Community Articles
Find and share helpful community-sourced technical articles
Labels (1)

Use case: We want to control the kafka broker, producer and consumer policies using Ranger without having kerberos. "What is a recommended way to set-up policies when trying to control access to Kafka over a non-secure channel?"

Original doc

Demo

I have defined 3 policies as shown below:

Broker, Publisher and Consumer is controlled at IP level. With one click you can revoke the access from the consumer.

Demo commands

Happy Hadooping!!!

7,280 Views
Comments

Hi Neeraj

I am trying to do exactly the same thing, ie using ranger with a non kerberized Kafka. Unfortunately I have following error :

[root@mykafka kafka]# tail -f kafka.out
[2016-06-15 15:45:34,002] WARN got exception trying to get groups for user ANONYMOUS: id: ANONYMOUS: no such user (org.apache.hadoop.security.ShellBasedUnixGroupsMapping)
[2016-06-15 15:45:34,002] WARN No groups available for user ANONYMOUS (org.apache.hadoop.security.UserGroupInformation)

The public group should be mapped to an ANONYMOUS user.

https://cwiki.apache.org/confluence/display/RANGER/Kafka+Plugin#KafkaPlugin-Whydowehavetospecifypubl...?

Did you do something special to declare it manually within ranger ? Can you share the list of declared users within ranger ?

Thx in advance. Regards

Hum... It seems that I have to use the new publisher and consumer API, and not the old one. Now it works but I still have warnings in kafka.out... With 6 lines of warning every second, I will quickly have a problem.

Rising Star

Hi Neeraj,

I'm experiencing the same issue as "easyoups". Do you have work around?

Hi,

I had the same Exception.

I solved the problem by creating the User ANONYMOUS on the kafka broker nodes.

Contributor

Hi Neeraj,Can you tell me your ranger and kafka version ?Thank you

Expert Contributor

@Neeraj Sabharwal

- i'm having issues in getting this to work,

attaching the link with the problem summary.

https://community.hortonworks.com/questions/65928/setting-up-kafka-securty-using-apache-ranger.html#...

could you help resolve this issue ? Thnx.

Contributor

Hi, does it mean that ranger kafka plugin can not define policy among users, and only among hosts?

Don't have an account?
Version history
Revision #:
1 of 1
Last update:
‎02-15-2016 03:21 PM
Updated by:
 
Contributors
Top Kudoed Authors