https://community.cloudera.com/t5/Archives-of-Support-Questions/Kafka-Sentry-authorization-HadoopGroupMappingService-Unable/m-p/63127#M72790 <P>Yes it worked after disabling Sentry in Kafka configuration in Cloudera Manager. Will need to understand how Sentry can work with Kafka without Kerberos. Thanks.</P> Thu, 28 Dec 2017 13:11:02 GMT ebeb 2017-12-28T13:11:02Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Kafka-Sentry-authorization-HadoopGroupMappingService-Unable/m-p/62986#M72788 <P>Hi Kafka experts,</P><P>I have enabled KAFKA 2.2.x parcel (kafka version 0.10.2) in CDH 5.12. When I run a basic producer or consumer command such as:</P><P>&nbsp;</P><P>[root@~]# /opt/cloudera/parcels/KAFKA-2.2.0-1.2.2.0.p0.68/lib/kafka/bin/kafka-console-producer.sh --broker-list xyz1.com:9092 xyz2.com:9092 --topic topic1<BR />SLF4J: Class path contains multiple SLF4J bindings.<BR />SLF4J: Found binding in [jar:file:/opt/cloudera/parcels/KAFKA-2.2.0-1.2.2.0.p0.68/lib/kafka/libs/slf4j-log4j12-1.7.21.jar!/org/slf4j/impl/StaticLoggerBinder.class]<BR />SLF4J: Found binding in [jar:file:/opt/cloudera/parcels/KAFKA-2.2.0-1.2.2.0.p0.68/lib/kafka/libs/slf4j-log4j12-1.7.5.jar!/org/slf4j/impl/StaticLoggerBinder.class]<BR />SLF4J: See <A href="http://www.slf4j.org/codes.html#multiple_bindings" target="_blank">http://www.slf4j.org/codes.html#multiple_bindings</A> for an explanation.<BR />SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]<BR />17/12/21 12:54:21 INFO producer.ProducerConfig: ProducerConfig values:<BR />acks = 1<BR />batch.size = 16384<BR />block.on.buffer.full = false</P><P>....</P><P>&nbsp;</P><P>ssl.truststore.location = null<BR />ssl.truststore.password = null<BR />ssl.truststore.type = JKS<BR />timeout.ms = 30000<BR />value.serializer = class org.apache.kafka.common.serialization.ByteArraySerializer</P><P>17/12/21 12:54:21 INFO utils.AppInfoParser: Kafka version : 0.10.2-kafka-2.2.0<BR />17/12/21 12:54:21 INFO utils.AppInfoParser: Kafka commitId : unknown</P><P><BR />hello hello</P><P><BR /><FONT color="#FF0000">17/12/21 12:56:26 WARN clients.NetworkClient: Error while fetching metadata with correlation id 1 : {topic1=UNKNOWN_TOPIC_OR_PARTITION}</FONT><BR />17/12/21 12:56:27 WARN clients.NetworkClient: Error while fetching metadata with correlation id 2 : {topic1=UNKNOWN_TOPIC_OR_PARTITION}<BR />17/12/21 12:56:27 WARN clients.NetworkClient: Error while fetching metadata with correlation id 3 : {topic1=UNKNOWN_TOPIC_OR_PARTITION}</P><P>&nbsp;</P><P><U><STRONG>This CDH cluster has Sentry enabled but no Kerberos and no SSL. I think there is a permission issue for the user as I get the below in the /var/log/kafka/kafka-broker-xyz.log</STRONG></U></P><P>&nbsp;</P><P>2017-12-21 13:00:18,813 WARN org.apache.sentry.provider.common.HadoopGroupMappingService: Unable to obtain groups for ANONYMOUS<BR />java.io.IOException: No groups found for user ANONYMOUS<BR />at org.apache.hadoop.security.Groups.noGroupsForUser(Groups.java:199)<BR />at org.apache.hadoop.security.Groups.getGroups(Groups.java:222)<BR />at org.apache.sentry.provider.common.HadoopGroupMappingService.getGroups(HadoopGroupMappingService.java:60)<BR />at org.apache.sentry.provider.common.ResourceAuthorizationProvider.getGroups(ResourceAuthorizationProvider.java:167)<BR />at org.apache.sentry.provider.common.ResourceAuthorizationProvider.doHasAccess(ResourceAuthorizationProvider.java:97)<BR />at org.apache.sentry.provider.common.ResourceAuthorizationProvider.hasAccess(ResourceAuthorizationProvider.java:91)<BR />at org.apache.sentry.kafka.binding.KafkaAuthBinding.authorize(KafkaAuthBinding.java:212)<BR />at org.apache.sentry.kafka.authorizer.SentryKafkaAuthorizer.authorize(SentryKafkaAuthorizer.java:63)<BR />at kafka.server.KafkaApis$$anonfun$kafka$server$KafkaApis$$authorize$1.apply(KafkaApis.scala:343)<BR />at kafka.server.KafkaApis$$anonfun$kafka$server$KafkaApis$$authorize$1.apply(KafkaApis.scala:343)<BR />at scala.Option.forall(Option.scala:247)<BR />at