Kafka Ranger authentication with username/password

ps3 · ‎11-29-2017

We would like to be able to authenticate users to our kafka cluster with simple username/password.

We installed HDF-3.0.1.1 Kafka, kerberized the cluster, installed ranger + kafka-plugin and added a user 'test'.
We set

sasl.enabled.mechanisms=GSSAPI, PLAIN
sasl.mechanism.inter.broker.protocol=GSSAPI

in kafka server.properties to allow the cluster to use kerberos and clients to use PLAIN authentication.

But this does not work.

The console-producer logs

INFO Successfully logged in. (org.apache.kafka.common.security.authenticator.AbstractLogin)

and after a while:

ERROR Error when sending message to topic testtopic2 with key: null, value: 28 bytes with error: (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback)
org.apache.kafka.common.errors.TimeoutException: Failed to update metadata after 60000 ms.
INFO Closing the Kafka producer with timeoutMillis = 9223372036854775807 ms. (org.apache.kafka.clients.producer.KafkaProducer)

In the meantime it continuously tries to connect to the kafka hosts.

The producer properties are:

sasl.mechanism=PLAIN
security.protocol=SASL_PLAINTEXT

and our kafka_client_jaas.conf look like this:

KafkaClient {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  username="test"
  password="XXXXXXXXX";
};

What is going wrong here or is it simply not possible to use username/password authentication with the kafka ranger plugin?

Kind Regards

Peter

cosmin_novac · ‎12-13-2017

Hi. We're struggling with the same usecase. Did you manage to find a solution?

Kafka Ranger authentication with username/password

Kafka Ranger authentication with username/password

Re: Kafka Ranger authentication with username/password