API Software

Product Information

Specifications

  • Product name: Paragon Active Assurance
  • Version: 4.1
  • Publication date: 2023-03-15

Introduction:
This guide provides instructions on how to extract data from Paragon Active Assurance using the product's streaming API. The streaming client and the API are included in the Paragon Active Assurance installation, but some configuration is required before using the API. The configuration procedure is covered in the section "Configuring the Streaming API".

Configuring the Streaming API:
The following steps describe the procedure for configuring the streaming API:

Overview
Kafka is an event-streaming platform designed for real-time capture and storage of data from various sources. It allows events to be managed in a distributed, scalable, fault-tolerant, and secure manner. This guide focuses on configuring Kafka to use the Streaming API feature in Paragon Active Assurance Control Center.

Terminology
The Streaming API allows external clients to retrieve metrics information from Kafka. Metrics collected by the Test Agents during a test or monitoring task are sent to the Stream service. After processing, the Stream service publishes these metrics on Kafka together with additional metadata.

Kafka Topics
The Streaming API uses Kafka topics to organize and store metrics and metadata. Kafka topics can be created and managed according to specific requirements.

Enabling the Streaming API
To enable the Streaming API, follow these steps:

  1. Set KAFKA_METRICS_ENABLED = True in the main configuration file, then run the following commands on the Control Center server using sudo:
    sudo ncc services enable timescaledb metrics
    sudo ncc services start timescaledb metrics
    sudo ncc services restart

Verifying that the Streaming API works in Control Center:
To verify that you are receiving metrics on the correct Kafka topics:

  1. Install the kafkacat utility with the following commands:
    sudo apt-get update
    sudo apt-get install kafkacat
  2. Replace "myaccount" with the short name of your account as shown in the
    Control Center URL:
    export METRICS_TOPIC=paa.public.accounts.myaccount.metrics
    export METADATA_TOPIC=paa.public.accounts.myaccount.metadata
  3. Run the following command to view metrics:
    kafkacat -b ${KAFKA_FQDN}:9092 -t ${METRICS_TOPIC} -C -e
    Note: The above command will display the metrics.
  4. To view metadata, run the following command:
    kafkacat -b ${KAFKA_FQDN}:9092 -t ${METADATA_TOPIC} -C -e

Note: The above command will display metadata, but it will not update as frequently.

Client Examples
For client examples and further information, see page 14 of the user manual.

FAQ (frequently asked questions)

  • Q: What is Paragon Active Assurance?
    A: Paragon Active Assurance is a product that provides monitoring and testing capabilities.
  • Q: What is the Streaming API?
    A: The Streaming API is a feature of Paragon Active Assurance that allows external clients to retrieve metrics information from Kafka.
  • Q: How do I enable the Streaming API?
    A: To enable the Streaming API, follow the steps described in the "Enabling the Streaming API" section of the user manual.
  • Q: How can I verify that the Streaming API is working?
    A: See the "Verifying That the Streaming API Works in Control Center" section for instructions on how to verify that the Streaming API is working.

Introduction

This guide describes how to extract data from Paragon Active Assurance via the product's streaming API.
The API as well as the streaming client are included in the Paragon Active Assurance installation. However, a bit of configuration is needed before you can use the API. This is covered in the "Configuring the Streaming API" on page 1 chapter.

Overview
This chapter describes how to configure the Streaming API to allow subscribing to metrics messages via Kafka.
Below we will go through:

  • How to enable the Streaming API
  • How to configure Kafka to listen to external clients
  • How to configure Kafka to use ACLs and set up SSL encryption for said clients

What Is Kafka?
Kafka is an event-streaming platform that allows real-time capture of data sent from various event sources (sensors, databases, mobile devices) in the form of event streams, as well as durable storing of these event streams for later retrieval and manipulation.
With Kafka it is possible to manage the event streaming end-to-end in a distributed, highly scalable, elastic, fault-tolerant, and secure manner.

NOTE: Kafka can be configured in many different ways and was designed for scalability and redundant systems. This document focuses only on how to configure it to make use of the Streaming API feature found in Paragon Active Assurance Control Center. For more advanced setups we refer to the official Kafka documentation: kafka.apache.org/26/documentation.html.

Terminology

  • Kafka: Event-streaming platform.
  • Kafka topic: Collection of events.
  • Kafka subscriber/consumer: Component responsible for retrieval of events stored in a Kafka topic.
  • Kafka broker: Storage layer server of a Kafka cluster.
  • SSL/TLS: SSL is a secure protocol developed for sending information securely over the Internet. TLS is the successor of SSL, introduced in 1999.
  • SASL: Framework that provides mechanisms for user authentication, data integrity checking, and encryption.
  • Streaming API subscriber: Component responsible for retrieval of events stored in topics defined in Paragon Active Assurance and meant for external access.
  • Certificate Authority: A trusted entity that issues and revokes public key certificates.
  • Certificate Authority root certificate: Public key certificate that identifies a Certificate Authority.

How the Streaming API Works
As previously mentioned, the Streaming API allows external clients to retrieve information about metrics from Kafka.

All metrics collected by the Test Agents during a test or monitoring task are sent to the Stream service. After a processing phase, the Stream service publishes those metrics on Kafka together with additional metadata.

Kafka Topics
Kafka has the concept of topics to which all data is published. In Paragon Active Assurance there are many such Kafka topics available; however, only a subset of these are meant for external access.
Each Paragon Active Assurance account in Control Center has two dedicated topics. Below, ACCOUNT is the account short name:

  • paa.public.accounts.{ACCOUNT}.metrics
    • All metrics messages for the given account are published to this topic
    • Large amounts of data
    • High update frequency
  • paa.public.accounts.{ACCOUNT}.metadata
    • Contains metadata related to the metrics data, for example the test, monitor or Test Agent associated with the metrics
    • Small amounts of data
    • Low update frequency

Enabling the Streaming API

NOTE: These instructions are to be run on the Control Center server using sudo.

Since the Streaming API adds some overhead to the Control Center, it is not enabled by default. To enable the API, we must first enable publishing of metrics to Kafka in the main configuration file:

    KAFKA_METRICS_ENABLED = True

WARNING: Enabling this feature might impact Control Center performance. Make sure you have dimensioned your instance accordingly.

Next, to enable forwarding of these metrics to the correct Kafka topics:

    streaming-api: true

To enable and start the Streaming API services, run:

    sudo ncc services enable timescaledb metrics
    sudo ncc services start timescaledb metrics

Finally, restart the services:

    sudo ncc services restart

Verifying That the Streaming API Works in Control Center

NOTE: These instructions are to be run on the Control Center server.

You can now verify that you are receiving metrics on the correct Kafka topics. To do so, install the kafkacat utility:

    sudo apt-get update
    sudo apt-get install kafkacat

If you have a test or monitor running in Control Center, you should be able to use kafkacat to receive metrics and metadata on these topics.
Replace myaccount with the short name of your account (this is what you see in your Control Center URL):

    export METRICS_TOPIC=paa.public.accounts.myaccount.metrics
    export METADATA_TOPIC=paa.public.accounts.myaccount.metadata

You should now see metrics by running this command:

    kafkacat -b ${KAFKA_FQDN}:9092 -t ${METRICS_TOPIC} -C -e

To view metadata, run the following command (note that this will not update as frequently):

    kafkacat -b ${KAFKA_FQDN}:9092 -t ${METADATA_TOPIC} -C -e

NOTE:
kafkacat "Client Examples" on page 14

This verifies that we have a working Streaming API from within Control Center. However, most likely you are interested in accessing the data from an external client instead. The next section describes how to open up Kafka for external access.

Opening Up Kafka for External Hosts

NOTE: These instructions are to be run on the Control Center server.

By default Kafka running on the Control Center is configured to only listen on localhost for internal use. It is possible to open up Kafka for external clients by modifying Kafka settings.

Connecting to Kafka: Caveats

CAUTION: Please read this carefully, since it is easy to run into connection issues with Kafka if you have not understood these concepts.

In the Control Center setup described in this document, there is only a single Kafka broker.
However, note that a Kafka broker is meant to run as part of a Kafka cluster which may consist of many Kafka brokers.
When connecting to a Kafka broker, an initial connection is set up by the Kafka client. Over this connection the Kafka broker in turn will return a list of "advertised listeners", which is a list of one or more Kafka brokers.
On receiving this list, the Kafka client will disconnect, then reconnect to one of these advertised listeners. The advertised listeners must contain hostnames or IP addresses that are accessible to the Kafka client, or the client will fail to connect.
If SSL encryption is used, involving an SSL certificate which is tied to a particular hostname, it is even more important that the Kafka client receives the correct address to connect to, since otherwise the connection may be rejected.
Read more about Kafka listeners here: www.confluent.io/blog/kafka-listeners-explained

SSL/TLS Encryption
To make sure only trusted clients are allowed to access Kafka and the Streaming API, we must configure the following:

  • Authentication: Clients must provide username and password through an SSL/TLS secure connection between the client and Kafka.
  • Authorization: Authenticated clients can perform tasks regulated by ACLs.

Here is an overview:

*) Username/password authentication performed on an SSL-encrypted channel

To fully understand how the SSL/TLS encryption works for Kafka, please refer to the official documentation: docs.confluent.io/platform/current/kafka/encryption.html

SSL/TLS Certificate Overview

NOTE: In this subsection we will use the following terminology:

Certificate: An SSL certificate signed by a Certificate Authority (CA). Each Kafka broker has one.
Keystore: The keystore file that stores the certificate. The keystore file contains the private key of the certificate; therefore, it needs to be kept safely.
Truststore: A file containing the trusted CA certificates.

To set up the authentication between an external client and Kafka running in Control Center, both sides must have a keystore defined with a related certificate signed by a Certificate Authority (CA) together with the CA root certificate.
In addition to this, the client must also have a truststore with the CA root certificate.
The CA root certificate is common to the Kafka broker and Kafka client.

Creating the Required Certificates
This is covered in the "Appendix" on page 17.

Kafka Broker SSL/TLS Configuration in Control Center

NOTE: These instructions are to be run on the Control Center server.

NOTE: Before continuing, you must create the keystore which contains the SSL certificate by following the instructions in the "Appendix" on page 17. The paths mentioned below come from these instructions.
The SSL keystore is a file stored on disk with the file extension .jks.

Once you have the required certificates created for both the Kafka broker and the Kafka client available, you can continue by configuring the Kafka broker running in Control Center. You need to know the following:

  • <public_hostname>: The public hostname of Control Center; this must be resolvable and accessible by Kafka clients.
  • <keystore_pwd>: The keystore password provided when creating the SSL certificate.
  • <admin_pwd> and <client_pwd>: These are the passwords you want to set for the admin and client user respectively. Note that you can add more users, as indicated in the example.

Edit or append (with sudo access) the properties below in /etc/kafka/server.properties, inserting the above variables as shown:

WARNING: Do not remove PLAINTEXT://localhost:9092; this will break Control Center functionality since internal services will not be able to communicate.

    # The addresses that the Kafka broker listens on.
    listeners=PLAINTEXT://localhost:9092,SASL_SSL://0.0.0.0:9093
    # These are the hosts advertised back to any client connecting.
    advertised.listeners=PLAINTEXT://localhost:9092,SASL_SSL://<public_hostname>:9093
    ...
    ####### CUSTOM CONFIG
    # SSL CONFIGURATION
    ssl.endpoint.identification.algorithm=
    ssl.keystore.location=/var/ssl/private/kafka.server.keystore.jks
    ssl.keystore.password=<keystore_pwd>
    ssl.key.password=<keystore_pwd>
    ssl.client.auth=none
    ssl.protocol=TLSv1.2
    # SASL configuration
    sasl.enabled.mechanisms=PLAIN
    listener.name.sasl_ssl.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
        username="admin" \
        password="<admin_pwd>" \
        user_admin="<admin_pwd>" \
        user_client="<client_pwd>";
    # NOTE more users can be added with user_<name>=<pwd>
    # Authorization, turn on ACLs
    authorizer.class.name=kafka.security.authorizer.AclAuthorizer
    super.users=User:admin
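
A check to run before restarting the services, as an added example (not Juniper's code): it parses the text of a server.properties file and flags the failure modes that the caveats and the warning above describe. The function names, the finding codes, the sample configurations and the hostname cc.example.com are constructed for illustration.

```python
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
UNROUTABLE = LOOPBACK | {"", "0.0.0.0"}

def parse_properties(text):
    """Parse key=value lines; '#' starts a comment, a trailing '\\' continues."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def parse_listeners(value):
    """'NAME://host:port,...' -> {NAME: (host, port)}."""
    out = {}
    for item in filter(None, (part.strip() for part in value.split(","))):
        name, _, addr = item.partition("://")
        host, _, port = addr.rpartition(":")
        out[name.upper()] = (host.strip("[] "), port.strip())
    return out

def lint_broker_config(text, public_hostname):
    """Return a list of (code, detail) findings; an empty list means no findings."""
    props = parse_properties(text)
    listeners = parse_listeners(props.get("listeners", ""))
    advertised = parse_listeners(props.get("advertised.listeners", ""))
    findings = []
    # The page's warning: internal services rely on the local PLAINTEXT listener.
    if "PLAINTEXT" not in listeners:
        findings.append(("internal-listener-missing",
                         "Control Center services need PLAINTEXT://localhost:9092"))
    # An unencrypted listener must stay on loopback, or it bypasses SASL_SSL.
    for name, (host, port) in listeners.items():
        if name.endswith("PLAINTEXT") and host not in LOOPBACK:
            findings.append(("cleartext-exposed",
                             f"{name} listens on {host or 'the default interface'}:{port}"))
    if "SASL_SSL" in listeners:
        adv_host = advertised.get("SASL_SSL", ("", ""))[0].lower()
        # Clients reconnect to the advertised host, so it must be reachable
        # and must be the name the certificate was issued for.
        if adv_host in UNROUTABLE:
            findings.append(("advertised-unreachable",
                             f"SASL_SSL advertises '{adv_host}' to external clients"))
        elif adv_host != public_hostname.lower():
            findings.append(("advertised-mismatch",
                             f"advertised '{adv_host}', expected '{public_hostname}'"))
        if not props.get("authorizer.class.name"):
            findings.append(("acls-off", "no authorizer.class.name, ACLs not enforced"))
    return findings

def codes(findings):
    return [code for code, _ in findings]

# Constructed sample configurations (raw string keeps the trailing backslashes).
GOOD = r"""
listeners=PLAINTEXT://localhost:9092,SASL_SSL://0.0.0.0:9093
advertised.listeners=PLAINTEXT://localhost:9092,SASL_SSL://cc.example.com:9093
sasl.enabled.mechanisms=PLAIN
listener.name.sasl_ssl.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
  username="admin" \
  password="constructed-admin-pw" \
  user_admin="constructed-admin-pw" \
  user_client="constructed-client-pw";
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
super.users=User:admin
"""
BAD = """
listeners=PLAINTEXT://0.0.0.0:9092,SASL_SSL://0.0.0.0:9093
advertised.listeners=PLAINTEXT://localhost:9092,SASL_SSL://localhost:9093
"""

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_broker_config(text, "cc.example.com"))
```
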

Setting Up Access Control Lists (ACLs)

Turning On ACLs on localhost

WARNING: We must first set up ACLs for localhost, so that Control Center itself can still access Kafka. If this is not done, things will break.

    ######### ACLs entries for anonymous users
    /usr/lib/kafka/bin/kafka-acls.sh \
        --authorizer kafka.security.authorizer.AclAuthorizer \
        --authorizer-properties zookeeper.connect=localhost:2181 \
        --add --allow-principal User:ANONYMOUS --allow-host 127.0.0.1 --cluster
    /usr/lib/kafka/bin/kafka-acls.sh \
        --authorizer kafka.security.authorizer.AclAuthorizer \
        --authorizer-properties zookeeper.connect=localhost:2181 \
        --add --allow-principal User:ANONYMOUS --allow-host 127.0.0.1 --topic '*'
    /usr/lib/kafka/bin/kafka-acls.sh \
        --authorizer kafka.security.authorizer.AclAuthorizer \
        --authorizer-properties zookeeper.connect=localhost:2181 \
        --add --allow-principal User:ANONYMOUS --allow-host 127.0.0.1 --group '*'

We then need to enable ACLs for external read-only access, so that external users are allowed to read the paa.public.* topics.

NOTE: For more fine-grained control, please refer to the official Kafka documentation.

    ######### ACLs entries for external users
    /usr/lib/kafka/bin/kafka-acls.sh \
        --authorizer kafka.security.authorizer.AclAuthorizer \
        --authorizer-properties zookeeper.connect=localhost:2181 \
        --add --allow-principal 'User:*' --operation read --operation describe \
        --group 'NCC'
    /usr/lib/kafka/bin/kafka-acls.sh \
        --authorizer kafka.security.authorizer.AclAuthorizer \
        --authorizer-properties zookeeper.connect=localhost:2181 \
        --add --allow-principal 'User:*' --operation read --operation describe \
        --topic paa.public. --resource-pattern-type prefixed

Once done with this, you need to restart the services:

    sudo ncc services restart

To verify that a client can establish a secure connection, run the following command on an external client computer (not on the Control Center server). Below, PUBLIC_HOSTNAME is the Control Center hostname:

    openssl s_client -debug -connect ${PUBLIC_HOSTNAME}:9093 -tls1_2 | grep "Secure Renegotiation IS supported"

In the command output you should see the server certificate as well as the following:

    Secure Renegotiation IS supported

To ensure that internal services have been granted access to the Kafka server, please check the following log files:

  • /var/log/kafka/server.log
  • /var/log/kafka/kafka-authorizer.log

Validating External Client Connectivity

kafkacat

NOTE: These instructions are to be run on a client computer (not on the Control Center server).
NOTE: To display metrics information, ensure that at least one monitor is running in Control Center.

To verify and validate connectivity as an external client, it is possible to use the kafkacat utility which was installed in the section "Verifying That the Streaming API Works in Control Center" on page 4.
Perform the following steps:

NOTE: Below, CLIENT_USER is the user previously specified in the file /etc/kafka/server.properties in Control Center: namely, user_client and the password set there.
The CA root certificate used to sign the server side SSL certificate must be present on the client.

Create a file client.properties with the following content:

    security.protocol=SASL_SSL
    ssl.ca.location={PATH_TO_CA_CERT}
    sasl.mechanisms=PLAIN
    sasl.username={CLIENT_USER}
    sasl.password={CLIENT_PASSWORD}

where

  • {PATH_TO_CA_CERT} is the location of the CA root certificate used by the Kafka broker
  • {CLIENT_USER} and {CLIENT_PASSWORD} are the user credentials for the client.

Run the following command to see the message consumed by kafkacat:

    export KAFKA_FQDN=<Control Center hostname>
    export METRICS_TOPIC=paa.public.accounts.<account short name>.metrics
    kafkacat -b ${KAFKA_FQDN}:9093 -F client.properties -t ${METRICS_TOPIC} -C -e

where {METRICS_TOPIC} is the name of the Kafka topic with prefix "paa.public.".

NOTE: Older versions of kafkacat do not provide the -F option for reading the client settings from a file. If you are using such a version, you must provide the same settings from the command line as shown below.

    kafkacat -b ${KAFKA_FQDN}:9093 \
        -X security.protocol=SASL_SSL \
        -X ssl.ca.location={PATH_TO_CA_CERT} \
        -X sasl.mechanisms=PLAIN \
        -X sasl.username={CLIENT_USER} \
        -X sasl.password={CLIENT_PASSWORD} \
        -t ${METRICS_TOPIC} -C -e

To debug the connectivity, you can use the -d option:

    # Debug consumer communications
    kafkacat -d consumer -b ${KAFKA_FQDN}:9093 -F client.properties -t ${METRICS_TOPIC} -C -e
    # Debug broker communications
    kafkacat -d broker -b ${KAFKA_FQDN}:9093 -F client.properties -t ${METRICS_TOPIC} -C -e

Be sure to refer to the documentation for the Kafka client library in use, as the properties may differ from those in client.properties.

Message Format
The messages used for the metrics and metadata topics are serialized in the Protocol buffers (protobuf) format (see developers.google.com/protocol-buffers). The schemas for these messages adhere to the following format:

Metrics Protobuf Schema

    syntax = "proto3";
    import "google/protobuf/timestamp.proto";
    package paa.streamingapi;
    option go_package = ".;paa_streamingapi";
    message Metrics {
      google.protobuf.Timestamp timestamp = 1;
      map<string, MetricValue> values = 2;
      int32 stream_id = 3;
    }
    /**
     * A metric value can be either an integer or a float.
     */
    message MetricValue {
      oneof type {
        int64 int_val = 1;
        float float_val = 2;
      }
    }

Metadata Protobuf Schema

    syntax = "proto3";
    package paa.streamingapi;
    option go_package = ".;paa_streamingapi";
    message Metadata {
      int32 stream_id = 1;
      string stream_name = 2;
      map<string, string> tags = 13;
    }

Client Examples

NOTE: These commands are intended to run on an external client, for example your laptop or similar, and not in Control Center.
NOTE: To have metrics information displayed, ensure that at least one monitor is running in Control Center.

The Control Center tarball includes the archive paa-streaming-api-client-examples.tar.gz (client-examples), which contains an example Python script showing how to use the Streaming API.

Installing and Configuring Client Examples
You find client-examples in the Paragon Active Assurance Control Center folder:

    export CC_VERSION=4.1.0
    cd ./paa-control-center_${CC_VERSION}
    ls paa-streaming-api-client-examples*

To install client-examples on your external client computer, proceed as follows:

    # Create directory for extracting the content of the client examples tarball
    mkdir paa-streaming-api-client-examples
    # Extract the content of the client examples tarball
    tar xzf paa-streaming-api-client-examples.tar.gz -C paa-streaming-api-client-examples
    # Go to the newly created directory
    cd paa-streaming-api-client-examples

client-examples requires Docker to run. Downloads and installation instructions for Docker can be found at https://docs.docker.com/engine/install.

Using Client Examples
The client-examples tools can run in either basic or advanced mode to build examples of varying complexity. In both cases, it is also possible to run the examples with a configuration file containing additional properties for further customization of the client side.

Basic Mode
In basic mode, the metrics and their metadata are streamed separately. To this end, the client listens to each Kafka topic available for external access and simply prints the received messages to the console.
To start execution of the basic examples, run:

    ./build.sh run-basic --kafka-brokers localhost:9092 --account ACCOUNT_SHORTNAME

where ACCOUNT_SHORTNAME is the short name of the account you want to get the metrics from.
To terminate the execution of the example, press Ctrl + C. (There may be a slight delay before the execution stops because the client waits for a timeout event.)

Advanced Mode

NOTE: Metrics are displayed only for HTTP monitors running in Control Center.

Execution in advanced mode shows the correlation between metrics and metadata messages. This is possible thanks to the presence in each metrics message of a stream id field which refers to the corresponding metadata message.
To execute the advanced examples, run:

    ./build.sh run-advanced --kafka-brokers localhost:9092 --account ACCOUNT_SHORTNAME

where ACCOUNT_SHORTNAME is the short name of the account you want to get the metrics from.
To terminate the execution of the example, press Ctrl + C. (There may be a slight delay before the execution stops because the client waits for a timeout event.)
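
The stream id correlation described for advanced mode, worked through against the two schemas in the Message Format section, as an added example (not the Python script shipped in client-examples): a standard-library decoder for the protobuf wire format that joins each Metrics message to its Metadata message by stream_id. The sample byte strings, metric names and function names are constructed for illustration, and the code assumes each Kafka message value holds exactly one serialized message.

```python
import struct

def read_varint(buf, pos):
    """Decode one base-128 varint at pos; return (value, next_pos)."""
    value = shift = 0
    while pos < len(buf):
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")
    raise ValueError("truncated varint")

def signed(value):                         # negatives arrive as 64-bit two's complement
    return value - (1 << 64) if value >= 1 << 63 else value

def fields(buf):
    """Yield (field_number, wire_type, value) for each field of one message."""
    pos = 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        number, wire = tag >> 3, tag & 7
        if wire == 0:                      # varint
            value, pos = read_varint(buf, pos)
        elif wire in (1, 5):               # fixed 64-bit / fixed 32-bit
            size = 8 if wire == 1 else 4
            value, pos = buf[pos:pos + size], pos + size
        elif wire == 2:                    # length-delimited
            size, pos = read_varint(buf, pos)
            value, pos = buf[pos:pos + size], pos + size
        else:
            raise ValueError(f"unsupported wire type {wire}")
        if pos > len(buf):
            raise ValueError("field runs past end of message")
        yield number, wire, value

def decode_metric_value(buf):
    """MetricValue oneof: int_val = 1 (int64) or float_val = 2 (float)."""
    for number, wire, value in fields(buf):
        if number == 1 and wire == 0:
            return signed(value)
        if number == 2 and wire == 5:
            return struct.unpack("<f", value)[0]
    return None                            # oneof left unset

def decode_map_entry(buf, decode_value):
    """A protobuf map is a repeated message with key = 1 and value = 2."""
    key, value = "", None
    for number, wire, raw in fields(buf):
        if number == 1 and wire == 2:
            key = raw.decode("utf-8")
        elif number == 2 and wire == 2:
            value = decode_value(raw)
    return key, value

def decode_metrics(buf):
    msg = {"timestamp": None, "values": {}, "stream_id": 0}
    for number, wire, value in fields(buf):
        if number == 1 and wire == 2:      # google.protobuf.Timestamp
            ts = {n: v for n, w, v in fields(value) if w == 0}
            msg["timestamp"] = signed(ts.get(1, 0)) + ts.get(2, 0) / 1e9
        elif number == 2 and wire == 2:
            key, metric = decode_map_entry(value, decode_metric_value)
            msg["values"][key] = metric
        elif number == 3 and wire == 0:
            msg["stream_id"] = signed(value)
    return msg

def decode_metadata(buf):
    msg = {"stream_id": 0, "stream_name": "", "tags": {}}
    for number, wire, value in fields(buf):
        if number == 1 and wire == 0:
            msg["stream_id"] = signed(value)
        elif number == 2 and wire == 2:
            msg["stream_name"] = value.decode("utf-8")
        elif number == 13 and wire == 2:
            key, tag = decode_map_entry(value, lambda raw: raw.decode("utf-8"))
            msg["tags"][key] = tag
    return msg

def correlate(metadata_msgs, metrics_msgs):
    """Join metrics to metadata on stream_id; name is None if metadata is unseen."""
    names = {m["stream_id"]: m["stream_name"]
             for m in map(decode_metadata, metadata_msgs)}
    return [(names.get(m["stream_id"]), m["values"])
            for m in map(decode_metrics, metrics_msgs)]

# Constructed sample payloads (not captured from a real Control Center).
SAMPLE_METADATA = (b"\x08\x07" b"\x12\x0c" b"http-monitor"
                   b"\x6a\x0f" b"\x0a\x07" b"account" b"\x12\x04" b"demo")
SAMPLE_METRICS = (b"\x0a\x06\x08\x80\x95\xc4\xa0\x06"   # 2023-03-15T00:00:00Z
                  b"\x12\x0f" b"\x0a\x06" b"rtt_ms" b"\x12\x05\x15\x00\x00\xc0\x3f"
                  b"\x12\x0c" b"\x0a\x06" b"errors" b"\x12\x02\x08\x02"
                  b"\x18\x07")
SAMPLE_ORPHAN = b"\x12\x0c" b"\x0a\x06" b"errors" b"\x12\x02\x08\x00" b"\x18\x09"
```

Because the metadata topic updates far less often than the metrics topic, a consumer can see a stream_id before its metadata arrives; correlate() returns None for the name in that case instead of dropping the sample.
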

Additional Settings
It is possible to run the examples with additional configuration of the client using the --config-file option followed by a file name containing properties in the form key=value.

    ./build.sh run-advanced \
        --kafka-brokers localhost:9092 \
        --account ACCOUNT_SHORTNAME \
        --config-file client_config.properties

NOTE: All files referenced in the command above must be located in the current directory and referred to using only relative paths. This applies both to the --config-file argument and to all entries in the configuration file that describe file locations.

Validating External Client Authentication
To validate client authentication from outside the Control Center using client-examples, perform the following steps:

From the Paragon Active Assurance Control Center folder, switch to the paa-streaming-api-client-examples folder:

    cd paa-streaming-api-client-examples

  • Copy the CA root certificate ca-cert into the current directory.
  • Create a client.properties file with the following content:

    security.protocol=SASL_SSL
    ssl.ca.location=ca-cert
    sasl.mechanism=PLAIN
    sasl.username={CLIENT_USER}
    sasl.password={CLIENT_PASSWORD}

where {CLIENT_USER} and {CLIENT_PASSWORD} are the user credentials for the client.

Run basic examples:

    export KAFKA_FQDN=<Control Center hostname>
    ./build.sh run-basic --kafka-brokers ${KAFKA_FQDN}:9093 \
        --account ACCOUNT_SHORTNAME \
        --config-file client.properties

where ACCOUNT_SHORTNAME is the short name of the account you want to get the metrics from.

Run advanced examples:

    export KAFKA_FQDN=<Control Center hostname>
    ./build.sh run-advanced --kafka-brokers ${KAFKA_FQDN}:9093 \
        --account ACCOUNT_SHORTNAME \
        --config-file client.properties

Appendix

In this appendix we describe how to create:

  • a keystore file for storing the Kafka broker SSL certificate
  • a truststore file for storing the Certificate Authority (CA) root certificate used to sign the Kafka broker certificate.

Creating a Kafka Broker Certificate
Creating a Certificate Using a Real Certificate Authority (Recommended)
It is recommended that you get a real SSL certificate from a trusted CA.
Once you have decided on a CA, copy their CA root certificate ca-cert file to your own path as shown below:

    export CA_PATH=~/my-ca
    mkdir ${CA_PATH}
    cp ca-cert ${CA_PATH}

Create Your Own Certificate Authority

NOTE: Normally you should have your certificate signed by a real Certificate Authority; see the preceding subsection. What follows is just an example.

Here we create our own Certificate Authority (CA) root certificate file valid for 999 days (not recommended in production):

    # Create a directory for storing the CA
    export CA_PATH=~/my-ca
    mkdir ${CA_PATH}
    # Generate the CA certificate
    openssl req -new -x509 -keyout ${CA_PATH}/ca-key -out ${CA_PATH}/ca-cert -days 999

Creating the Client Truststore
Now you can create a truststore file that contains the ca-cert generated above. This file will be needed by the Kafka client that will access the Streaming API:

    keytool -keystore kafka.client.truststore.jks \
        -alias CARoot \
        -importcert -file ${CA_PATH}/ca-cert

Now that the CA certificate is in the truststore, the client will trust any certificate signed with it.
You should copy the file kafka.client.truststore.jks to a known location on your client computer and point to it in the settings.

Creating the Keystore for the Kafka Broker
To generate the Kafka broker SSL certificate and then the keystore kafka.server.keystore.jks, proceed as follows:

Generating the SSL Certificate
Below, 999 is the number of days of validity of the keystore, and FQDN is the fully qualified domain name of the client (public host name of the node).

NOTE: It is important that the FQDN matches the exact hostname that the Kafka client will use to connect to the Control Center.

    sudo mkdir -p /var/ssl/private
    sudo chown -R $USER: /var/ssl/private
    cd /var/ssl/private
    export FQDN=<Control Center hostname>
    keytool -keystore kafka.server.keystore.jks \
        -alias server \
        -validity 999 \
        -genkey -keyalg RSA -ext SAN=dns:${FQDN}

Create a certificate signing request and store it in the file named cert-server-request:

    keytool -keystore kafka.server.keystore.jks \
        -alias server \
        -certreq \
        -file cert-server-request

You should now send the file cert-server-request to your Certificate Authority (CA) if you are using a real one. They will then return the signed certificate. We will refer to this as cert-server-signed below.

Signing the SSL Certificate Using a Self-Created CA Certificate

NOTE: Again, using your own CA is not recommended in a production system.

Sign the certificate using the CA by means of the file cert-server-request, which produces the signed certificate cert-server-signed. See below; ca-password is the password set when creating the CA certificate.

    cd /var/ssl/private
    openssl x509 -req \
        -CA ${CA_PATH}/ca-cert \
        -CAkey ${CA_PATH}/ca-key \
        -in cert-server-request \
        -out cert-server-signed \
        -days 999 -CAcreateserial \
        -passin pass:{ca-password}

Importing the Signed Certificate into the Keystore

Import the ca-cert root certificate into the keystore:

    keytool -keystore kafka.server.keystore.jks \
        -alias ca-cert \
        -import \
        -file ${CA_PATH}/ca-cert

Import the signed certificate referred to as cert-server-signed:

    keytool -keystore kafka.server.keystore.jks \
        -alias server \
        -import \
        -file cert-server-signed

The file kafka.server.keystore.jks should be copied to a known location on the Control Center server, and then referred to in /etc/kafka/server.properties.

Using the Streaming API

IN THIS SECTION

  • General
  • Kafka Topic Names
  • Examples of Using the Streaming API

General
The streaming API fetches both test and monitor data. It is not possible to single out one of these categories.
The streaming API does not fetch data from script-based tests (those represented by a rectangle instead of a jigsaw piece in the Control Center GUI), such as Ethernet service activation tests and transparency tests.

Kafka Topic Names
The Kafka topic names for the streaming API are as follows, where %s is the short name of the Control Center account (indicated when creating the account):

    const (
        exporterName     = "kafka"
        metadataTopicTpl = "paa.public.accounts.%s.metadata"
        metricsTopicTpl  = "paa.public.accounts.%s.metrics"
    )

Examples of Using the Streaming API
The examples that follow are found in the tarball paa-streaming-api-client-examples.tar.gz contained within the Control Center tarball.
First, there is a basic example demonstrating how the metrics and their metadata are streamed separately; it simply prints the received messages to the console. You can run it as follows:

    sudo ./build.sh run-basic --kafka-brokers localhost:9092 --account ACCOUNT_SHORTNAME

There is also a more advanced example where metrics and metadata messages are correlated. Use this command to run it:

    sudo ./build.sh run-advanced --kafka-brokers localhost:9092 --account ACCOUNT_SHORTNAME

You need to use sudo to run Docker commands such as the ones above. Optionally, you can follow the Linux post-installation steps to be able to run Docker commands without sudo. For details, go to docs.docker.com/engine/install/linux-postinstall.

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Copyright © 2023 Juniper Networks, Inc. All rights reserved.
