
Ranger policy malfunction in kafka


Explorer

In Kafka, I tried to execute consume/publish commands with all Ranger policies disabled, and it did not deny either the consume or the publish behavior. Did I miss a Kafka configuration setting, or am I misunderstanding something else?

Accepted Solutions

Re: Ranger policy malfunction in kafka

Explorer

Here are the steps to enable Ranger for Kafka; they work fine with HDP 2.3.4 and Ranger 0.5.0:

1.) Enable the Kerberos server for the cluster.

2.) In the Ambari server, go to Kafka's Configs > Advanced ranger-kafka-plugin-properties, and click "Enable Ranger for Kafka".

3.) Go to Configs > Custom kafka-broker, and change the value of "authorizer.class.name" to "org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer".

4.) Save the changes and restart the Kafka component.

5.) Go to the Ranger admin UI, then disable all Kafka policies.

6.) It should deny Publish/Consume actions now.

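The check this thread keeps returning to (the `authorizer.class.name` value from step 3, as it ends up in the broker's server.properties), written out as an added example that is not part of the original posts. When the property is unset, Kafka performs no authorization at all, which matches the symptom in the question. The function names, sample configs, host names and paths are constructed for illustration.

```python
# Added example (not from the thread): audit a broker's server.properties text.
RANGER = "org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer"

def parse_properties(text):
    """Minimal Java .properties parser: comments, '=' or ':' separators,
    backslash line continuation, and last-definition-wins for repeated keys."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue                      # blank line or comment
        if line.endswith("\\"):
            pending = line[:-1]           # value continues on the next line
            continue
        cut = min((i for i in (line.find("="), line.find(":")) if i >= 0),
                  default=len(line))
        props[line[:cut].strip()] = line[cut + 1:].strip()
    return props

def check_authorizer(text):
    """Classify the effective authorizer.class.name of a broker config."""
    value = parse_properties(text).get("authorizer.class.name", "")
    if not value:
        return "NO_AUTHORIZER"   # broker authorizes nothing; Ranger is never consulted
    if value == RANGER:
        return "RANGER"
    return "OTHER_AUTHORIZER"    # another class decides, not the Ranger policies

# Constructed sample configs (hypothetical hosts and paths).
COMMENTED_OUT = f"""broker.id=0
zookeeper.connect=zk1.example.com:2181
#authorizer.class.name={RANGER}
"""
ENABLED = f"""broker.id=0
authorizer.class.name = {RANGER}
"""
OVERRIDDEN = f"""authorizer.class.name={RANGER}
log.dirs=/kafka-logs
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
"""

if __name__ == "__main__":
    for name, cfg in [("commented out", COMMENTED_OUT), ("enabled", ENABLED),
                      ("overridden", OVERRIDDEN)]:
        print(f"{name:14s} -> {check_authorizer(cfg)}")
```

Only the `RANGER` result means disabled Ranger policies can deny anything; the other two explain a broker that keeps accepting produce and consume requests.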


Re: Ranger policy malfunction in kafka

@bdurai @bganesan

I was able to reproduce this. I have only the kafka user listed in the Kafka policy, and root can consume and produce the data (not listed in the Kafka policy).


@Benson Shih

Re: Ranger policy malfunction in kafka

Explorer

Is this issue resolved? I also tried to create a Kafka Ranger policy to exclude a select user from not creating or deleting topics, but it doesn't get enforced. I see the 200 response in Ranger Audits that the Kafka plugin is up.

Re: Ranger policy malfunction in kafka

Explorer

Is the Ranger plugin properly installed? For example, do you have any evidence of it in the Ranger Audit logs, e.g. the Kafka server connecting to Ranger to download policies, or an access log indicating that access was allowed by Ranger?

Re: Ranger policy malfunction in kafka

Explorer

I will check for it

Re: Ranger policy malfunction in kafka

Explorer

Please check your server.properties file and ensure you have authorizer.class.name set to Ranger Authorizer's Fully Qualified class name.

Re: Ranger policy malfunction in kafka

Explorer

It's supposed to be "org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer", right?

Re: Ranger policy malfunction in kafka

Contributor

Also look into the Ranger Audits from the Ranger Admin. If Ranger is allowing the request, then it will have the policy which gave the permission.
