Community Articles

Find and share helpful community-sourced technical articles.
Labels (1)
avatar
Master Mentor

Use case: We want to control the kafka broker, producer and consumer policies using Ranger without having kerberos. "What is a recommended way to set-up policies when trying to control access to Kafka over a non-secure channel?"

Original doc

Demo

I have defined 3 policies as shown below:

Broker, Publisher and Consumer is controlled at IP level. With one click you can revoke the access from the consumer.

Demo commands

Happy Hadooping!!!

13,051 Views
Comments
avatar
Master Mentor
avatar
Contributor

Hi Neeraj

I am trying to do exactly the same thing, ie using ranger with a non kerberized Kafka. Unfortunately I have following error :

[root@mykafka kafka]# tail -f kafka.out
[2016-06-15 15:45:34,002] WARN got exception trying to get groups for user ANONYMOUS: id: ANONYMOUS: no such user (org.apache.hadoop.security.ShellBasedUnixGroupsMapping)
[2016-06-15 15:45:34,002] WARN No groups available for user ANONYMOUS (org.apache.hadoop.security.UserGroupInformation)

The public group should be mapped to an ANONYMOUS user.

https://cwiki.apache.org/confluence/display/RANGER/Kafka+Plugin#KafkaPlugin-Whydowehavetospecifypubl...?

Did you do something special to declare it manually within ranger ? Can you share the list of declared users within ranger ?

Thx in advance. Regards

avatar
Contributor

Hum... It seems that I have to use the new publisher and consumer API, and not the old one. Now it works but I still have warnings in kafka.out... With 6 lines of warning every second, I will quickly have a problem.

avatar
Expert Contributor

Hi Neeraj,

I'm experiencing the same issue as "easyoups". Do you have work around?

avatar

Hi,

I had the same Exception.

I solved the problem by creating the User ANONYMOUS on the kafka broker nodes.

avatar
Contributor

Hi Neeraj,Can you tell me your ranger and kafka version ?Thank you

avatar
Expert Contributor

@Neeraj Sabharwal

- i'm having issues in getting this to work,

attaching the link with the problem summary.

https://community.hortonworks.com/questions/65928/setting-up-kafka-securty-using-apache-ranger.html#...

could you help resolve this issue ? Thnx.

avatar
Contributor

Hi, does it mean that ranger kafka plugin can not define policy among users, and only among hosts?