Support Questions
Find answers, ask questions, and share your expertise

How add external user to access AD Kerberized Kafka



Maybe this question has been managed but after struggling a week with kerberos i can not find the right way to do it:


  • 3-node-PoC Hadoop cluster (hadoop-1. 2 and 3)
  • Kerberized against windows AD 2012r2

What is working:

  • Inside the nodes, it is possible to consume and produce messages to a topic created using > ./bin/ --zookeeper hadoop-1.poc.domain.tld:2181 --topic test_topic --from-beginning --security-protocol PLAINTEXTSASL

I know that if i provide the kafka/hadoop-X.poc.domain.tld to anynone and then he runs a kinit -kt keytab, should work but this is not a secure way to do so. I want to create new users or even better, grant to AD users the possibility to using is own credentials and kerberos, access the kafka brokers and being authorized by Ranger.

Ranger is running but at the moment it is connected only to the unix account: has to be connected to AD to get this working?

Sorry if this question is one like "how i can be rich" but i am a little lost.

I managed to using this guide create a kafkapro4 user and i copied the keytab to the hadoop-X nodes on the right folder. But when i want to run the kinit -kt keytab ServiceAccout, it answer me:

kinit -kt kafkapro.service.keytab kafkapro/hadoop-1.poc.domain.local@domain.LOCAL
kinit: Client 'kafkapro4/hadoop-1.poc.domain.local@DOMAIN.LOCAL' not found in Kerberos database while getting initial credentials

So i am quite a bit lost how to manage it.


Re: How add external user to access AD Kerberized Kafka

@Nicolas Tobias

If you have users in AD/LDAP that you want to grant permissions to via Ranger, then you'll need to configure Ranger to sync with AD/LDAP. Another alternative is to use something like SSSD at the OS layer which would make AD/LDAP accounts appear as local UNIX accounts. Then that should be transparent to Ranger.

I think that might do what you are looking for, but I'm not really a Kerberos expert.

Re: How add external user to access AD Kerberized Kafka


Finally we go without Kerberos. it is really a pain.

We will research go for Knox with SSL and LDAP......i think i will live better rather to have such pain of Kerberos 🙂