Archives of Support Questions (Read Only)

This is an archived board for historical reference. Information and links may no longer be available or relevant

Atlas: how to secure Kafka?

Hello,

I could access all topics on Kafka without authentication.

My question: how could I secure access to Kafka topics?

Thanks.

1 ACCEPTED SOLUTION

Expert Contributor

@Smart Data

Ranger can be used to sync users with LDAP/AD. Credentials are stored in LDAP/AD, and Ranger is configured to access them.

Knox is used as a proxy, but more for REST API service calls, and some UIs. It is not meant to proxy high volume traffic like Kafka messages.

7 REPLIES

Expert Contributor

@Smart Data

Atlas is more governance related, security to a lesser extent.

You secure Kafka via Kerberos for authentication, and Ranger for authorization:

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.1/index.html#bk_security
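
An added example, not part of the original thread or of any Hortonworks tooling: a small Python check that reads a broker's `server.properties` and reports the gap the question describes, namely listeners that accept clients without authentication and no authorizer (such as Ranger) configured. The hostnames and both sample configurations are constructed, and `PLAINTEXTSASL` is assumed to be the HDP spelling of `SASL_PLAINTEXT`.

```python
# Added example: audit a Kafka broker config for unauthenticated access.
# PLAINTEXTSASL is assumed to be the HDP name for SASL_PLAINTEXT.
AUTHENTICATED = {"SASL_PLAINTEXT", "SASL_SSL", "PLAINTEXTSASL"}

# Constructed sample configs (hostnames are placeholders).
OPEN = "listeners=PLAINTEXT://broker1.example.com:6667\n"
SECURED = """
listeners=SASL_PLAINTEXT://broker1.example.com:6667
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.enabled.mechanisms=GSSAPI
sasl.kerberos.service.name=kafka
authorizer.class.name=org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit_broker(text):
    """Return a list of findings; an empty list means no gap was detected."""
    props = parse_properties(text)
    findings = []
    # Named listeners (e.g. INTERNAL) are resolved through the protocol map.
    proto_map = {}
    for pair in props.get("listener.security.protocol.map", "").split(","):
        if ":" in pair:
            name, proto = pair.split(":", 1)
            proto_map[name.strip().upper()] = proto.strip().upper()
    # With no listeners set, the broker falls back to a PLAINTEXT listener.
    for listener in props.get("listeners", "PLAINTEXT://:9092").split(","):
        name = listener.strip().split("://", 1)[0].upper()
        proto = proto_map.get(name, name)
        if proto == "PLAINTEXT":
            findings.append(f"listener {name}: no authentication, no encryption")
        elif proto == "SSL" and props.get("ssl.client.auth", "none") != "required":
            findings.append(f"listener {name}: TLS without client authentication")
        elif proto not in AUTHENTICATED and proto != "SSL":
            findings.append(f"listener {name}: unknown protocol {proto}")
    if not props.get("authorizer.class.name"):
        findings.append("no authorizer configured: no per-topic access control")
    return findings
```
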

@Graham Martin

Thanks for your quick reply. Is there an alternative to Kerberos? Maybe Apache Knox + LDAP?

I went to the link: indeed, it explains only the use of Kerberos.

Expert Contributor

@Smart Data

Ranger can be used to sync users with LDAP/AD. Credentials are stored in LDAP/AD, and Ranger is configured to access them.

Knox is used as a proxy, but more for REST API service calls, and some UIs. It is not meant to proxy high volume traffic like Kafka messages.

@Graham Martin

Thanks for your explanation. I am going to install and use Kerberos.

Master Mentor

@Smart Data

If you intend to run a secure Hadoop cluster then there is no way you can avoid Kerberos. Below are the differences between Knox and Kerberos.

The Apache Knox Gateway is a system that provides a single point of authentication and access. It provides the following features:

  • Single REST API Access Point
  • Centralized authentication, authorization and auditing for Hadoop REST/HTTP services
  • LDAP/AD Authentication, Service Authorization and Audit
  • Eliminates SSH edge node risks
  • Hides Network Topology

LAYERS OF DEFENSE FOR A HADOOP CLUSTER

  • Perimeter Level Security – Network Security, Apache Knox (gateway)
  • Authentication : Kerberos
  • Authorization
  • OS Security : encryption of data in network and HDFS

Apache Knox can also access a Hadoop cluster over HTTP or HTTPS.

CURRENT FEATURES OF APACHE KNOX

  • Authenticate : by LDAP or Cloud SSO Provider
  • Provides services for HDFS, HCat, HBase, Oozie, Hive, YARN, and Storm
  • HTTP access for Hive over JDBC support is available (ODBC driver Support- In Future)

Hope that helps to explain.

@Geoffrey Shelton Okot thanks for this explanation.