Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Kafka policies created in Ranger are not becoming active

Labels:
avatar
author-rank Hadoop16
Contributor

Created ‎03-30-2025 02:17 PM

Kafka policies created in Ranger are getting downloaded but not becoming active. Using Apache Ranger 2.6 and Apache Kafka 3.6. Couldn't find any specific errors related to this issue.

Ranger and Kafka are configured with LDAP and no kerberos. What could be the possible issue? Any help is appreciated!

Ranger policies for HDFS and Hive works fine.

Below are the ldap and ranger configs in Kafka

authorizer.class.name=org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer

sasl.enabled.mechanisms=PLAIN

listener.name.sasl_plaintext.sasl.enabled.mechanisms=PLAIN
listener.name.sasl_plaintext.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required;
listener.name.sasl_plaintext.plain.sasl.server.callback.handler.class=io.confluent.security.auth.provider.ldap.LdapAuthenticateCallbackHandler

ldap.java.naming.provider.url=ldap://<ldap_host>:389
ldap.java.naming.security.authentication=simple
ldap.java.naming.security.principal=CN=<bind_user>,OU=Service_Accounts,DC=hadoop,DC=hdp,DC=com
ldap.java.naming.security.credentials=

ldap.user.name.attribute=sAMAccountName
ldap.user.object.class=user
ldap.user.search.base=OU=User_Accounts,DC=hadoop,DC=hdp,DC=com;OU=Service_Accounts,DC=hadoop,DC=hdp,DC=com


#server properties
ldap.java.naming.provider.url=ldap://<ldap_host>:389
ldap.java.naming.security.authentication=simple
ldap.java.naming.security.principal=CN=<bind_dn>,OU=Service_Accounts,DC=hadoop,DC=hdp,DC=com
ldap.java.naming.security.credentials=

ldap.search.mode=GROUPS
ldap.user.search.base=OU=User_Accounts,DC=hadoop,DC=hdp,DC=com;OU=Service_Accounts,DC=hadoop,DC=hdp,DC=com
ldap.user.object.class=user
ldap.user.name.attribute=sAMAccountName

ldap.group.search.base=OU=Groups,DC=hadoop,DC=hdp,DC=com
ldap.group.object.class=group
ldap.group.name.attribute=cn
ldap.group.member.attribute=member

1,176 Views
0 Kudos
2 REPLIES 2

avatar
author-rank upadhyayk04 author-rank
Master Collaborator

Created ‎03-30-2025 09:25 PM

Hello @Hadoop16 

Thank you for reaching out to the community

 

Is this a fresh setup? Also just double-check if noexec is not set /tmp

Could you please check the Kafka logs to see if there are any errors with the plugin? Also, check Ranger Admin logs

 

Usually, kerberos is required for Ranger

https://docs.cloudera.com/cdp-private-cloud-base/7.3.1/security-ranger-configuring-advanced/topics/s...

https://docs.cloudera.com/runtime/7.3.1/kafka-securing/topics/kafka-secure-ranger-enable.html

 

1,162 Views
0 Kudos

avatar
author-rank Hadoop16
Contributor

Created ‎03-31-2025 07:12 PM

@upadhyayk04 Thank you! I tried with Kerberos enabled on Ranger and Kafka but still policies are downloading fine but not becoming active. I could see below error in Kafka log.

DEBUG Failed to get groups for user ANONYMOUS (org.apache.hadoop.security.UserGroupInformation) java.io.IOException: No groups found for user ANONYMOUS at org.apache.hadoop.security.Groups.noGroupsForUser(Groups.java:200)

1,136 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Real time Monitoring for 7.1.9+ and 7.2.18+ with Cl...
What's New @ Cloudera
Announcing Cloudera Streaming Analytics 1.17: Python UDFs, S...
Community Announcements
Content Update: Evolving Our Community Content for Better, A...
Community Announcements
Product Name Updates — Community Label Changes & Notificatio...
What's New @ Cloudera
Announcing Cloudera Data Lineage for Trino
View More Announcements