
Original Article

Can I authorize access to Kafka over a non-secure channel via Ranger?

Yes, you can control access by IP address.

Can I authorize access to Kafka over a non-secure channel by user/user-groups?

No. User/group-based policies can’t be used to authorize Kafka access over a non-secure channel, because it isn't possible to assert the client’s identity over such a channel.

Why do we have to specify the public user group on all policy items created for authorizing Kafka access over a non-secure channel?

  • Kafka can’t assert the identity of the client user over a non-secure channel. Thus, Kafka treats every user on such a channel as an anonymous user (a special user literally named ANONYMOUS).
  • Ranger's public user group is a means to model all users, which, of course, includes this anonymous user (ANONYMOUS).

What are the specific things to watch out for when setting up authorization for accessing Kafka over a non-secure channel?

  • Make sure that all broker IPs have Kafka admin access to all topics, i.e. *.
  • Make sure no publishers or consumers that need access control are running on broker nodes. Since broker IPs have open access, it isn’t possible to control access on those nodes.
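
A simplified model of the IP-based evaluation described above, added here as an illustration: it is not Ranger's code, and the class, function, access labels and sample addresses are constructed. It assumes that a policy item with no IP range places no restriction on the client address.

```python
import ipaddress
from dataclasses import dataclass, field

PUBLIC = "public"  # Ranger group that models all users, ANONYMOUS included

@dataclass
class PolicyItem:  # hypothetical, simplified stand-in for a Ranger policy item
    groups: set
    accesses: set
    ip_ranges: list = field(default_factory=list)  # empty list = no IP condition

    def matches(self, user_groups, access, client_ip):
        if not (self.groups & user_groups) or access not in self.accesses:
            return False
        if not self.ip_ranges:  # assumption: a blank condition restricts nothing
            return True
        addr = ipaddress.ip_address(client_ip)
        return any(addr in ipaddress.ip_network(r) for r in self.ip_ranges)

def is_allowed(policies, topic, access, client_ip):
    """Default-deny decision for a client on a non-secure channel."""
    # Kafka sees every such client as ANONYMOUS, whose only group is public,
    # so the client address is the only attribute that can tell clients apart.
    groups = {PUBLIC}
    for pattern, items in policies.items():
        if pattern in ("*", topic):
            if any(i.matches(groups, access, client_ip) for i in items):
                return True
    return False

# Constructed sample addresses (documentation ranges), not from the article.
BROKERS = ["192.0.2.11/32", "192.0.2.12/32"]
PRODUCER = ["198.51.100.21/32"]

# Broker IPs get open access to all topics; one producer host may publish.
restricted = {
    "*": [PolicyItem({PUBLIC}, {"admin", "publish", "consume"}, BROKERS)],
    "orders": [PolicyItem({PUBLIC}, {"publish"}, PRODUCER)],
}
# Same group, but the IP condition is left blank: every host matches.
open_to_all = {
    "orders": [PolicyItem({PUBLIC}, {"publish", "consume"})],
}

if __name__ == "__main__":
    for ip in ("198.51.100.21", "203.0.113.5", "192.0.2.11"):
        print(ip, is_allowed(restricted, "orders", "publish", ip),
              is_allowed(open_to_all, "orders", "publish", ip))
```

The `192.0.2.11` row shows the broker-node caveat: any client process on a broker host inherits the broker's open access.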

Please take time to read the original article.

Comments
New Contributor

Neeraj - I followed the original article and am having some issues. I noticed that once I add the group "Public" in Ranger policies without adding an IP address in the policy condition, users are able to publish and consume from any host.

This is what I did.

13701-kafka-rangerissue.png

HDP Version: HDP-2.3.4.0-3485

-- Enabled the Kafka plugin in Ranger.

-- Restarted Ranger.

-- Created the following policies in Ranger (see the image). (Important: added group Public, left policy condition blank.)

-- Logged in to server 21 to produce and consume messages.

-- I was able to produce and consume messages from any server.

What we want is to secure our Kafka environment through Ranger by IP address. I understand that asserting the identity of the client user over a non-secure channel is not possible.

I followed the following article to secure our Kafka environment.

https://cwiki.apache.org/confluence/display/RANGER/Kafka+Plugin#KafkaPlugin-Whydowehavetospecifypubl...

Please let me know what I am missing.

Version history
Revision #:
1 of 1
Last update:
‎01-31-2016 04:30 PM