question Kafka policies created in Ranger are not becoming active in Support Questions

Kafka policies created in Ranger are not becoming active

Hadoop16 — Sun, 30 Mar 2025 21:17:41 GMT

Kafka policies created in Ranger are getting downloaded but not becoming active. Using Apache Ranger 2.6 and Apache Kafka 3.6. Couldn't find any specific errors related to this issue.

Ranger and Kafka are configured with LDAP and no kerberos. What could be the possible issue? Any help is appreciated!

Ranger policies for HDFS and Hive works fine.

Below are the ldap and ranger configs in Kafka

authorizer.class.name=org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer

sasl.enabled.mechanisms=PLAIN

listener.name.sasl_plaintext.sasl.enabled.mechanisms=PLAIN
listener.name.sasl_plaintext.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required;
listener.name.sasl_plaintext.plain.sasl.server.callback.handler.class=io.confluent.security.auth.provider.ldap.LdapAuthenticateCallbackHandler

ldap.java.naming.provider.url=ldap://<ldap_host>:389
ldap.java.naming.security.authentication=simple
ldap.java.naming.security.principal=CN=<bind_user>,OU=Service_Accounts,DC=hadoop,DC=hdp,DC=com
ldap.java.naming.security.credentials=

ldap.user.name.attribute=sAMAccountName
ldap.user.object.class=user
ldap.user.search.base=OU=User_Accounts,DC=hadoop,DC=hdp,DC=com;OU=Service_Accounts,DC=hadoop,DC=hdp,DC=com

#server properties
ldap.java.naming.provider.url=ldap://<ldap_host>:389
ldap.java.naming.security.authentication=simple
ldap.java.naming.security.principal=CN=<bind_dn>,OU=Service_Accounts,DC=hadoop,DC=hdp,DC=com
ldap.java.naming.security.credentials=

ldap.search.mode=GROUPS
ldap.user.search.base=OU=User_Accounts,DC=hadoop,DC=hdp,DC=com;OU=Service_Accounts,DC=hadoop,DC=hdp,DC=com
ldap.user.object.class=user
ldap.user.name.attribute=sAMAccountName

ldap.group.search.base=OU=Groups,DC=hadoop,DC=hdp,DC=com
ldap.group.object.class=group
ldap.group.name.attribute=cn
ldap.group.member.attribute=member

Re: Kafka policies created in Ranger are not becoming active

upadhyayk04 — Mon, 31 Mar 2025 04:25:38 GMT

Hello @Hadoop16

Thank you for reaching out to the community

Is this a fresh setup? Also just double-check if noexec is not set /tmp

Could you please check the Kafka logs to see if there are any errors with the plugin? Also, check Ranger Admin logs

Usually, kerberos is required for Ranger

https://docs.cloudera.com/cdp-private-cloud-base/7.3.1/security-ranger-configuring-advanced/topics/security-ranger-configure-kerberos-authentication.html

https://docs.cloudera.com/runtime/7.3.1/kafka-securing/topics/kafka-secure-ranger-enable.html

Re: Kafka policies created in Ranger are not becoming active

Hadoop16 — Tue, 01 Apr 2025 02:12:43 GMT

@upadhyayk04 Thank you! I tried with Kerberos enabled on Ranger and Kafka but still policies are downloading fine but not becoming active. I could see below error in Kafka log.

DEBUG Failed to get groups for user ANONYMOUS (org.apache.hadoop.security.UserGroupInformation) java.io.IOException: No groups found for user ANONYMOUS at org.apache.hadoop.security.Groups.noGroupsForUser(Groups.java:200)