Reply
Expert Contributor
Posts: 90
Registered: ‎10-04-2017

using topic name wildcards in sentry enabled kafka

Hi,

 

I'm using CDH 5.11.2. It has sentry enabled kafka and we would like to use wildcards in topic names  which is not available as per the documentation.Do we have any workaround for this?

Expert Contributor
Posts: 133
Registered: ‎01-08-2018

Re: using topic name wildcards in sentry enabled kafka

Unfortunatelly there is no workaround.

We have to wait for

https://cwiki.apache.org/confluence/display/KAFKA/KIP-37+-+Add+Namespaces+to+Kafka

https://issues.apache.org/jira/browse/KAFKA-2630

 

Which will help us to solve this issue.

Expert Contributor
Posts: 133
Registered: ‎01-08-2018

Re: using topic name wildcards in sentry enabled kafka

Great news. I came across the following which is very helpfull to me and thought I should share it.

 

https://www.cloudera.com/documentation/kafka/latest/topics/kafka_new_features.html#xd_583c10bfdbd326...

 

In few words, Cloudera Kafka 3 supports wildcard in TOPIC and CONSUMERGROUPS with CDH 5.14.1.

Expert Contributor
Posts: 90
Registered: ‎10-04-2017

Re: using topic name wildcards in sentry enabled kafka

@GeKas Thats great.

Expert Contributor
Posts: 90
Registered: ‎10-04-2017

Re: using topic name wildcards in sentry enabled kafka

Hi @GeKas 

 

This is still not supported in the CDK3.0 and CDH5.14.2. Its being tracked under CDH-61471.

Expert Contributor
Posts: 133
Registered: ‎01-08-2018

Re: using topic name wildcards in sentry enabled kafka

[ Edited ]

@RajeshBodollaunfortunatelly you are correct and I have realized the hard way.

I have upgraded the CDH during the previous week and this week I was trying to configure some wildcard topics only to find out that this is not possible.

 

When I wrote the previous post, it was clearly mentioned in the release notes, that is supported. I had copied this part which was saying:

* Wildcard usage for Kafka-Sentry components
You can specify an asterisk (*) in a Kafa-Sentry command for the TOPIC component of a privilege to refer to any topic in the privilege. Supported with CDH 5.14.1.
 
You can also use an asterisk (*) in a Kafka-Sentry command for the CONSUMERGROUPS component of a privilege to refer to any consumer groups in the privilege. This is useful when used with Spark Streaming, where a generated group.id may be needed. Supported with CDH 5.14.1.

Now, this part is gone from the documentation.

 

I apologize that I have not tested it before.

 

But as you can see in http://archive.cloudera.com/cdh5/cdh/5/sentry-1.5.1-cdh5.14.2.CHANGES.txt it is still mentioned as commited:

commit e9efe1b3b38912af8799d37a67679295d98ebe63
Author: amishra <amishra@cloudera.com>
Date:   Thu Feb 8 15:16:15 2018 +0530

    CDH-57131 CDH-61471: Add consumergroup and topic wildcard for Kafka privilege validation
    
    Change-Id: I19cc4b8b047eac668721e85131287f56b6f66fcd
    Reviewed-on: http://gerrit.sjc.cloudera.com:8080/30142
    Tested-by: Jenkins User
    Reviewed-by: Viktor Somogyi <viktor.somogyi@cloudera.com>
    Reviewed-by: Sergio Pena <sergio.pena@cloudera.com>

 

Expert Contributor
Posts: 90
Registered: ‎10-04-2017

Re: using topic name wildcards in sentry enabled kafka

Hi @GeKas

 

My case is worst, we have upgraded 5 clusters to 5.14.2 in hope of having this feature but its gone!!!! the bug is fixed as per cloudera but is not available in any version yet. The targeted release for this is 5.15.x and CDK3.1.0 .

Expert Contributor
Posts: 90
Registered: ‎10-04-2017

Re: using topic name wildcards in sentry enabled kafka

Just to add to it, you will be able to use * to allow access to all consumer groups and/or topics but you won't be able use the wildcard to specify a subset of either e.g. test_* .

Announcements