kafka.server.KafkaApis.kafka$server$KafkaApis$$authorize(KafkaApis.scala:343)<BR />at kafka.server.KafkaApis$$anonfun$39.apply(KafkaApis.scala:838)<BR />at kafka.server.KafkaApis$$anonfun$39.apply(KafkaApis.scala:838)<BR />at scala.collection.TraversableLike$$anonfun$partition$1.apply(TraversableLike.scala:314)<BR />at scala.collection.TraversableLike$$anonfun$partition$1.apply(TraversableLike.scala:314)<BR />at scala.collection.immutable.Set$Set1.foreach(Set.scala:94)<BR />at scala.collection.TraversableLike$class.partition(TraversableLike.scala:314)<BR />at scala.collection.AbstractTraversable.partition(Traversable.scala:104)<BR />at kafka.server.KafkaApis.handleTopicMetadataRequest(KafkaApis.scala:838)<BR />at kafka.server.KafkaApis.handle(KafkaApis.scala:83)<BR />at kafka.server.KafkaRequestHandler.run(KafkaRequestHandler.scala:62)<BR />at java.lang.Thread.run(Thread.java:745)<BR /><FONT color="#FF0000">2017-12-21 13:00:19,067 WARN org.apache.sentry.provider.common.HadoopGroupMappingService: Unable to obtain groups for ANONYMOUS</FONT></P><P>&nbsp;</P><P>What is the correct way to setup the Sentry authorization to give permission to the user on kafka? Any blog or instructions will be greatly appreciated. Thanks!</P> Fri, 16 Sep 2022 12:39:57 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Kafka-Sentry-authorization-HadoopGroupMappingService-Unable/m-p/62986#M72788 ebeb 2022-09-16T12:39:57Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Kafka-Sentry-authorization-HadoopGroupMappingService-Unable/m-p/63123#M72789 <P>hi&nbsp;<a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/23837">@ebeb</a></P><P>&nbsp;</P><P>You need to disable <SPAN>Sentry Service in kafka configuration</SPAN>&nbsp;if you are not using it.</P> Thu, 28 Dec 2017 11:19:01 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Kafka-Sentry-authorization-HadoopGroupMappingService-Unable/m-p/63123#M72789 RajeshBodolla 2017-12-28T11:19:01Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Kafka-Sentry-authorization-HadoopGroupMappingService-Unable/m-p/63127#M72790 <P>Yes it worked after disabling Sentry in Kafka configuration in Cloudera Manager. Will need to understand how Sentry can work with Kafka without Kerberos. Thanks.</P> Thu, 28 Dec 2017 13:11:02 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Kafka-Sentry-authorization-HadoopGroupMappingService-Unable/m-p/63127#M72790 ebeb 2017-12-28T13:11:02Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Kafka-Sentry-authorization-HadoopGroupMappingService-Unable/m-p/63128#M72791 It should work without kerberos as well. I haven't tried it but you can give it a try. Thu, 28 Dec 2017 13:16:22 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Kafka-Sentry-authorization-HadoopGroupMappingService-Unable/m-p/63128#M72791 RajeshBodolla 2017-12-28T13:16:22Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Kafka-Sentry-authorization-HadoopGroupMappingService-Unable/m-p/65234#M72792 <P>What is the meaning of having kafka-sentry, when you don't have kerberos enabled?</P><P>For the moment, Kerberos is the only authentication engine supported by Kafka. When you don't have Kerberos enabled, all connection are treated the same. As you can see from the log, it thinks that the username is ANONYMOUS, that's why it tries to find the group that this user belongs to.</P><P>Since, the local system is not aware of any user (either local or synced to an LDAP/AD) with the name "ANONYMOUS", there is no group retrieved, so it cannot be matched to any kafka-sentry rule.</P><P>&nbsp;</P><P>It is normal that it will fail.</P><P>&nbsp;</P><P>Of course, you can create a user account "ANONYMOUS", assign it to a group and define a kafka-sentry rule with this group. But what is the meaning to that? All connections will have the same permissions.</P> Fri, 09 Mar 2018 14:26:53 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Kafka-Sentry-authorization-HadoopGroupMappingService-Unable/m-p/65234#M72792 GeKas 2018-03-09T14:26:53Z