Kafka policies created in Ranger are not becoming active

Contributor

Kafka policies created in Ranger are getting downloaded but not becoming active. Using Apache Ranger 2.6 and Apache Kafka 3.6. Couldn't find any specific errors related to this issue.

Ranger and Kafka are configured with LDAP and no Kerberos. What could be the possible issue? Any help is appreciated!

Ranger policies for HDFS and Hive work fine.

Below are the LDAP and Ranger configs in Kafka:

authorizer.class.name=org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer

sasl.enabled.mechanisms=PLAIN

listener.name.sasl_plaintext.sasl.enabled.mechanisms=PLAIN
listener.name.sasl_plaintext.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required;
listener.name.sasl_plaintext.plain.sasl.server.callback.handler.class=io.confluent.security.auth.provider.ldap.LdapAuthenticateCallbackHandler

ldap.java.naming.provider.url=ldap://<ldap_host>:389
ldap.java.naming.security.authentication=simple
ldap.java.naming.security.principal=CN=<bind_user>,OU=Service_Accounts,DC=hadoop,DC=hdp,DC=com
ldap.java.naming.security.credentials=

ldap.user.name.attribute=sAMAccountName
ldap.user.object.class=user
ldap.user.search.base=OU=User_Accounts,DC=hadoop,DC=hdp,DC=com;OU=Service_Accounts,DC=hadoop,DC=hdp,DC=com


#server properties
ldap.java.naming.provider.url=ldap://<ldap_host>:389
ldap.java.naming.security.authentication=simple
ldap.java.naming.security.principal=CN=<bind_dn>,OU=Service_Accounts,DC=hadoop,DC=hdp,DC=com
ldap.java.naming.security.credentials=

ldap.search.mode=GROUPS
ldap.user.search.base=OU=User_Accounts,DC=hadoop,DC=hdp,DC=com;OU=Service_Accounts,DC=hadoop,DC=hdp,DC=com
ldap.user.object.class=user
ldap.user.name.attribute=sAMAccountName

ldap.group.search.base=OU=Groups,DC=hadoop,DC=hdp,DC=com
ldap.group.object.class=group
ldap.group.name.attribute=cn
ldap.group.member.attribute=member

2 REPLIES

Master Collaborator

Hello @Hadoop16

Thank you for reaching out to the community.

Is this a fresh setup? Also, just double-check that noexec is not set on /tmp.

Could you please check the Kafka logs to see if there are any errors with the plugin? Also, check the Ranger Admin logs.

Usually, Kerberos is required for Ranger.

https://docs.cloudera.com/cdp-private-cloud-base/7.3.1/security-ranger-configuring-advanced/topics/s...

https://docs.cloudera.com/runtime/7.3.1/kafka-securing/topics/kafka-secure-ranger-enable.html

Contributor

@upadhyayk04 Thank you! I tried with Kerberos enabled on Ranger and Kafka, but the policies are still downloading fine and not becoming active. I could see the below error in the Kafka log.

DEBUG Failed to get groups for user ANONYMOUS (org.apache.hadoop.security.UserGroupInformation)
java.io.IOException: No groups found for user ANONYMOUS
	at org.apache.hadoop.security.Groups.noGroupsForUser(Groups.java:200)
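
As an added example (not part of the thread, and not Ranger or Kafka code), a small Python audit of a broker properties file like the one posted: it reports keys defined twice, listeners on which Kafka treats every client as User:ANONYMOUS, and settings that put passwords on the wire without TLS. The `listeners` line, hostname and DNs in the sample are constructed assumptions; the post does not show them.

```python
# Constructed sample: key names come from the post; the `listeners` line, the
# hostname and the DNs are assumptions (the post does not show them).
SAMPLE = """\
listeners=PLAINTEXT://0.0.0.0:9092,SASL_PLAINTEXT://0.0.0.0:9093
sasl.enabled.mechanisms=PLAIN
ldap.java.naming.provider.url=ldap://ldap.example.internal:389
ldap.java.naming.security.authentication=simple
ldap.java.naming.security.principal=CN=bind_user,OU=Service_Accounts,DC=example,DC=com
ldap.java.naming.security.credentials=
#server properties
ldap.java.naming.provider.url=ldap://ldap.example.internal:389
ldap.java.naming.security.principal=CN=bind_dn,OU=Service_Accounts,DC=example,DC=com
"""

def parse(text):
    """Return (props, duplicated keys). The last value wins, as in java.util.Properties.
    Simplified: only key=value lines, no ':' separators or line continuations."""
    props, dupes = {}, []
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in props and key not in dupes:
            dupes.append(key)
        props[key] = value
    return props, dupes

def audit(text):
    props, dupes = parse(text)
    findings = [f"duplicate key, last value wins: {key}" for key in dupes]
    # Listener name -> security protocol; without a map entry the name is the protocol.
    pairs = (e.split(":", 1) for e in props.get("listener.security.protocol.map", "").split(",") if ":" in e)
    proto_map = {name.strip().upper(): proto.strip().upper() for name, proto in pairs}
    mechanisms = [m.strip() for m in props.get("sasl.enabled.mechanisms", "").split(",")]
    for entry in filter(None, props.get("listeners", "").split(",")):
        name = entry.split("://", 1)[0].strip().upper()
        proto = proto_map.get(name, name)
        if proto == "PLAINTEXT":
            findings.append(f"listener {name}: no authentication, principal is User:ANONYMOUS")
        elif proto == "SASL_PLAINTEXT" and "PLAIN" in mechanisms:
            findings.append(f"listener {name}: SASL/PLAIN passwords cross the network without TLS")
    if (props.get("ldap.java.naming.provider.url", "").startswith("ldap://")
            and props.get("ldap.java.naming.security.authentication") == "simple"):
        findings.append("LDAP simple bind over ldap:// exposes the bind password in transit")
    if props.get("ldap.java.naming.security.credentials") == "":
        findings.append("ldap.java.naming.security.credentials is empty")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The check reads only the broker-wide `sasl.enabled.mechanisms`; per-listener overrides such as `listener.name.sasl_plaintext.sasl.enabled.mechanisms` are not evaluated.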