Juniper NETWORKS Streaming API Software

Product Information

Specifications

  • Product Name: Paragon Active Assurance
  • Version: 4.1
  • Published Date: 2023-03-15

Introduction:
This guide provides instructions on how to extract data from Paragon Active Assurance using the product's streaming API. The streaming client and API are included in the Paragon Active Assurance installation, but some configuration is required before using the API. The configuration process is covered in the section "Configuring the Streaming API".

Configuring the Streaming API:
The following steps outline the process for configuring the streaming API:

Overview
Kafka is an event-streaming platform designed for real-time capture and storage of data from various sources. It enables management of event streams in a distributed, scalable, fault-tolerant, and secure manner. This guide focuses on configuring Kafka to use the Streaming API feature in Paragon Active Assurance Control Center.

Terminology
The Streaming API allows external clients to retrieve metrics information from Kafka. Metrics collected by Test Agents during a test or monitoring task are sent to the Stream service. After processing, the Stream service publishes these metrics on Kafka together with additional metadata.

Kafka Topics
The Streaming API uses Kafka topics to organize and store metrics and metadata. Kafka topics can be created and managed according to specific requirements.

Enabling the Streaming API
To enable the Streaming API, follow these steps:

  1. Run the following commands on the Control Center server using sudo:
    KAFKA_METRICS_ENABLED = True
    sudo ncc services enable timescaledb metrics
    sudo ncc services start timescaledb metrics
    sudo ncc services restart

Verifying That the Streaming API Works in Control Center:
To verify that you are receiving metrics on the correct Kafka topics:

  1. Install the kafkacat utility with the following commands:
    sudo apt-get update
    sudo apt-get install kafkacat
  2. Replace "myaccount" with the short name of your account in the Control Center URL:
    export METRICS_TOPIC=paa.public.accounts.myaccount.metrics
    export METADATA_TOPIC=paa.public.accounts.myaccount.metadata
  3. Run the following command to view metrics:
    kafkacat -b ${KAFKA_FQDN}:9092 -t ${METRICS_TOPIC} -C -e
    Note: The above command will display the metrics.
  4. To view metadata, run the following command:
    kafkacat -b ${KAFKA_FQDN}:9092 -t ${METADATA_TOPIC} -C -e

Note: The above command will display metadata, but it will not update as frequently.

Client Examples
For client examples and further information, refer to page 14 of the user manual.

FAQ (Frequently Asked Questions)

  • Q: What is Paragon Active Assurance?
    A: Paragon Active Assurance is a product that provides monitoring and testing capabilities.
  • Q: What is the Streaming API?
    A: The Streaming API is a feature in Paragon Active Assurance that allows external clients to retrieve metrics information from Kafka.
  • Q: How do I enable the Streaming API?
    A: To enable the Streaming API, follow the steps outlined in the section "Enabling the Streaming API" of the user manual.
  • Q: How can I verify that the Streaming API is working?
    A: Refer to the section "Verifying That the Streaming API Works in Control Center" for instructions on how to verify that the Streaming API is working.

Introduction

This guide describes how to extract data from Paragon Active Assurance using the product's streaming API.
The API as well as the streaming client are included in the Paragon Active Assurance installation. However, a bit of configuration is needed before you can use the API. This is covered in the chapter "Configuring the Streaming API" on page 1.

Overview
This chapter describes how to configure the Streaming API to allow subscribing to metrics messages via Kafka.
Below we will go through:

  • How to enable the Streaming API
  • How to configure Kafka to listen to external clients
  • How to configure Kafka to use ACLs and set up SSL encryption for said clients

What Is Kafka?
Kafka is an event-streaming platform that allows real-time capture of data sent from various event sources (sensors, databases, mobile devices) in the form of event streams, as well as durable storing of these event streams for later retrieval and manipulation.
With Kafka it is possible to manage the event streaming end-to-end in a distributed, highly scalable, elastic, fault-tolerant, and secure manner.

NOTE: Kafka can be configured in many different ways and was designed for scalability and redundant systems. This document focuses only on how to configure it to make use of the Streaming API feature found in Paragon Active Assurance Control Center. For more advanced setups we refer to the official Kafka documentation: kafka.apache.org/26/documentation.html.

Terminology

  • Kafka: Event-streaming platform.
  • Kafka topic: Collection of events.
  • Kafka subscriber/consumer: Component responsible for retrieval of events stored in a Kafka topic.
  • Kafka broker: Storage layer server of a Kafka cluster.
  • SSL/TLS: SSL is a secure protocol developed for sending information securely over the Internet. TLS is the successor of SSL, introduced in 1999.
  • SASL: Framework that provides mechanisms for user authentication, data integrity checking, and encryption.
  • Streaming API subscriber: Component responsible for retrieval of events stored in topics defined in Paragon Active Assurance and meant for external access.
  • Certificate Authority: A trusted entity that issues and revokes public key certificates.
  • Certificate Authority root certificate: Public key certificate that identifies a Certificate Authority.

How the Streaming API Works
As previously mentioned, the Streaming API allows external clients to retrieve information about metrics from Kafka.

All metrics collected by the Test Agents during a test or monitoring task are sent to the Stream service. After a processing phase, the Stream service publishes those metrics on Kafka together with additional metadata.

Kafka Topics
Kafka has the concept of topics to which all data is published. In Paragon Active Assurance there are many such Kafka topics available; however, only a subset of these are meant for external access.
Each Paragon Active Assurance account in Control Center has two dedicated topics. Below, ACCOUNT is the account short name:

  • paa.public.accounts.{ACCOUNT}.metrics
    • All metrics messages for the given account are published to this topic
    • Large amounts of data
    • High update frequency
  • paa.public.accounts.{ACCOUNT}.metadata
    • Contains metadata related to the metrics data, for example the test, monitor or Test Agent associated with the metrics
    • Small amounts of data
    • Low update frequency

Enabling the Streaming API

NOTE: These instructions are to be run on the Control Center server using sudo.

Since the Streaming API adds some overhead to the Control Center, it is not enabled by default. To enable the API, we must first enable publishing of metrics to Kafka in the main configuration file:

    KAFKA_METRICS_ENABLED = True

WARNING: Enabling this feature might impact Control Center performance. Make sure you have dimensioned your instance accordingly.

Next, to enable forwarding of these metrics to the correct Kafka topics:

    streaming-api: true

To enable and start the Streaming API services, run:

    sudo ncc services enable timescaledb metrics
    sudo ncc services start timescaledb metrics

Finally, restart the services:

    sudo ncc services restart

Verifying That the Streaming API Works in Control Center

NOTE: These instructions are to be run on the Control Center server.

You can now verify that you are receiving metrics on the correct Kafka topics. To do so, install the kafkacat utility:

    sudo apt-get update
    sudo apt-get install kafkacat

If you have a test or monitor running in Control Center, you should be able to use kafkacat to receive metrics and metadata on these topics.
Replace myaccount with the short name of your account (this is what you see in your Control Center URL):

    export METRICS_TOPIC=paa.public.accounts.myaccount.metrics
    export METADATA_TOPIC=paa.public.accounts.myaccount.metadata

You should now see metrics by running this command:

    kafkacat -b ${KAFKA_FQDN}:9092 -t ${METRICS_TOPIC} -C -e

To view metadata, run the following command (note that this will not update as frequently):

    kafkacat -b ${KAFKA_FQDN}:9092 -t ${METADATA_TOPIC} -C -e

NOTE:
kafkacat "Client Examples" on page 14

This verifies that we have a working Streaming API from within Control Center. However, most likely you are interested in accessing the data from an external client instead. The next section describes how to open up Kafka for external access.

Opening Up Kafka for External Hosts

NOTE: These instructions are to be run on the Control Center server.

By default, Kafka running on the Control Center is configured to listen only on localhost for internal use. It is possible to open up Kafka for external clients by modifying the Kafka settings.

Connecting to Kafka: Caveats

WARNING: Please read this carefully, since it is easy to run into connection issues with Kafka if you have not understood these concepts.

In the Control Center setup described in this document, there is only a single Kafka broker.
However, note that a Kafka broker is meant to run as part of a Kafka cluster which may consist of many Kafka brokers.
When connecting to a Kafka broker, an initial connection is set up by the Kafka client. Over this connection the Kafka broker will return a list of "advertised listeners", which is a list of one or more Kafka brokers.
On receiving this list, the Kafka client will disconnect, then reconnect to one of these advertised listeners. The advertised listeners must contain hostnames or IP addresses that are accessible to the Kafka client, or the client will fail to connect.
If SSL encryption is used, involving an SSL certificate which is tied to a particular hostname, it is even more important that the Kafka client receives the correct address to connect to, since otherwise the connection may be rejected.
Read more about Kafka listeners here: www.confluent.io/blog/kafka-listeners-explained

SSL/TLS Encryption
To make sure only trusted clients are allowed to access Kafka and the Streaming API, we must configure the following:

  • Authentication: Clients must provide username and password through an SSL/TLS secure connection between the client and Kafka.
  • Authorization: Authenticated clients can perform tasks regulated by ACLs.

Here is an overview:

[Figure: overview diagram]

*) Username/password authentication performed on an SSL-encrypted channel

To fully understand how the SSL/TLS encryption works for Kafka, please refer to the official documentation: docs.confluent.io/platform/current/kafka/encryption.html

SSL/TLS Certificate Overview

NOTE: In this subsection we will use the following terminology:

Certificate: An SSL certificate signed by a Certificate Authority (CA). Each Kafka broker has one.
Keystore: The keystore file that stores the certificate. The keystore file contains the private key of the certificate; therefore, it needs to be stored safely.
Truststore: A file containing the trusted CA certificates.

To set up the authentication between an external client and Kafka running in Control Center, both sides must have a keystore defined with a related certificate signed by a Certificate Authority (CA) together with the CA root certificate.
In addition to this, the client must also have a truststore with the CA root certificate.
The CA root certificate is common to the Kafka broker and the Kafka client.

Creating the Required Certificates
This is covered in the "Appendix" on page 17.

Kafka Broker SSL/TLS Configuration in Control Center

NOTE: These instructions are to be run on the Control Center server.

NOTE: Before continuing, you must create the keystore which contains the SSL certificate by following the instructions in the "Appendix" on page 17. The paths mentioned below come from these instructions.
The SSL keystore is a file stored on disk with the file extension .jks.

Once you have the required certificates created for both the Kafka broker and the Kafka client available, you can continue by configuring the Kafka broker running in Control Center. You need to know the following:

  • : The public hostname of Control Center; this must be resolvable and accessible by Kafka clients.
  • : The keystore password provided when creating the SSL certificate.
  • and : These are the passwords you want to set for the admin and client user respectively. Note that you can add more users, as indicated in the example.

Edit or append (with sudo access) the properties below in /etc/kafka/server.properties, inserting the above variables as shown:

WARNING: Do not remove PLAINTEXT://localhost:9092; this will break Control Center functionality since internal services will not be able to communicate.

    # The addresses that the Kafka broker listens on.
    listeners=PLAINTEXT://localhost:9092,SASL_SSL://0.0.0.0:9093
    # These are the hosts advertised back to any client connecting.
    advertised.listeners=PLAINTEXT://localhost:9092,SASL_SSL:// :9093
    …
    ####### CUSTOM CONFIG
    # SSL CONFIGURATION
    ssl.endpoint.identification.algorithm=
    ssl.keystore.location=/var/ssl/private/kafka.server.keystore.jks
    ssl.keystore.password=
    ssl.key.password=
    ssl.client.auth=none
    ssl.protocol=TLSv1.2
    # SASL configuration
    sasl.enabled.mechanisms=PLAIN
    listener.name.sasl_ssl.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
    username="admin" \
    password=" " \
    user_admin=" " \
    user_client=" ";
    # NOTE more users can be added with user_ =
    # Authorization, turn on ACLs
    authorizer.class.name=kafka.security.authorizer.AclAuthorizer
    super.users=User:admin
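An added example, not part of the Juniper guide: a Python check that reads the text of a server.properties file and flags deviations from the listener, TLS and ACL settings described above. The hostname cc.example.com, the passwords, the finding codes and both sample configurations are constructed for illustration.

```python
import re

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def parse_properties(text):
    """Parse Java .properties text; a trailing backslash continues the line."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def parse_listeners(value):
    """Turn 'NAME://host:port,...' into {NAME: (host, port)}; host may be empty."""
    found = {}
    for item in value.split(","):
        match = re.fullmatch(r"(\w+)://(.*):(\d+)", item.strip())
        if match:
            found[match.group(1)] = (match.group(2).strip(), int(match.group(3)))
    return found

def audit(text):
    """Return (code, message) findings; an empty list means nothing was flagged."""
    props = parse_properties(text)
    listeners = parse_listeners(props.get("listeners", ""))
    advertised = parse_listeners(props.get("advertised.listeners", ""))
    findings, external = [], []
    if "PLAINTEXT" not in listeners:
        findings.append(("NO_INTERNAL_LISTENER",
                         "PLAINTEXT listener removed; internal services cannot connect"))
    for name, (host, port) in listeners.items():
        if host in LOOPBACK:
            continue                      # loopback-only listeners stay internal
        if name == "SASL_SSL":
            external.append(name)
        else:
            findings.append(("EXPOSED_WITHOUT_AUTH",
                             f"{name} on {host or 'all interfaces'}:{port} lacks TLS and SASL"))
    for name in external:
        host = advertised.get(name, ("", 0))[0]
        if host in LOOPBACK or host in ("", "0.0.0.0"):
            findings.append(("ADVERTISED_UNREACHABLE",
                             f"{name} advertises '{host}', which external clients cannot reach"))
    if external:
        if not props.get("authorizer.class.name"):
            findings.append(("NO_ACL", "external listener is open but ACLs are not enabled"))
        if not props.get("ssl.keystore.location"):
            findings.append(("NO_KEYSTORE", "ssl.keystore.location is not set"))
        if props.get("ssl.protocol", "TLSv1.2") not in ("TLSv1.2", "TLSv1.3"):
            findings.append(("WEAK_TLS", f"ssl.protocol={props['ssl.protocol']}"))
    return findings

# Constructed sample following the guide's layout (hostname and passwords are made up).
GOOD_CONFIG = r"""
listeners=PLAINTEXT://localhost:9092,SASL_SSL://0.0.0.0:9093
advertised.listeners=PLAINTEXT://localhost:9092,SASL_SSL://cc.example.com:9093
ssl.keystore.location=/var/ssl/private/kafka.server.keystore.jks
ssl.protocol=TLSv1.2
sasl.enabled.mechanisms=PLAIN
listener.name.sasl_ssl.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
username="admin" \
password="constructed-admin-pw" \
user_admin="constructed-admin-pw" \
user_client="constructed-client-pw";
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
super.users=User:admin
"""

# Constructed weak variant: plaintext on all interfaces, empty advertised host, no ACLs.
WEAK_CONFIG = """
listeners=PLAINTEXT://0.0.0.0:9092,SASL_SSL://0.0.0.0:9093
advertised.listeners=PLAINTEXT://localhost:9092,SASL_SSL://:9093
ssl.protocol=TLSv1.1
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit(cfg))
```

On a real Control Center host, pass the contents of /etc/kafka/server.properties to audit(); the file holds the SASL passwords, so read it with the same care as the keystore.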

Setting up Access Control Lists (ACLs)

Turning On ACLs on localhost

WARNING: We must first set up ACLs for localhost, so that Control Center itself can still access Kafka. If this is not done, things will break.

    ######### ACLs entries for anonymous users
    /usr/lib/kafka/bin/kafka-acls.sh \
    --authorizer kafka.security.authorizer.AclAuthorizer \
    --authorizer-properties zookeeper.connect=localhost:2181 \
    --add --allow-principal User:ANONYMOUS --allow-host 127.0.0.1 --cluster
    /usr/lib/kafka/bin/kafka-acls.sh \
    --authorizer kafka.security.authorizer.AclAuthorizer \
    --authorizer-properties zookeeper.connect=localhost:2181 \
    --add --allow-principal User:ANONYMOUS --allow-host 127.0.0.1 --topic '*'
    /usr/lib/kafka/bin/kafka-acls.sh \
    --authorizer kafka.security.authorizer.AclAuthorizer \
    --authorizer-properties zookeeper.connect=localhost:2181 \
    --add --allow-principal User:ANONYMOUS --allow-host 127.0.0.1 --group '*'

We then need to enable ACLs for external read-only access, so that external users are allowed to read the paa.public.* topics.

NOTE: For more fine-grained control, please refer to the official Kafka documentation.

    ######### ACLs entries for external users
    /usr/lib/kafka/bin/kafka-acls.sh \
    --authorizer kafka.security.authorizer.AclAuthorizer \
    --authorizer-properties zookeeper.connect=localhost:2181 \
    --add --allow-principal 'User:*' --operation read --operation describe \
    --group 'NCC'
    /usr/lib/kafka/bin/kafka-acls.sh \
    --authorizer kafka.security.authorizer.AclAuthorizer \
    --authorizer-properties zookeeper.connect=localhost:2181 \
    --add --allow-principal 'User:*' --operation read --operation describe \
    --topic paa.public. --resource-pattern-type prefixed

Once done with this, you need to restart the services:

    sudo ncc services restart

To verify that a client can establish a secure connection, run the following command on an external client computer (not on the Control Center server). Below, PUBLIC_HOSTNAME is the Control Center hostname:

    openssl s_client -debug -connect ${PUBLIC_HOSTNAME}:9093 -tls1_2 | grep "Secure Renegotiation IS supported"

In the command output you should see the server certificate as well as the following:

    Secure Renegotiation IS supported

To ensure that internal services have been granted access to the Kafka server, please check the following log files:

  • /var/log/kafka/server.log
  • /var/log/kafka/kafka-authorizer.log

Validating External Client Connectivity

kafkacat

NOTE: These instructions are to be run on a client computer (not on the Control Center server).
NOTE: To display metrics information, ensure that at least one monitor is running in Control Center.

To verify and validate connectivity as an external client, it is possible to use the kafkacat utility which was installed in the section "Verifying That the Streaming API Works in Control Center" on page 4.
Perform the following steps:

NOTE: Below, CLIENT_USER is the user previously specified in the file /etc/kafka/server.properties in Control Center: namely, user_client and the password set there.
The CA root certificate used to sign the server-side SSL certificate must be present on the client.

Create a file client.properties with the following content:

    security.protocol=SASL_SSL
    ssl.ca.location={PATH_TO_CA_CERT}
    sasl.mechanisms=PLAIN
    sasl.username={CLIENT_USER}
    sasl.password={CLIENT_PASSWORD}

where

  • {PATH_TO_CA_CERT} is the location of the CA root certificate used by the Kafka broker
  • {CLIENT_USER} and {CLIENT_PASSWORD} are the user credentials for the client.

Run the following command to see the message consumed by kafkacat:

    export KAFKA_FQDN=
    export METRICS_TOPIC=paa.public.accounts. .metrics
    kafkacat -b ${KAFKA_FQDN}:9093 -F client.properties -t ${METRICS_TOPIC} -C -e

where {METRICS_TOPIC} is the name of the Kafka topic with prefix "paa.public.".

NOTE: Older versions of kafkacat do not provide the -F option for reading the client settings from a file. If you are using such a version, you must provide the same settings from the command line as shown below.

    kafkacat -b ${KAFKA_FQDN}:9093 \
    -X security.protocol=SASL_SSL \
    -X ssl.ca.location={PATH_TO_CA_CERT} \
    -X sasl.mechanisms=PLAIN \
    -X sasl.username={CLIENT_USER} \
    -X sasl.password={CLIENT_PASSWORD} \
    -t ${METRICS_TOPIC} -C -e

To debug the connectivity, you can use the -d option:

    # Debug consumer communications
    kafkacat -d consumer -b ${KAFKA_FQDN}:9093 -F client.properties -t ${METRICS_TOPIC} -C -e
    # Debug broker communications
    kafkacat -d broker -b ${KAFKA_FQDN}:9093 -F client.properties -t ${METRICS_TOPIC} -C -e

Be sure to refer to the documentation for the Kafka client library in use, as the properties may differ from those in client.properties.

Message Format
The messages used for the metrics and metadata topics are serialized in the Protocol buffers (protobuf) format (see developers.google.com/protocol-buffers). The schemas for these messages adhere to the following format:

Metrics Protobuf Schema

    syntax = "proto3";
    import "google/protobuf/timestamp.proto";
    package paa.streamingapi;
    option go_package = ".;paa_streamingapi";
    message Metrics {
      google.protobuf.Timestamp timestamp = 1;
      map<string, MetricValue> values = 2;
      int32 stream_id = 3;
    }
    /**
     * A metric value can be either an integer or a float.
     */
    message MetricValue {
      oneof type {
        int64 int_val = 1;
        float float_val = 2;
      }
    }

Metadata Protobuf Schema

    syntax = "proto3";
    package paa.streamingapi;
    option go_package = ".;paa_streamingapi";
    message Metadata {
      int32 stream_id = 1;
      string stream_name = 2;
      map<string, string> tags = 13;
    }

Client Examples

NOTE: These commands are intended to run on an external client, for example your laptop or similar, and not in Control Center.
NOTE: To have metrics information displayed, ensure that at least one monitor is running in Control Center.

The Control Center tarball includes the archive paa-streaming-api-client-examples.tar.gz (client-examples), which contains an example Python script showing how to use the Streaming API.

Installing and Configuring Client Examples
You find client-examples in the Paragon Active Assurance Control Center folder:

    export CC_VERSION=4.1.0
    cd ./paa-control-center_${CC_VERSION}
    ls paa-streaming-api-client-examples*

To install client-examples on your external client computer, proceed as follows:

    # Create directory for extracting the content of the client examples tarball
    mkdir paa-streaming-api-client-examples
    # Extract the content of the client examples tarball
    tar xzf paa-streaming-api-client-examples.tar.gz -C paa-streaming-api-client-examples
    # Go to the newly created directory
    cd paa-streaming-api-client-examples

client-examples requires Docker to run. Downloads and installation instructions for Docker can be found at https://docs.docker.com/engine/install.

Using Client Examples
The client-examples tools can run in either basic or advanced mode to build examples of varying complexity. In both cases, it is also possible to run the examples with a configuration file containing additional properties for further customization of the client side.

Basic Mode
In basic mode, the metrics and their metadata are streamed separately. To this end, the client listens to each Kafka topic available for external access and simply prints the received messages to the console.
To start execution of the basic examples, run:

    ./build.sh run-basic --kafka-brokers localhost:9092 --account ACCOUNT_SHORTNAME

where ACCOUNT_SHORTNAME is the short name of the account you want to get the metrics from.
To terminate the execution of the example, press Ctrl + C. (There may be a slight delay before the execution stops because the client waits for a timeout event.)

Advanced Mode

NOTE: Metrics are displayed only for HTTP monitors running in Control Center.

Execution in advanced mode shows the correlation between metrics and metadata messages. This is possible thanks to the presence in each metrics message of a stream id field which refers to the corresponding metadata message.
To execute the advanced examples, run:

    ./build.sh run-advanced --kafka-brokers localhost:9092 --account ACCOUNT_SHORTNAME

where ACCOUNT_SHORTNAME is the short name of the account you want to get the metrics from.
To terminate the execution of the example, press Ctrl + C. (There may be a slight delay before the execution stops because the client waits for a timeout event.)
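The schemas under "Message Format" and the stream id correlation that advanced mode relies on, as an added example that is not the script shipped in paa-streaming-api-client-examples: a dependency-free Python decoder for Metrics and Metadata payloads that joins them on stream_id (in practice protoc-generated classes do the decoding). It assumes string map keys, MetricValue values for metrics and string values for tags; the payload bytes, metric names and tag are constructed.

```python
import struct
from datetime import datetime, timezone

def _varint(buf, pos):
    """Decode one base-128 varint at pos; return (unsigned 64-bit value, next pos)."""
    value = shift = 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("truncated or oversized varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value & 0xFFFFFFFFFFFFFFFF, pos
        shift += 7

def _signed(value):
    """Reinterpret an unsigned varint as int32/int64 (two's complement)."""
    return value - (1 << 64) if value >> 63 else value

def _fields(buf):
    """Yield (field number, wire type, raw value) for each field of one message."""
    pos = 0
    while pos < len(buf):
        key, pos = _varint(buf, pos)
        number, wire = key >> 3, key & 7
        if wire == 0:                       # varint
            value, pos = _varint(buf, pos)
        elif wire in (1, 2, 5):             # fixed64, length-delimited, fixed32
            size, pos = (8, pos) if wire == 1 else (4, pos) if wire == 5 else _varint(buf, pos)
            value, pos = buf[pos:pos + size], pos + size
        else:
            raise ValueError(f"unsupported wire type {wire}")
        if pos > len(buf):
            raise ValueError("field runs past the end of the message")
        yield number, wire, value

def _map_entry(buf):
    """A proto3 map entry is a nested message: key is field 1, value is field 2."""
    entry = {number: raw for number, wire, raw in _fields(buf) if wire == 2}
    return entry.get(1, b"").decode("utf-8"), entry.get(2, b"")

def decode_metric_value(buf):
    """MetricValue oneof: int_val (field 1, varint) or float_val (field 2, fixed32)."""
    for number, wire, raw in _fields(buf):
        if number == 1 and wire == 0:
            return _signed(raw)
        if number == 2 and wire == 5:
            return struct.unpack("<f", raw)[0]
    return None                             # oneof not set

def decode_metrics(buf):
    out = {"timestamp": None, "values": {}, "stream_id": 0}
    for number, wire, raw in _fields(buf):
        if number == 1 and wire == 2:       # google.protobuf.Timestamp: seconds, nanos
            ts = {n: _signed(v) for n, w, v in _fields(raw) if w == 0}
            out["timestamp"] = datetime.fromtimestamp(
                ts.get(1, 0) + ts.get(2, 0) / 1e9, tz=timezone.utc)
        elif number == 2 and wire == 2:     # one entry of the values map
            name, value = _map_entry(raw)
            out["values"][name] = decode_metric_value(value)
        elif number == 3 and wire == 0:
            out["stream_id"] = _signed(raw)
    return out                              # unknown fields are skipped

def decode_metadata(buf):
    out = {"stream_id": 0, "stream_name": "", "tags": {}}
    for number, wire, raw in _fields(buf):
        if number == 1 and wire == 0:
            out["stream_id"] = _signed(raw)
        elif number == 2 and wire == 2:
            out["stream_name"] = raw.decode("utf-8")
        elif number == 13 and wire == 2:    # one entry of the tags map
            key, value = _map_entry(raw)
            out["tags"][key] = value.decode("utf-8")
    return out

def correlate(metadata_msgs, metrics_msgs):
    """Join each metrics message to its metadata through stream_id."""
    streams = {m["stream_id"]: m for m in map(decode_metadata, metadata_msgs)}
    rows = []
    for metrics in map(decode_metrics, metrics_msgs):
        meta = streams.get(metrics["stream_id"], {})
        rows.append({**metrics, "stream_name": meta.get("stream_name"),
                     "tags": meta.get("tags", {})})
    return rows

# Constructed payloads, shaped like the Kafka message values on the two topics.
SAMPLE_METADATA = (bytes.fromhex("0807" "120c") + b"http-monitor"
                   + bytes.fromhex("6a0c" "0a04") + b"task" + bytes.fromhex("1204") + b"HTTP")
SAMPLE_METRICS = (bytes.fromhex("0a06" "088095c4a006")       # timestamp 2023-03-15T00:00:00Z
                  + bytes.fromhex("1212" "0a0c") + b"connect_time" + bytes.fromhex("1202" "082a")
                  + bytes.fromhex("120d" "0a04") + b"rate" + bytes.fromhex("1205" "150000c03f")
                  + bytes.fromhex("1807"))                    # stream_id 7

if __name__ == "__main__":
    for row in correlate([SAMPLE_METADATA], [SAMPLE_METRICS]):
        print(row)
```

A metrics message whose stream_id has no metadata yet is returned with stream_name set to None, which happens in practice because the metadata topic updates less often than the metrics topic.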

Additional Settings
It is possible to run the examples with additional configuration of the client using the --config-file option followed by a file name containing properties in the form key=value.

    ./build.sh run-advanced \
    --kafka-brokers localhost:9092 \
    --account ACCOUNT_SHORTNAME \
    --config-file client_config.properties

NOTE: All files referenced in the command above must be located in the current directory and referred to using only relative paths. This applies both to the --config-file argument and to all entries in the configuration file that describe file locations.

Validating External Client Authentication
To validate client authentication from outside the Control Center using client-examples, perform the following steps:

From the Paragon Active Assurance Control Center folder, switch to the paa-streaming-api-client-examples folder:

    cd paa-streaming-api-client-examples

  • Copy the CA root certificate to the current directory.
  • Create a client.properties file with the following content:

    security.protocol=SASL_SSL
    ssl.ca.location=ca-cert
    sasl.mechanism=PLAIN
    sasl.username={CLIENT_USER}
    sasl.password={CLIENT_PASSWORD}

where {CLIENT_USER} and {CLIENT_PASSWORD} are the user credentials for the client.

Run the basic examples:

    export KAFKA_FQDN=
    ./build.sh run-basic --kafka-brokers ${KAFKA_FQDN}:9093 \
    --account ACCOUNT_SHORTNAME \
    --config-file client.properties

where ACCOUNT_SHORTNAME is the short name of the account you want to get the metrics from.

Run the advanced examples:

    export KAFKA_FQDN=
    ./build.sh run-advanced --kafka-brokers ${KAFKA_FQDN}:9093 \
    --account ACCOUNT_SHORTNAME \
    --config-file client.properties

Appendix

In this appendix we describe how to create:

  • a keystore file for storing the Kafka broker SSL certificate
  • a truststore file for storing the Certificate Authority (CA) root certificate used to sign the Kafka broker certificate.

Creating a Kafka Broker Certificate
Creating a Certificate Using a Real Certificate Authority (Recommended)
It is recommended that you get a real SSL certificate from a trusted CA.
Once you have decided on a CA, copy their CA root certificate ca-cert file to your own path as shown below:

    export CA_PATH=~/my-ca
    mkdir ${CA_PATH}
    cp ca-cert ${CA_PATH}

Create Your Own Certificate Authority

NOTE: Normally you should have your certificate signed by a real Certificate Authority; see the preceding subsection. What follows is just an example.

Here we create our own Certificate Authority (CA) root certificate file valid for 999 days (not recommended in production):

    # Create a directory for storing the CA
    export CA_PATH=~/my-ca
    mkdir ${CA_PATH}
    # Generate the CA certificate
    openssl req -new -x509 -keyout ${CA_PATH}/ca-key -out ${CA_PATH}/ca-cert -days 999

Creating the Client Truststore
Now you can create a truststore file that contains the ca-cert generated above. This file will be needed by the Kafka client that will access the Streaming API:

    keytool -keystore kafka.client.truststore.jks \
    -alias CARoot \
    -importcert -file ${CA_PATH}/ca-cert

Now that the CA certificate is in the truststore, the client will trust any certificate signed with it.
You should copy the file kafka.client.truststore.jks to a known location on your client computer and point to it in the settings.

Creating the Keystore for the Kafka Broker
To generate the Kafka broker SSL certificate and then the keystore kafka.server.keystore.jks, proceed as follows:

Generating the SSL Certificate
Below, 999 is the number of days of validity of the keystore, and FQDN is the fully qualified domain name of the client (public host name of the node).

NOTE: It is important that the FQDN matches the exact hostname that the Kafka client will use to connect to the Control Center.

    sudo mkdir -p /var/ssl/private
    sudo chown -R $USER: /var/ssl/private
    cd /var/ssl/private
    export FQDN=
    keytool -keystore kafka.server.keystore.jks \
    -alias server \
    -validity 999 \
    -genkey -keyalg RSA -ext SAN=dns:${FQDN}

Create a certificate signing request and store it in the file named cert-server-request:

    keytool -keystore kafka.server.keystore.jks \
    -alias server \
    -certreq \
    -file cert-server-request

You should now send the file cert-server-request to your Certificate Authority (CA) if you are using a real one. They will then return the signed certificate. We will refer to this as cert-server-signed below.

Signing the SSL Certificate Using a Self-Created CA Certificate

NOTE: Again, using your own CA is not recommended in a production system.

Sign the certificate using the CA by means of the file cert-server-request, which produces the signed certificate cert-server-signed. See below; ca-password is the password set when creating the CA certificate.

    cd /var/ssl/private
    openssl x509 -req \
    -CA ${CA_PATH}/ca-cert \
    -CAkey ${CA_PATH}/ca-key \
    -in cert-server-request \
    -out cert-server-signed \
    -days 999 -CAcreateserial \
    -passin pass:{ca-password}

Importing the Signed Certificate into the Keystore

Import the ca-cert root certificate into the keystore:

    keytool -keystore kafka.server.keystore.jks \
    -alias ca-cert \
    -import \
    -file ${CA_PATH}/ca-cert

Import the signed certificate referred to as cert-server-signed:

    keytool -keystore kafka.server.keystore.jks \
    -alias server \
    -import \
    -file cert-server-signed

The file kafka.server.keystore.jks should be copied to a known location on the Control Center server, and then referred to in /etc/kafka/server.properties.

Using the Streaming API

IN THIS SECTION

  • General
  • Kafka Topic Names
  • Examples of Using the Streaming API

General
The streaming API fetches both test and monitor data. It is not possible to single out one of these categories.
The streaming API does not fetch data from script-based tests (those represented by a rectangle instead of a jigsaw piece in the Control Center GUI), such as Ethernet service activation tests and transparency tests.

Kafka Topic Names
The Kafka topic names for the streaming API are as follows, where %s is the short name of the Control Center account (indicated when creating the account):

    const (
        exporterName     = "kafka"
        metadataTopicTpl = "paa.public.accounts.%s.metadata"
        metricsTopicTpl  = "paa.public.accounts.%s.metrics"
    )

Examples of Using the Streaming API
The examples that follow are found in the tarball paa-streaming-api-client-examples.tar.gz contained within the Control Center tarball.
First, there is a basic example demonstrating how the metrics and their metadata are streamed separately and simply print the received messages to the console. You can run it as follows:

    sudo ./build.sh run-basic --kafka-brokers localhost:9092 --account ACCOUNT_SHORTNAME

There is also a more advanced example where metrics and metadata messages are correlated. Use this command to run it:

    sudo ./build.sh run-advanced --kafka-brokers localhost:9092 --account ACCOUNT_SHORTNAME

You need to use sudo to run Docker commands such as the ones above. Optionally, you can follow the Linux post-installation steps to be able to run Docker commands without sudo. For details, go to docs.docker.com/engine/install/linux-postinstall.

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Copyright © 2023 Juniper Networks, Inc. All rights reserved.
